Re: Passing (poison) nulls in cookies

From: Max Vision (visionat_private)
Date: Mon May 14 2001 - 13:27:45 PDT


    Since no one answered this I thought I'd share what I know about it.  It 
    looks like the show-stopper is indeed with environment variables.  You can 
    send nulls in cookies and it doesn't appear that apache does anything to 
    filter them.  However perl uses a bash-type shell by default, which to the 
    best of my understanding will always truncate an environment variable on a 
    null.
    
    Here was what I saw:
    
      bash,zsh: truncates at the null, "hi\x00there" becomes "hi"
      csh,tcsh: converts null to space, "hi\x00there" becomes "hi there"
      ash,ksh: removes the null, "hi\x00there" becomes "hithere"
    
    You can see why each shell does this by following the source. I think that 
    most server-side cgi languages are going to run under the bash environment 
    by default.  I think that perl does, and since you are probably targeting perl 
    (poison null byte attack), then I guess the question is answered "nope, you 
    can't do that".
    
       bash and zsh truncate at the null:
    
         bash
         [root@local /bin]# export foo=`perl -e 'print "hi\x00there!\n";'`
         [root@local /bin]# echo $foo|cat -vet
         hi$
    
         zsh
         local# setenv foo `perl -e 'print "hi\x00there!\n";'`
         local# echo $foo|cat -vet
         hi$
    
       ash and ksh remove it:
    
         ash
         # export foo=`perl -e 'print "hi\x00there!\n";'`
         # echo $foo|cat -vet
         hithere!$
    
         ksh
         # export foo=`perl -e 'print "hi\x00there!\n";'`
         # echo $foo|cat -vet
         hithere!$
    
       csh/tcsh seem to convert it to a space:
    
         tcsh
         [local /bin]# setenv foo `perl -e 'print "hi\x00there!\n";'`
         [local /bin]# echo $foo|cat -vet
         hi there!$
    
    Max Vision
    http://whitehats.com/
    http://maxvision.net/
    
    At 12:06 PM 4/27/2001 -0600, Franklin DeMatto wrote:
    >Is there a way of passing (poison) nulls to cgi's in cookies???
    >That is, is there a way of getting cookies to contain a null???
    >
    >It seems like apache will pass nulls in header lines fine, but being
    >that the cgi spec passes headers as env variables, the null will lop them
    >off.
    >
    >Does anyone know of a solution, or a work around?
    >
    >
    >(The code I'm testing is something like:
    >         unlink "$cookie_name.user";
    >where $cookie_name is plucked from a cookie, and I'm
    >testing to see if the .user is tough enough)
    >
    >Or maybe there is something else that can chop off the '.user' suffix?
    >
    >Franklin DeMatto
    >franklinat_private
    >qDefense - DEFENDING THE ELECTRONIC FRONTIER
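
    The following is an added worked example, not code from this thread or
    from either poster. It walks the three places a null byte has to survive
    in the scenario above: the CGI environment hand-off, the string
    concatenation that builds "$cookie_name.user", and the libc unlink()
    call. The environment is the choke point: every entry in execve()'s envp
    is a plain NUL-terminated C string, so whatever shell (if any) sits in
    between, the script can never see past the first raw NUL. The cookie
    value "secret\0.user", the file names and the ".user" suffix are
    assumptions modelled on the quoted snippet; the scratch directory is
    created under /tmp (or the current directory) and removed again. The
    last function is a caveat that goes beyond the thread: the hand-off only
    strips raw NUL bytes, so a script that percent-decodes the cookie value
    itself after reading it from the environment will reconstitute "%00"
    into a real NUL on its own side of the boundary.

```c
#define _GNU_SOURCE          /* for setenv() and mkdtemp() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Constructed cookie value as it would sit inside a Perl scalar (assumption:
 * the script appends ".user" to it, as in the quoted snippet). Perl strings
 * are length-counted, so the embedded NUL would survive inside Perl. */
static const char COOKIE_VALUE[] = "secret\0.user";
#define COOKIE_VALUE_LEN (sizeof(COOKIE_VALUE) - 1)   /* 12 bytes, NUL included */

/* Stage 1: the CGI hand-off. An environment entry is a C string, so
 * setenv()/execve() copy only up to the first NUL and getenv() in the child
 * returns the truncated value. Returns what the CGI script would read. */
const char *env_roundtrip(const char *name, const char *value_with_nul)
{
    if (setenv(name, value_with_nul, 1) != 0) return NULL;   /* stops at NUL */
    return getenv(name);
}

/* Stage 2: the sink. Build "$cookie_name.user" keeping every byte, the way a
 * length-counted language would, then report how many bytes a C path
 * function such as unlink() would actually use. */
size_t effective_path_len(const char *value, size_t value_len,
                          char *out, size_t outlen)
{
    if (value_len + sizeof(".user") > outlen) return 0;
    memcpy(out, value, value_len);
    memcpy(out + value_len, ".user", sizeof(".user"));  /* includes final NUL */
    return strlen(out);        /* libc and the kernel stop here */
}

/* Stage 3: do it for real in a scratch directory. Creates "secret" and
 * "secret.user", unlinks the poisoned name, and returns 1 if "secret" was
 * removed while "secret.user" survived, 0 if not, -1 on setup failure. */
int poison_null_unlink_demo(void)
{
    char dir[] = "/tmp/poisonnull.XXXXXX";
    char victim[80], intended[80], poisoned[80];
    int fd, result;

    if (mkdtemp(dir) == NULL) {                 /* fall back to cwd if /tmp is off limits */
        strcpy(dir, "./poisonnull.XXXXXX");
        if (mkdtemp(dir) == NULL) return -1;
    }
    snprintf(victim, sizeof victim, "%s/secret", dir);
    snprintf(intended, sizeof intended, "%s/secret.user", dir);
    if ((fd = open(victim, O_WRONLY | O_CREAT, 0600)) < 0) return -1;
    close(fd);
    if ((fd = open(intended, O_WRONLY | O_CREAT, 0600)) < 0) return -1;
    close(fd);

    /* "<dir>/" + "secret\0.user" + ".user": the kernel sees "<dir>/secret". */
    size_t n = (size_t)snprintf(poisoned, sizeof poisoned, "%s/", dir);
    effective_path_len(COOKIE_VALUE, COOKIE_VALUE_LEN, poisoned + n, sizeof poisoned - n);
    unlink(poisoned);

    result = (access(victim, F_OK) != 0) && (access(intended, F_OK) == 0);

    unlink(intended); unlink(victim); rmdir(dir);      /* cleanup */
    return result;
}

/* Caveat stage: percent-decoding done by the script itself, after the
 * environment boundary (assumption: a URL-style %XX decoder). "%00" becomes
 * a real NUL here, so the returned length must be used instead of strlen(). */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

size_t percent_decode(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    while (*in && n < outlen) {
        int hi, lo;
        if (*in == '%' && (hi = hexval(in[1])) >= 0 && (lo = hexval(in[2])) >= 0) {
            out[n++] = (char)(hi * 16 + lo);
            in += 3;
        } else {
            out[n++] = *in++;
        }
    }
    return n;   /* may contain embedded NULs */
}
```

    Run with the raw value "name=secret\0.user", env_roundtrip() hands back
    "name=secret", which is the thread's "nope" in one call. Run with
    "name=secret%00.user" it hands back the full string, and only the
    script's own percent_decode() turns it into "name=secret\0.user", which
    unlink() then reads as "name=secret". The check for a sink like the
    quoted one is therefore not the shell but whether any decoding happens
    after the environment is read.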
    



    This archive was generated by hypermail 2b30 : Mon May 14 2001 - 21:53:57 PDT