PrestaShop
{{#include ../../banners/hacktricks-training.md}}
Perl backticks/qx// sinks in Apache mod_perl handlers (reachability and exploitation)
Real-world pattern: Perl code builds a shell command string and executes it via backticks (or qx//). In a mod_perl AccessHandler, attacker-controlled request components like $r->uri() can flow into that string. If any branch concatenates raw input and then evaluates it with a shell, you get pre-auth RCE.
Risky Perl execution primitives (spawn a shell when given a single string):
- Backticks / qx//: my $out = cmd ...;
- system with a single string: system("/bin/sh -c '...'") implicitly
- open with a pipe: open my $fh, "cmd |" or "| cmd"
- IPC::Open3 with a single string
Minimal vulnerable shape observed in the wild:
sub getCASURL {
...
my $exec_cmd = "...";
if ($type eq 'login') {
$exec_cmd .= $uri; # $uri from $r->uri() → attacker-controlled
my $out = `$exec_cmd`; # backticks = shell
}
}
Key reachability considerations in mod_perl:
- Handler registration: httpd.conf must route requests into your Perl module, e.g. PerlModule MOD_SEC_EMC::AccessHandler and configuration that invokes AccessHandler::handler for a path scope.
- Triggering the vulnerable branch: force the unauthenticated login flow so type == "login" (e.g., omit the expected auth cookie).
- Resolvable path: ensure your request targets a URI that resolves within the configured scope. If Apache never routes the request through the handler, the sink isn’t reached.
Exploitation workflow
1) Inspect httpd.conf for PerlModule/MOD_PERL handler scopes to find a resolvable path processed by the handler.
2) Send an unauthenticated request so the login redirect path is taken (type == "login").
3) Place shell metacharacters in the request-URI path so $r->uri() carries your payload into the command string.
Example HTTP PoC (path injection via ';')
GET /ui/health;id HTTP/1.1
Host: target
Connection: close
Tips
- Try separators: ;, &&, |,
backticks, $(...), and encoded newlines (%0A) depending on quoting.- If earlier patches quote other args but not the URI in one branch, payloads appended at the end of the string often work: ;id# or &&/usr/bin/id#
Hardening (Perl)
- Do not build shell strings. Prefer argument-vector execution: system('/usr/bin/curl', '--silent', '--', $safe_url) — no shell.
- If a shell is unavoidable, escape strictly and consistently across all branches; treat $r->uri() as hostile. Consider URI::Escape for paths/queries and strong allowlists.
- Avoid backticks/qx// for command execution; capture output via open3/list form if truly needed without invoking a shell.
- In mod_perl handlers, keep auth/redirect code paths free of command execution or ensure identical sanitization across branches to avoid “fixed everywhere but one branch” regressions.
Vulnerability hunting
- Patch-diff modules that assemble shell commands; look for inconsistent quoting between branches (e.g., if ($type eq 'login') left unescaped).
- Grep for backticks, qx//, open\s(|||, and system\s(\s*" to find string-based shells. Build a call graph from sink to request entry ($r) to verify pre-auth reachability.
Real-world case: Dell UnityVSA pre-auth RCE (CVE-2025-36604)
- Pre-auth command injection via backticks in AccessTool.pm:getCASURL when type == "login" concatenated raw $uri ($r->uri()).
- Reachable through MOD_SEC_EMC::AccessHandler → make_return_address($r) → getCASLoginURL(..., type="login") → getCASURL(..., $uri, 'login').
- Practical nuance: use a resolvable path covered by the handler; otherwise the module won’t execute and the sink won’t be hit.
References
- It’s Never Simple Until It Is: Dell UnityVSA Pre‑Auth Command Injection (CVE‑2025‑36604)
- Dell PSIRT DSA‑2025‑281 – Security update for Dell Unity/UnityVSA/Unity XT
- watchTowr Detection Artefact Generator – Dell UnityVSA Pre‑Auth CVE‑2025‑36604
{{#include ../../banners/hacktricks-training.md}}