Saturday, March 13, 2021

Discovering a Remote Command Execution Vulnerability in a Perl Web Application

Back in early 2019, I discovered a remote command execution vulnerability in a Perl web application. Yes, you read that correctly: 2019 and Perl web application in the same sentence. I'll attempt to reproduce some of the technical details here.

While assessing the application, I found a pretty blatant LFI vulnerability. The application supported a request for a file parameter that would return an arbitrary file to the requesting browser. The normal behavior was something like the below screenshot.

 
The LFI vulnerability could be exploited as shown below.

 
 
After finding the LFI vulnerability, I searched for more information on Perl vulnerabilities. I came across this blog by Jordan Dimov, which described a command execution vulnerability in the two-argument form of Perl's open() function. After learning of the vulnerability in open(), I used the LFI vulnerability to access the Perl script on the web application.

 

After assessing the file's contents, I was quickly able to find the open() call made by the script and, sure enough, it was vulnerable to command execution.

 

I exploited the vulnerability as shown in the below screenshot by adding a single vertical pipe to the end of a known executable file, such as /usr/bin/id.
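The vulnerable pattern next to a hardened one, as an added example that is not the application's code (the script's source is not reproduced on this page); the sub names, document root and inputs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed document root holding one sample file (assumption for the demo).
my $docroot = tempdir(CLEANUP => 1);
open(my $seed, '>', "$docroot/report.txt") or die "cannot seed docroot: $!";
print {$seed} "sample report\n";
close($seed);

# Vulnerable pattern: two-argument open() takes the mode from the string
# itself, so a value ending in "|" is run as a command, and any path the
# caller supplies is opened as-is (the LFI).
sub read_file_unsafe {
    my ($file) = @_;
    open(my $fh, $file) or return "open failed: $!\n";
    local $/;                      # slurp the whole handle
    return scalar(<$fh>) // '';
}

# Hardened pattern: accept only a bare file name from a strict character
# set, then use three-argument open() so the mode is fixed to read-only
# and the name is never parsed for pipes or redirects.
sub read_file_safe {
    my ($file) = @_;
    return "rejected\n"
        unless $file =~ /\A[A-Za-z0-9_-]+(?:\.[A-Za-z0-9]+)?\z/;
    open(my $fh, '<', "$docroot/$file") or return "open failed: $!\n";
    local $/;
    return scalar(<$fh>) // '';
}

# Constructed inputs: a normal request, a traversal, and the trailing pipe
# described in the post.
for my $input ('report.txt', '../report.txt', '/usr/bin/id|') {
    print "safe   [$input] => ", read_file_safe($input);
}

# The same trailing-pipe value through the two-argument form returns the
# command's output instead of file contents.
print "unsafe [/usr/bin/id|] => ", read_file_unsafe('/usr/bin/id|');
```

The name check closes the file-read issue and the three-argument open() closes the command execution; either one alone leaves the other bug in place.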

 

Long story short: it's now 2021, let's stop using Perl CGIs in web applications.



Reference: 

Dimov, Jordan. Security Issues in Perl Scripts, www.cgisecurity.com/lib/sips.html.
