Saturday, March 13, 2021

Discovering a Remote Command Execution Vulnerability in a Perl Web Application

Back in early 2019, I discovered a remote command execution vulnerability in a Perl web application. Yes, you read that correctly: 2019 and a Perl web application in the same sentence. I'll attempt to reproduce some of the technical details here.

While assessing the application, I found a pretty blatant local file inclusion (LFI) vulnerability. The application accepted a file parameter and returned the named file to the requesting browser, with no restriction on which file could be requested. The normal behavior was something like the screenshot below.

 
The LFI vulnerability could be exploited as shown below.

 
 
After finding the LFI vulnerability, I searched for more information on Perl vulnerabilities. I came across an article by Jordan Dimov, Security Issues in Perl Scripts, which describes a command execution vulnerability in the two-argument form of Perl's open() function: when the filename string is attacker-controlled, a leading or trailing pipe character (|) makes open() treat the rest of the string as a command to run rather than a file to read. After learning of the vulnerability in open(), I used the LFI vulnerability to retrieve the Perl script's source from the web application.

 

After reviewing the file's contents, I was quickly able to find the open() call made by the script and, sure enough, it used the two-argument form with the user-supplied file parameter, making it vulnerable to command execution.

 

I exploited the vulnerability as shown in the screenshot below by appending a single vertical pipe (|) to the path of a known executable, such as /usr/bin/id. Perl then opened a pipe from that command's output instead of a file, and the script returned the command output in the response.
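The pattern behind both findings, as an added example rather than the assessed application's code: a two-argument open() fed with the request's file parameter, next to a hardened version that uses the three-argument form and confines the path to one directory, which closes the LFI as well. The base directory /var/www/app/docs and the default payload are assumed for illustration.

```perl
#!/usr/bin/perl
# Added example (not the assessed application's code): the two-argument
# open() pattern that made the script exploitable, next to a hardened
# version that also closes the LFI. Paths and the ?file= value are
# assumed/constructed for illustration.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;

# Stand-in for the untrusted ?file= parameter; "/usr/bin/id|" is the
# payload shape from the writeup (trailing pipe = "read from this command").
my $untrusted = @ARGV ? $ARGV[0] : '/usr/bin/id|';

# VULNERABLE: two-argument open() parses the mode out of the string itself.
#   "/usr/bin/id|"   -> pipe from the command (command execution)
#   "|/bin/sh"       -> pipe to the command
#   ">/etc/passwd"   -> truncate/overwrite a file
#   "/etc/passwd"    -> plain read of any file (the LFI)
sub read_file_unsafe {
    my ($name) = @_;
    open(my $fh, $name) or return "open failed: $!";
    local $/;                 # slurp mode
    my $data = <$fh>;
    close $fh;
    return $data;
}

# HARDENED: explicit read mode plus confinement to one directory.
my $BASE = '/var/www/app/docs';   # assumed directory the app may serve from

sub read_file_safe {
    my ($name) = @_;
    # Only simple relative names: no NUL bytes, no absolute paths, no "..".
    return undef unless defined $name
        && $name =~ m{\A[\w.\-/]+\z}
        && $name !~ m{(?:\A|/)\.\.(?:/|\z)}
        && $name !~ m{\A/};
    # realpath() resolves symlinks; refuse anything that escaped $BASE.
    my $path = realpath(File::Spec->catfile($BASE, $name));
    return undef unless defined $path && index($path, "$BASE/") == 0;
    # Three-argument open(): '<' is the mode and $path is only ever a
    # filename, so a trailing "|" or leading ">" has no special meaning.
    open(my $fh, '<', $path) or return undef;
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

print "two-arg open() on '$untrusted':\n", read_file_unsafe($untrusted), "\n";
my $safe = read_file_safe($untrusted);
print "three-arg open() on '$untrusted': ", (defined $safe ? $safe : 'rejected'), "\n";
```

Run it with no arguments and the unsafe function executes /usr/bin/id and returns its output, while the hardened function rejects the same string before open() is ever reached. Note that the three-argument open() alone fixes the command execution but not the LFI; the character allowlist, the ".." check and the realpath() confinement are what stop arbitrary file reads.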

 

Long story short: it's now 2021, let's stop using Perl CGIs in web applications. If you can't, at a minimum use the three-argument form of open() with an explicit mode and never pass a user-controlled string to the two-argument form.



Reference: 

Dimov, Jordan. "Security Issues in Perl Scripts." www.cgisecurity.com/lib/sips.html.

Wednesday, January 20, 2021

XSS in Wing FTP's Web Interface (CVE-2020-27735)

While conducting an external network penetration test for a client, I found an instance of Wing FTP Server running in the client’s external IP space. During the assessment, I discovered a previously unknown Cross-Site Scripting vulnerability in the Wing FTP Server (version 6.4.4) web interface. The details of the vulnerability and disclosure process are described below. 

Note: For the purpose of capturing the proof of concept screenshots in this writeup, I configured a local instance of Wing FTP Server. No screenshots are included from the actual client environment. 

While assessing the Wing FTP Server web application, I found a help page that was accessible without valid credentials. 


Furthermore, I discovered a script on the help page which writes a URL parameter into a frame's src attribute without validation, exposing the service to a Cross-Site Scripting vulnerability. Writing untrusted input into a frame's src lets an attacker supply a javascript: URL, which the browser executes when the frame loads.



I created the following proof of concept link to exploit the Cross-Site Scripting vulnerability in Wing FTP Server. 


Visiting the link executed arbitrary JavaScript in the browser as shown below. 
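To make the mechanism concrete, the following is an added example modelled on the behaviour described above, not Wing FTP's own code: a page that copies a query-string parameter straight into a frame's src, next to two hardened variants. The parameter name "page", the /help/ path and the help page names are assumed for illustration.

```javascript
// Added example (not Wing FTP's code): a model of a help page that copies
// a query-string parameter into a frame's src attribute, next to two
// hardened variants. The parameter name "page", the /help/ path and the
// page names are assumed for illustration.

// VULNERABLE: whatever arrives in ?page= becomes the frame source. A value
// such as "javascript:alert(document.cookie)" runs when the frame loads.
function unsafeFrameSrc(queryString) {
  const params = new URLSearchParams(queryString);
  return params.get('page');
}

// HARDENED (preferred): the parameter may only select a known help page.
const HELP_PAGES = new Set(['index.htm', 'users.htm', 'domains.htm']); // assumed names
const DEFAULT_PAGE = 'index.htm';

function safeFrameSrc(queryString) {
  const page = new URLSearchParams(queryString).get('page');
  return '/help/' + (page !== null && HELP_PAGES.has(page) ? page : DEFAULT_PAGE);
}

// HARDENED (when an allowlist is impractical): resolve the value against the
// page origin and accept only same-origin http(s) targets. "javascript:" and
// "data:" URLs have an opaque origin, and "//evil.example/x" resolves off-site,
// so all of them are rejected.
function sameOriginOrNull(value, pageOrigin) {
  let url;
  try {
    url = new URL(value, pageOrigin);
  } catch (e) {
    return null; // unparseable input
  }
  if (url.origin !== new URL(pageOrigin).origin) return null;
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  return url.pathname + url.search + url.hash;
}

// In a real page the result would be assigned to the frame element, e.g.
//   document.getElementById('content').src = safeFrameSrc(location.search);
// Here we only print what each function would put into src.
const attack = '?page=javascript:alert(document.cookie)';
console.log('unsafe     :', unsafeFrameSrc(attack));
console.log('allowlist  :', safeFrameSrc(attack));
console.log('same-origin:', sameOriginOrNull(unsafeFrameSrc(attack), 'https://ftp.example.test'));
```

The allowlist is the stronger fix because it never lets attacker-controlled text reach the attribute at all; the same-origin check is the fallback when the set of target pages is not known in advance, and it must be done with the URL parser rather than a string prefix check, since "//evil.example/x" and "https://ftp.example.test@evil.example/" both look harmless to a naive prefix test.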


 

I searched for more information about Wing FTP Server and found that their website claims over 8,000 organizations use Wing FTP Server, including the U.S. Air Force, Accenture, Sephora, Reuters and Sony.



I responsibly disclosed the vulnerability to the Wing FTP Server developers and ensured a patch was issued. 

Responsible Disclosure Timeline: 

  • October 26th, 2020 - Vulnerability disclosed to developers
  • November 17th, 2020 - Patch issued
  • January 20th, 2021 - Blog posted


