vpelss has asked for the wisdom of the Perl Monks concerning the following question:

It is my understanding that perl -MO=Deparse does not actually run the PERL code. Is that correct?

If so, then why is the following run on a website able to be attacked?

open (TXTFILE , ">obf.txt");
print TXTFILE $string;
close(TXTFILE);
#deparse
$string = `perl -MO=Deparse -f obf.txt`;

I thought I read somewhere that "eval" (or was it another PERL command?) actually ran the code during PERL's compiling phase, and therefore before the rest of the PERL code ran. Is that accurate? If so, maybe that is why it is unsafe.

I have tried many different attempts to attack that code on my home environment but with no success. So obviously the internet is safe from the likes of me.

For all the angry Perl Monks out there, don't jump all over me because my previous searches on this topic came up empty ;)

Replies are listed 'Best First'.
Re: Why is perl -MO=Deparse -f obf.txt unsafe?
by LanX (Saint) on Feb 06, 2016 at 17:53 UTC
    > It is my understanding, that perl -MO=Deparse does not actually run the PERL code. Is that correct?

    No, it isn't. Deparse needs to compile, and BEGIN blocks are executed then.

    Just try perl -c with code printing in a BEGIN block.

    perlrun has more details.

    > -c

    > causes Perl to check the syntax of the program and then exit without executing it. Actually, it will execute any BEGIN, UNITCHECK, or CHECK blocks and any use statements: these are considered as occurring outside the execution of your program. INIT and END blocks, however, will be skipped.

    Also perlmod#BEGIN%2c-UNITCHECK%2c-CHECK%2c-INIT-and-END

    Cheers Rolf
    (addicted to the Perl Programming Language and ☆☆☆☆ :)
    Je suis Charlie!

      Ah, BEGIN....

      So is that an oversight in the B::Deparse backend module or is there a useful reason perl -c runs the BEGIN code?

      Sure you show the warning in perlrun, but shouldn't there be a warning label or something on B::Deparse?
        Every use happens at begin time, including the execution of import.

        You can't compile without executing use and obviously you can't decompile without compiling.

        Welcome to the world of dynamic languages. :)

        Cheers Rolf
        (addicted to the Perl Programming Language and ☆☆☆☆ :)
        Je suis Charlie!

        update

        Maybe you should clarify your intentions; this smells like an XY Problem.

        It's the parser that runs BEGIN blocks, not the deparser.
Re: Why is perl -MO=Deparse -f obf.txt unsafe?
by davido (Cardinal) on Feb 06, 2016 at 19:06 UTC

    Here is an example of why it is unsafe:

    $ perl -MO=Deparse -ce 'BEGIN {print `date`}'
    Sat Feb 6 11:58:31 MST 2016
    sub BEGIN {
        print `date`;
    }
    -e syntax OK

    Run that one-liner, and we just executed a system command (date). We could just as easily have executed something malicious.


    Dave
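
The compile-phase behaviour described in the replies above, as an added example that is not part of the original thread: it runs a constructed sample file under both `perl -c` and `perl -MO=Deparse` and reports which special blocks left a record, so you can confirm on your own perl what a "check only" or "deparse only" pass executes. The names `sample.pl`, `phases.log`, `PHASE_LOG`, `note` and `phases_run` are hypothetical and exist only in this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

my $dir    = tempdir(CLEANUP => 1);
my $sample = File::Spec->catfile($dir, 'sample.pl');
my $marker = File::Spec->catfile($dir, 'phases.log');

# Constructed stand-in for an uploaded file. Each special block records its
# name in the file named by PHASE_LOG (a hypothetical variable for this demo).
my $code = <<'SAMPLE';
sub note { open my $fh, '>>', $ENV{PHASE_LOG} or die $!; print {$fh} "$_[0]\n"; close $fh }
BEGIN     { note('BEGIN') }
UNITCHECK { note('UNITCHECK') }
CHECK     { note('CHECK') }
INIT      { note('INIT') }
END       { note('END') }
note('MAIN');
SAMPLE

open my $out, '>', $sample or die "cannot write $sample: $!";
print {$out} $code;
close $out or die "cannot close $sample: $!";

# Run the current perl ($^X) over the sample with the given switches and
# return the names of the blocks that left a record.
sub phases_run {
    my @switches = @_;
    unlink $marker;
    local $ENV{PHASE_LOG} = $marker;
    # List-form pipe open: no shell is involved; stdout is read and dropped.
    open my $child, '-|', $^X, @switches, $sample or die "cannot run $^X: $!";
    my @discard = <$child>;
    close $child;
    return () unless -e $marker;
    open my $in, '<', $marker or die "cannot read $marker: $!";
    chomp(my @ran = <$in>);
    close $in;
    return @ran;
}

for my $switches (['-c'], ['-MO=Deparse']) {
    my @ran = phases_run(@$switches);
    printf "%-12s executed: %s\n", "@$switches", @ran ? "@ran" : '(nothing)';
}
```

Any block name that appears in the report ran with the privileges of the process that invoked perl, which on the website in the question is the web application itself.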