Open p5pRT opened 9 years ago
Hello Team,
Please find attached a report for a vulnerability (I think) I've identified in Perl5 for Windows.
Hope it helps.
Regards, Shrivathsa Bhat.
On Tue Jan 20 10:53:18 2015, sshbhat@gmail.com wrote:
Hello Team,
Please find attached a report for a vulnerability (I think) I've identified in Perl5 for Windows.
PDF version for anyone who doesn't want to deal with Word.
Tony
The RT System itself - Status changed from 'new' to 'open'
On Tue, Jan 20, 2015 at 02:13:07PM -0800, Tony Cook via RT wrote:
PDF version for anyone who doesn't want to deal with Word.
and the TL;DR: version:
```perl
#!/usr/bin/perl
system('ECHO', 'Hiii &""calc');          # PoC to ECHO the value
system('SET', 'TEST', 'Hiii &""calc');   # To set value to CMD environment variables
```
These both launch 'calc' apparently, in apparent violation of the 'multiple args bypasses the shell' rule.
However, in perlport, it says:
C<system LIST> without the use of indirect object syntax (C<system PROGRAM LIST>) may fall back to trying the shell if the first spawn() fails. (Win32)
Not being a win32 person, I don't know whether that is the case here.
-- The Enterprise successfully ferries an alien VIP from one place to another without serious incident. -- Things That Never Happen in "Star Trek" #7
On Tue, Jan 20, 2015 at 10:52:12PM +0000, Dave Mitchell wrote:
These both launch 'calc' apparently, in apparent violation of the 'multiple args bypasses the shell' rule.
This is a problem for pipe open too.
However, in perlport, it says:
C<system LIST> without the use of indirect object syntax (C<system PROGRAM LIST>) may fall back to trying the shell if the first spawn() fails. (Win32)
Not being a win32 person, I don't know whether that is the case here.
Yes, that falls back to the shell, both echo and set are cmd.exe built-ins, but we might be able to improve on how we deal with the shell.
win32.c already has code that converts the array into a single string (create_command_line()), which attempts to deal with cmd.exe's idiosyncrasies.
I'm working on an improvement that escapes specials like & and | with cmd.exe's escape character "^".
I'll post a patch once it's ready.
Tony
Thank you,
I thought the same: when system() is given syntax like system($command, @arguments), then it would be better not to execute any command other than $command.
Anyway I'll go through perlport again to get a better way to use shell commands and meanwhile I'll keep my eyes open for this patch.
Regards, Shrivathsa Bhat.
On Jan 21, 2015 5:59 AM, "Tony Cook via RT" <perl5-security-report@perl.org> wrote:
I'm working on an improvement that escapes specials like & and | with cmd.exe's escape character "^".
I'll post a patch once it's ready.
Tony
On Thu Jan 22 01:53:05 2015, sshbhat@gmail.com wrote:
Thank you,
I thought the same: when system() is given syntax like system($command, @arguments), then it would be better not to execute any command other than $command.
Anyway I'll go through perlport again to get a better way to use shell commands and meanwhile I'll keep my eyes open for this patch.
I've spent some time on this; at this point I don't think it's possible to escape shell built-ins without breaking other parts of the perl eco-system.
The only real fix would be to disable the fallback to the shell, which would make the behaviour closer to POSIX systems.
It might be worth removing that behaviour from the multi-arg pipe open I added before 5.22 is released.
Tony
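Since the only real fix is removing the fallback, a script can at least avoid ever triggering it: resolve the program name to an existing executable first, and use the indirect-object form that the perlport text quoted above says does not fall back to the shell. This is an added example, not code from perl core or from anyone in this thread; resolve_program and safe_system are hypothetical helpers, and restricting the search to .exe/.com is an assumption made here.

```perl
#!/usr/bin/perl
# Added example (not perl's own code): spawn by resolved path so the first
# spawn() cannot fail and system(LIST) never hands the arguments to cmd.exe.
use strict;
use warnings;
use File::Spec;

# Hypothetical helper: emulate a PATH search. Only .exe/.com are accepted
# (an assumption); .bat/.cmd are left out because CreateProcess runs those
# through cmd.exe, which has the same argument-parsing problem.
sub resolve_program {
    my ($name, %opt) = @_;
    my @dirs = $opt{path} ? @{ $opt{path} } : File::Spec->path;
    my @exts = $opt{exts} ? @{ $opt{exts} } : ('.exe', '.com');
    # a name carrying a directory part is tried only where it points
    my @bases = ($name =~ m{[\\/]} || File::Spec->file_name_is_absolute($name))
        ? ($name)
        : map { File::Spec->catfile($_, $name) } @dirs;
    for my $base (@bases) {
        for my $try ($base, map { $base . $_ } @exts) {
            return $try if -f $try;
        }
    }
    return;    # nothing found: a shell built-in, a typo, or not on PATH
}

# Refuse anything that does not resolve, then use the indirect-object form
# (system PROGRAM LIST), which perlport documents as not falling back to the
# shell; the resolved path also keeps the first spawn() from failing.
sub safe_system {
    my ($prog, @args) = @_;
    my $exe = resolve_program($prog)
        or die "refusing to run '$prog': not an executable on PATH, "
             . "so system(LIST) would hand the arguments to cmd.exe\n";
    return system { $exe } $exe, @args;
}

# cmd.exe built-ins such as ECHO and SET have no executable behind them, so
# the reporter's call is refused instead of reaching the shell. (If some
# echo.exe happens to be on PATH it runs directly, still without a shell.)
my $arg = 'Hiii &""calc';    # constructed: the argument shape from the report
eval { safe_system('ECHO', $arg); 1 } or print "blocked: $@";

# A real program resolves and runs; $^X is the absolute path of this perl.
safe_system($^X, '-e', 'print qq(child ran\n)');
```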
* Tony Cook via RT <perl5-security-report@perl.org> [2015-02-03T22:17:57]
It might be worth removing that behaviour from the multi-arg pipe open I added before 5.22 is released.
That's probably worth doing.
I think any further changes should probably wait until 5.23, but I'm not sure we can safely make any changes to the default behavior. Possibly with a pragma. Blah. :(
-- rjbs
On Wed, Feb 4, 2015 at 4:17 AM, Tony Cook via RT <perl5-security-report@perl.org> wrote:
I've spent some time on this; at this point I don't think it's possible to escape shell built-ins without breaking other parts of the perl eco-system.
I suspect the same. I've long considered system() on Win32 to be broken (in ways that I don't even want to grok), but Win32::ShellQuote is my friend that manages to fix things up. I'd prefer not needing it though.
The only real fix would be to disable the fallback to the shell, which would make the behaviour closer to POSIX systems.
That sounds rather sensible.
It might be worth removing that behaviour from the multi-arg pipe open I added before 5.22 is released.
Yes\, that would be nice.
Leon
On Wed Feb 04 07:57:55 2015, LeonT wrote:
It might be worth removing that behaviour from the multi-arg pipe open I added before 5.22 is released.
Yes, that would be nice.
Patch attached. I'll apply it next week unless someone objects.
Tony
On Wed Feb 04 21:39:04 2015, tonyc wrote:
Patch attached. I'll apply it next week unless someone objects.
Applied as f5fe1b19fc61e51b533b25b128ec7a6f764372da with an updated comment.
This does *not* fix the original issue.
I think we'd need to go through a deprecation cycle to fix that by removing the fallback.
Tony
On Tue Feb 24 01:09:44 2015, tonyc wrote:
Applied as f5fe1b19fc61e51b533b25b128ec7a6f764372da with an updated comment.
This does *not* fix the original issue.
I think we'd need to go through a deprecation cycle to fix that by removing the fallback.
Here's a deprecation patch.
Tony
On Tue, Nov 01, 2016 at 03:55:45PM -0700, Tony Cook via RT wrote:
Here's a deprecation patch.
Tony
From 6e789b3df95e0c5c29a9b84cef8d28c28f349001 Mon Sep 17 00:00:00 2001 From: Tony Cook \tony@​develop\-help\.com Date: Wed\, 2 Nov 2016 09:51:20 +1100 Subject: [PATCH] (perl #123638) deprecate fallback to shell on Win32 [snip] +=item system(LIST) fallback to shell deprecated
What's the current status of this patch and this ticket?
-- You never really learn to swear until you learn to drive.
On Thu, 02 Feb 2017 05:55:52 -0800, davem wrote:
What's the current status of this patch and this ticket?
Do we deprecate system(LIST) falling back to the shell or not?
Tony
On Mon, Feb 20, 2017 at 12:54 AM, Tony Cook via RT <perl5-security-report@perl.org> wrote:
Do we deprecate system(LIST) falling back to the shell or not?
I thought this is what we decided. No?
On Mon, Feb 20, 2017 at 02:56:46PM +0200, Sawyer X wrote:
I thought this is what we decided. No?
I don't know. There hasn't been much discussion, pro or con, in this ticket. Given that once the deprecation is applied to blead the issue effectively becomes public without being immediately fixed, I suggest we might as well move this ticket to the public queue and open up the deprecation warning proposal to wider discussion.
-- Never work with children\, animals\, or actors.
On Mon, Mar 13, 2017 at 2:27 PM, Dave Mitchell <davem@iabyn.com> wrote:
I don't know. There hasn't been much discussion, pro or con, in this ticket. Given that once the deprecation is applied to blead the issue effectively becomes public without being immediately fixed, I suggest we might as well move this ticket to the public queue and open up the deprecation warning proposal to wider discussion.
Let's do that.
I've just moved this ticket to the public queue. The remaining issue to be discussed is for win32 system(): it will sometimes fall back to using the shell, even with individual arguments. It's been proposed that this behaviour should be deprecated:
+=item system(LIST) fallback to shell deprecated + +(W deprecated) C\<system(LIST)> on Win32 currently falls back to the +shell if the supplied program name cannot be found. + +The Win32 API to create a new process only accepts a single string for +the process arguments\, so to emulate the behaviour on POSIX systems\, +perl quotes the arguments in the same way as most software on Win32. + +Unfortunately the Win32 shell accepts arguments escaped in a different +way to most other Win32 software\, which can be used by an attacker.
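Review bot: the new perldiag entry explains why the fallback is unsafe but does not tell the reader what to do instead or when the behaviour will go away; after "which can be used by an attacker." add a sentence recommending the indirect-object form (system PROGRAM LIST), which perlport already documents as not falling back to the shell, or a full path to the executable, and name the release in which the fallback is to be removed. Also consider aligning "if the supplied program name cannot be found" with perlport's wording "if the first spawn() fails", since the two descriptions of the trigger currently differ.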
Can anyone see a reason not to do this? [NB: I am just the messenger; I have no opinion on this]
-- Dave's first rule of Opera: If something needs saying\, say it: don't warble it.
On Mon, 20 Mar 2017 02:37:31 -0700, davem wrote:
Can anyone see a reason not to do this? [NB: I am just the messenger; I have no opinion on this]
This code in miniperl uses shell execute to run a builtin on Win32.
-- bulk88 ~ bulk88 at hotmail.com
On Thu, Mar 30, 2017 at 04:29:58PM -0700, bulk88 via RT wrote:
This code in miniperl uses shell execute to run a builtin on Win32.
That code doesn't use the list form of system() (or even system() at all).
Tony
Shortly after this issue was made public in RT, a related issue was submitted to the Perl security team by Noah Misch. This new issue was given the RT ticket number 131065 and became Perl/perl5-security#83 after the github migration.
Noah's report covered several different problems, but most of the discussion focused on a variation of this bug that stems from the way Perl translates an array of argv parameters for a subprocess into the single CommandLine string that Windows accepts for the CreateProcess() function, and from the default logic Windows uses to parse that stringified CommandLine back into an argv array.
This #14434 issue shows that Perl is quoting arguments incorrectly for cmd.exe, and the Perl/perl5-security#83 issue showed that a very similar problem applies when cmd.exe is not involved in spawning the subprocess.
This example code demonstrates the faulty behavior when cmd.exe is not involved:
Like the cmd.exe argument quoting problems, this additional variation is impossible to fix without breaking existing Perl code that uses Win32::ShellQuote to work around the current behavior.
@tonycoz proposed the following patch, which adds a toggle to enable correct argument passing in both scenarios.
This issue is a duplicate of #8961 and #13190
Migrated from rt.perl.org#123638 (status was 'open')
Searchable as RT123638$