Date: Tue, 27 Dec 2016 12:02:43 +0100
From: Florian Pritz <bluewind@...u.at>
To: oss-security@...ts.openwall.com
Subject: Re: PHPMailer < 5.2.18 Remote Code Execution
 [CVE-2016-10033]

On 27.12.2016 01:10, Tracy Reed wrote:
> Particularly since this is command
> injection which is precisely what SELinux is good at limiting (as
> opposed to SQL injection).

This is not strictly command injection. It is more similar to an
unrestricted file upload vulnerability. The problem is that you can use
the sendmail -X option to write a log file of the SMTP dialog (with an
arbitrary path) that then contains e.g. php code which you can execute
via a second request. php itself actually prevents you from performing
command injection because according to the documentation of the mail()
function, the arguments are wrapped in escape_shellcmd() internally. It
just doesn't prevent you from passing arbitrary arguments.

The attack is described here:
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/

Also note that postfix' sendmail implementation does not support the -X
option. Additionally I believe there are no other options in postfix'
sendmail that are vulnerable to this issue, but feel free to verify this.

Florian
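
An added example, not part of the message above and not PHPMailer or PHP code: a defensive check that models how a sender value appended as `-f<sender>` is split into sendmail arguments, and flags values that would add options such as `-X`. The base command line, the `-f` convention, the allowlist pattern and the helper names are assumptions made for illustration.

```python
import re
import shlex

# Assumed base command line; adjust to the local MTA wrapper.
BASE_CMD = "/usr/sbin/sendmail -t -i"
# Conservative allowlist for an envelope sender (hypothetical policy,
# deliberately stricter than what RFC 5321 permits).
SAFE_SENDER = re.compile(r"[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+")


def sendmail_argv(sender):
    """Model how the shell splits the command line when the sender is
    appended as '-f<sender>'. Shell metacharacters are assumed to be
    escaped already; that escaping leaves spaces alone, so the value can
    still split into several arguments."""
    return shlex.split(BASE_CMD + " -f" + sender)


def audit_sender(sender):
    """Return a list of findings; an empty list means the value is acceptable."""
    findings = []
    if not SAFE_SENDER.fullmatch(sender):
        findings.append("not a plain address")
    try:
        argv = sendmail_argv(sender)
    except ValueError:  # unbalanced quotes: refuse rather than guess
        return findings + ["unparseable quoting"]
    # Everything after the base command plus the single -f argument is extra.
    extra = argv[len(shlex.split(BASE_CMD)) + 1:]
    if extra:
        findings.append("extra sendmail arguments: " + " ".join(extra))
    return findings


# Constructed sample inputs, not taken from the thread.
SAMPLES = [
    "noreply@example.com",
    "user@example.com -X/tmp/constructed-example.log",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", audit_sender(s) or "ok")
```

Running the audit on the value before it reaches the mail call rejects it outright; an MTA whose sendmail wrapper lacks `-X` only removes one way of abusing the extra argument.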


