Re: PGPMail.pl possible remote command execution

["Joseph S. Testa II" <jst3290 () ritvax isc rit edu>]

John Scimone wrote:

> PGPMail.pl (http://www.venturablvd.com/pgpmail/) is a modified version of 
> Matt Wright's FormMail.pl meant to support PGP form mail.
> I was recently looking at the code and noticed 2 questionable open() calls 
> that appear to be exploitable:
>
> open (MAIL, "|$mailprog $CONFIG{'recipient'}") || die "Can't open 
> $mailprog!\n";
>
> and...
>
> $ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0 \"$CONFIG{'pgpuserid'}\" > 
> $pgptmp");
>
> recipient and pgpuserid are both kept in hidden fields supplied by the client
> wouldn't it be possible to just throw in a ; /bin/whatever to execute 
> commands with the priveledges of the webserver?
>
> the only parsing done on the input is in these lines:
>
>      $value =~ tr/+/ /;
>      $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
>
>      # If they try to include server side includes, erase them, so they
>      # arent a security risk if the html gets returned.  Another
>      # security hole plugged up.
>
>      $value =~ s/<!--(.|\n)*-->//g;
>      $value =~ s/~!/ ~!/g; #maybe superfluos
>
> I don't understand perl that wellso i'll leave this up to the reader to 
> decide whether this can be exploited successfully but your thoughts are 
> appreciated.
>
> The last update to this script was done at the beginning of 2000 and it isn't 
> too active on the web, however there are some sites running it and this 
> should be looked at if it is exploitable.
>
> John Scimone
> CS Major @ Ga Tech
Hi John --

  Yes, it is exploitable.  I wrote an advisory for this already, but I 
didn't release it yet because I'm on vacation.  =]
  I informed the author three weeks ago, but I still didn't get a reply.

  - Joe Testa