in reply to Re^5: Taint problems
in thread Taint problems

"cp real.pl evil.pl" is not reason enough to taint $0. Copying the file isn't "evil". It doesn't get you anything. For copying to be of any consequence, it would have to copy both the owner and the setuid bit. But if you can copy the owner, you can already impersonate the owner so it doesn't buy you anything you don't already have.

Replies are listed 'Best First'.
Re^7: Taint problems
by rowdog (Curate) on Dec 11, 2008 at 19:23 UTC

    Um, yeah, bad example, I was only trying to show how easy it is to manipulate $0.

    In C it's easy to manipulate argv[0] with the exec family. There are rather more sophisticated attacks as well. I learned a long time ago that you can't trust argv[0] or names in the process table.

    In any case, $0 isn't reliable and there's plenty of reasons to taint it, even if cp isn't the reason. I do, however, feel much better knowing that FindBin isn't as unsafe as I first thought.

[reply]

      I was only trying to show how easy it is to manipulate $0.

      Why are you trying to show that? Changing $0 isn't bad, as long as it points to the script being executed.

      there's plenty of reasons to taint it

      "Plenty"? I'd be interested in hearing some. I can only think of one, the ability to change the file to which the file name points after perl has read it. Mind you, that one reason is enough to warrant tainting.

      In C it's easy to manipulate argv[0] with the exec family

      Aye, for all binary executables, it's possible to execute the program will telling it it's a different file.

      That doesn't work work for script executables (such as Perl), because the interpreter must be able to locate the script to execute.

[reply]
[d/l]

        I was trying to show how easy it was to manipulate $0 because FindBin relies on it. In the "real world", no one uses FindBin just for curiosity, they use it to find related files. If I can fool FindBin, I can probably feed bogus data into the script by making it read my files instead of the owner's. Which could lead to a successful exploit. Which is why I was worried about FindBin in the first place.

        I agree that exec(3) alone is insufficient to exploit $0.

        I suppose that saying "there's plenty of reasons to taint" $0 is a bit imprecise. I agree that the challenge here is to point the filename to a different file but there are multiple attack vectors which might work (gaming the filesytem, a private, hacked, perl executable, doing "exec" without exec(3), etc). So, yes, one reason, but a number of ways to attack.

        On reflection, my opinion is that tainting is insufficient and relying on $0 (and thus FindBin) for anything is likely to be insecure. Usually, people untaint by pattern matching for allowed characters and a usefully bogus $0 could probably slip through. I don't really have the time or desire to work out the attacks on FindBin when I can just hardwire my paths and be sure.

        Just FYI, I used to wear a white hat but I've been out of the game for a number of years and my memory is not so great anymore, so I could easily be wrong about everything.

[reply]

In Section Seekers of Perl Wisdom