macOS Perl Applications Injection
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
PERL5OPT & PERL5LIB env variableUsing the env variable PERL5OPT it's possible to make perl execute arbitrary commands. For example, create this script:
Now export the env variable and execute the perl script:
Another option is to create a Perl module (e.g. /tmp/pmod.pm):
And then use the env variables:
It's possible to list the dependencies folder order of Perl running:
Which will return something like:
Some of the returned folders doesn't even exist, however, /Library/Perl/5.30 does exist, it's not protected by SIP and it's before the folders protected by SIP. Therefore, someone could abuse that folder to add script dependencies in there so a high privilege Perl script will load it.
However, note that you need to be root to write in that folder and nowadays you will get this TCC prompt:
For example, if a script is importing use File::Basename; it would be possible to create /Library/Perl/5.30/File/Basename.pm to make it execute arbitrary code.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
