A little googling showed me the following (taken from here: http://artofhacking.com/files/phrack/phrack55/P55-07.TXT):

Quoting "Rain Forest Puppy":

You see, Perl allows NUL characters in its variables as data. Unlike C, NUL is not a string delimiter. So, "root" != "root\0". But, the underlying system/kernel calls are programmed in C, which DOES recognize NUL as a delimiter. So the end result? Perl passes "rfp\0.db", but the underlying libs stop processing when they hit the first (our) NUL.

What if we had a script that allowed trusted junior admins to change passwords on anyone's account EXCEPT root? The code could be:

    $user = $ARGV[1];   # user the jr admin wants to change
    if ($user ne "root") {
        # do whatever needs to be done for this user
    }

(**NOTE: this is here in WAY simplistic form & theory just to illustrate the point)

So, if the jr. admin tries 'root' as the name, it won't do anything. But, if the jr. admin passes 'root\0', Perl will succeed the test, and execute the block. Now, when system calls are piped out (unless it's all done in Perl, which is possible, but not likely), that NUL will be effectively dropped, and actions will be happening on root's record.

While this is not necessarily a security problem in itself, it is definitely an interesting feature to watch for. I've seen many CGIs that tack on a ".html" to some user-submitted form data for the resulting page. I.e.

page.cgi?page=1

winds up showing me 1.html. Semi-secure, because it adds ".html", so you'd think, at worst, it'd only show HTML pages. Well, if we send it

page.cgi?page=page.cgi%00 (%00 == '\0' escaped)

then the script will wind up feeding us a copy of its own source! Even a check with Perl's '-e' will fail:

    $file = "/etc/passwd\0.txt.whatever.we.want";
    die("hahaha! Caught you!") if ($file eq "/etc/passwd");
    if (-e $file) { open(FILE, ">$file"); }

This will succeed (if there is, in fact, an /etc/passwd), and open it for writing.

Solution? Simple! Remove NULs. In Perl, it's as simple as

$insecure_data=~s/\0//g;

Note: don't escape them with the rest of the shell metacharacters. Completely remove them.

Please note: The indented text is not my own, I just thought it answered Nik's question and formatted it for our forum.



--chargrill
s**lil*; $*=join'',sort split q**; s;.*;grr; &&s+(.(.)).+$2$1+; $; = qq-$_-;s,.*,ahc,;$,.=chop for split q,,,reverse;print for($,,$;,$*,$/)

In reply to Re: How to avoid Null Byte Injection by chargrill
in thread How to avoid Null Byte Injection? by Nik
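The script below is an added illustration of the point quoted above; it is not code from the Phrack article, from chargrill's post, or from Nik's thread. It models what a C string function would see (`as_c_string`, a stand-in for the truncation the C library performs, not a real syscall), runs the post's `ne "root"` check and the `page.cgi` case against constructed inputs containing a NUL, and shows both the post's fix (`s/\0//g`) and an allow-list check whose username pattern is an assumption for the example. Note also that Perl 5.20 and later warn "Invalid \0 character in pathname" and fail the call instead of passing the truncated name to the C layer (see perldiag), so on a current Perl the `-e`/`open` trick above no longer reaches the kernel, but the comparison mismatch still exists and any value handed to an external command or another language still needs the NUL stripped.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not code from the Phrack article or chargrill's post.
# Perl compares whole byte strings; a C string function only sees the
# bytes before the first NUL. The helpers below make that visible.

# Stand-in for what a C string function (or a syscall taking a char *)
# would act on: everything up to the first NUL byte.
sub as_c_string {
    my ($s) = @_;
    return (split /\0/, $s, 2)[0] // '';
}

# The post's check, unchanged: it compares the full Perl string.
sub is_allowed_user_naive {
    my ($user) = @_;
    return $user ne 'root' ? 1 : 0;
}

# Fix 1 from the post: remove NUL bytes outright (do not escape them).
sub strip_nul {
    my ($s) = @_;
    $s =~ s/\0//g;
    return $s;
}

# Fix 2 (added): allow-list the whole value so any stray byte is rejected,
# instead of blocking one specific string. The character class is an
# assumption for this example; adjust it to the accounts you really manage.
sub valid_username {
    my ($user) = @_;
    return $user =~ /\A[a-z_][a-z0-9_-]{0,31}\z/ ? 1 : 0;
}

# Make embedded NULs visible when printing.
sub show {
    my ($s) = @_;
    $s =~ s/\0/\\0/g;
    return $s;
}

# Case 1: the junior-admin script. Input is constructed for the example.
my $user = "root\0";
printf "input:              '%s'\n", show($user);
printf "naive check:        %s\n",
    is_allowed_user_naive($user) ? 'allowed (check bypassed)' : 'blocked';
printf "C layer acts on:    '%s'\n", as_c_string($user);
printf "after strip_nul:    %s\n",
    is_allowed_user_naive(strip_nul($user)) ? 'allowed' : 'blocked';
printf "allow-list check:   %s\n",
    valid_username($user) ? 'accepted' : 'rejected';

# Case 2: page.cgi?page=page.cgi%00 (URL-decoded). Constructed input.
my $page = "page.cgi\0";
my $path = "$page.html";                   # what the CGI builds
printf "\nCGI builds:         '%s'\n", show($path);
printf "C layer opens:      '%s'\n", as_c_string($path);
printf "after strip_nul:    '%s'\n", strip_nul($page) . ".html";
```

Run it with `perl nul.pl`; the naive check reports `allowed` for `root\0` while the C layer sees `root`, and the CGI path `page.cgi\0.html` collapses to `page.cgi` at the C boundary, which is exactly why the script would serve its own source. Stripping the NUL before the comparison, or rejecting the value with an allow-list, closes both cases.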
