Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 28 Dec 2016 17:58:28 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Marcus Bointon <marcus@...chromedia.co.uk>
Subject: Re: PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)

On Wed, Dec 28, 2016 at 03:03:39AM -0200, Dawid Golunski wrote:
> PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit
> (CVE-2016-10045) (Bypass for the CVE-2016-1033 patch)

Marcus has just released 5.2.21 with a fix for CVE-2016-10045.  The fix
stops using escapeshellarg()'s result, and instead sanity-checks the
string's characters:

+            // All other characters have a special meaning in at least one common shell, including = and +.
+            // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
+            // Note that this does permit non-Latin alphanumeric characters based on the current locale.
+            if (!ctype_alnum($c) && strpos('@...', $c) === false) {
+                return false;

I think the use current locale is weird (an explicit check for
[a-zA-Z0-9] would have been more appropriate), but overall hopefully
this is a working fix now.

I suggest also sanity-checking the string length, for good measure.
Maybe in another update.

> This was reported responsibly to the vendor & assigned a CVEID on the
> 26th of December.
> The vendor has been working on a new patch which would fix the problem but
> not break the RFC too badly. The patch should be published very soon.
> 
> I'm releasing this as a 0day without the new patch available publicly
> as a potential bypass was publicly discussed on oss-sec with Solar
> Designer in the PHPMailer < 5.2.18 thread, so holding the advisory
> further would serve no purpose.

Yeah.  I did think for a moment before posting in here yesterday, but
for a number of reasons chose to go ahead with the public discussion.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.