PGPMail.pl is a Perl script that extends Matt Wright's FormMail v1.5 to encrypt HTML form data using PGP. Two vulnerabilities exist that allow a remote attacker to execute arbitrary commands on the web server it is installed on.
Credit:
The information has been provided by Joe Testa, Markus Bertheau, and John Scimone.
Vulnerable systems:
PGPMail.pl version 1.31
The script passes user-supplied data directly to a shell:

line 373:
    open (MAIL, "|$mailprog $CONFIG{'recipient'}") ||
        die "Can't open $mailprog!\n";

line 383:
    $ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0 \"$CONFIG{'pgpuserid'}\" > $pgptmp");
The hash table 'CONFIG' is built from either the QUERY_STRING or the standard input, depending on the HTTP method used to submit the form data to the script. None of the input is filtered. It should be noted that although the script checks the HTTP_REFERER field against a list of acceptable sources, these vulnerabilities are still exploitable because a valid referrer is trivially forged.
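The following is an added example, not code from PGPMail.pl or its author, showing how the two lines quoted above can be written so that form data never reaches /bin/sh. It reuses the advisory's names ($pgpprog, $pgptmp, %CONFIG) and makes two assumptions of its own: the user id whitelist ^[A-Za-z0-9]{1,64}$ (the same character class as the vendor-contact patch below, but anchored and length-capped so a failed match cannot be mistaken for a partial one), and the fork-and-exec idiom for the pipe open, which hands the argument list straight to the program instead of a shell. The header check is there because a fix that switches sendmail to -t makes the printed headers decide delivery, so CR/LF in a form field must be rejected.

```perl
#!/usr/bin/perl
# Added example (not from PGPMail.pl): validate form data and run the
# external program without a shell. $pgpprog, $pgptmp and %CONFIG mirror
# the names used in the advisory; the sample values are constructed.
use strict;
use warnings;

# Anchored whitelist (assumption: same class as the patch, but ^...$ bound
# and capped). Returns the id unchanged or undef; never a substring.
sub valid_pgp_userid {
    my ($id) = @_;
    return undef unless defined $id;
    return ($id =~ /^[A-Za-z0-9]{1,64}$/) ? $id : undef;
}

# Header values must be single-line: with "sendmail -t" the header block
# selects the recipients, so an embedded newline would add headers.
sub valid_header_value {
    my ($v) = @_;
    return (defined $v && $v !~ /[\r\n]/ && length($v) <= 200) ? $v : undef;
}

# Run $prog with @$args, feeding $data on stdin and sending stdout to
# $outfile. open('|-') forks; the child exec()s the argv list directly,
# so no shell ever parses the arguments. Returns the child's exit status.
sub run_no_shell {
    my ($prog, $args, $data, $outfile) = @_;
    my $pid = open(my $child, '|-');
    defined $pid or die "fork failed: $!";
    if ($pid == 0) {                                  # child
        open(STDOUT, '>', $outfile) or die "cannot write $outfile: $!";
        exec { $prog } $prog, @$args;                 # argv passed verbatim
        die "exec $prog failed: $!";
    }
    print $child $data;                               # parent
    close $child;                                     # waits for child, sets $?
    return $? >> 8;
}

# Constructed sample standing in for the parsed form submission.
my %CONFIG = (
    'pgpuserid'  => '0xDEADBEEF; echo injected',      # hostile value
    'your name'  => 'Alice',
    'your email' => 'alice@example.com',
);
my $pgpprog = '/usr/local/bin/pgp';                   # assumed path
my $pgptmp  = '/tmp/pgpmail.example.out';             # assumed path

for my $field ('your name', 'your email') {
    defined valid_header_value($CONFIG{$field})
        or die "rejected header field '$field'\n";
}

my $uid = valid_pgp_userid($CONFIG{'pgpuserid'});
if (!defined $uid) {
    # This branch runs for the sample: ';' and ' ' are outside the whitelist.
    print "rejected pgpuserid: not a plain [A-Za-z0-9] key id\n";
} else {
    my $status = run_no_shell($pgpprog, ['-fea', '+VERBOSE=0', $uid],
                              "message body\n", $pgptmp);
    print "$pgpprog exited with status $status\n";
}
```

On Perl 5.8 and later the same effect is available as the list-form open, open(PGP, '|-', $pgpprog, '-fea', '+VERBOSE=0', $uid), which likewise bypasses the shell; the fork-and-exec form above is shown because it also works on the Perl versions current when this advisory was written.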
Solution:
Apply the following patch:
< open (MAIL, "|$mailprog $CONFIG{'recipient'}") || die "Can't open $mailprog!\n";
< print MAIL "From: $CONFIG{'your name'} \<$CONFIG{'your email'}\>\n";
- ---
> # Don't pass the recipient to the $mailprog on the command line.
> # Instead, use the '-t' feature. Fixed by Joe Testa
> # (joetesta@hushmail.com).
> open (MAIL, "|$mailprog -t") || die "Can't open $mailprog!\n";
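Review bot: the new `open (MAIL, "|$mailprog -t")` moves recipient selection from the command line into the message headers, but nothing in this hunk prints a `To:` header; unless a `To: $CONFIG{'recipient'}` line is written to MAIL elsewhere the message has no destination. Because `-t` also honours `Cc:` and `Bcc:` headers, every header value taken from the form now needs a CR/LF check before it is printed, and a comment here saying why no form data may ever be appended to this command again would keep the fix from being undone later.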
375a378
> print MAIL "From: $CONFIG{'your name'} \<$CONFIG{'your email'}\>\n";
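Review bot: `$CONFIG{'your name'}` and `$CONFIG{'your email'}` are interpolated into the From: header unfiltered, and with `-t` in effect the header block now controls delivery, so these two values need the same treatment the pgpuserid gets in the next hunk (at minimum reject embedded CR/LF and cap the length). Separately, `\<` and `\>` inside a double-quoted string are passed through as `<` and `>` but raise "Unrecognized escape" warnings under -w; plain `<` and `>` suffice.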
383c386,392
< $ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0 \"$CONFIG{'pgpuserid'}\" > $pgptmp");
- ---
> # The PGP user id must be passed via command line, so make sure
> # that only legal characters are present. Fixed by Joe Testa
> # (joetesta@hushmail.com).
> $theUserID = $CONFIG{'pgpuserid'};
> $theUserID =~ /([a-zA-Z0-9]+)/;
> $theUserID = $1;
> $ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0 \"$theUserID\" >$pgptmp");
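Review bot: the match `$theUserID =~ /([a-zA-Z0-9]+)/;` is unanchored and its result unchecked: it keeps only the first alphanumeric run, so a user id such as `joe@example.com` becomes `joe` and may select a different key than intended, and if the value contains no alphanumeric at all the match fails and `$1` keeps whatever the last successful match in scope left in it. Guard it, e.g. `if ($theUserID =~ /^([a-zA-Z0-9]+)$/) { $theUserID = $1 } else { die "bad pgpuserid" }`. `$pgptmp` is still interpolated into the shell command, so confirm it is never derived from form data; a fork-and-exec pipe (`open(PGP, "|-") || exec $pgpprog, '-fea', '+VERBOSE=0', $theUserID`) would take the shell out of this path entirely.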
Vendor status:
The script's author, William Malin, was contacted on Friday, November 9, 2001. No reply was received.