Date: Sun, 7 May 2017 17:32:38 -0300
From: Dawid Golunski <dawid@...alhackers.com>
To: oss-security@...ts.openwall.com
Subject: Re: [white-paper] Pwning PHP mail() function For Fun And RCE (ver 1.0)

Hi Kash,

On Sun, May 7, 2017 at 1:12 PM, Kash Pande <kash@...pleback.net> wrote:
>
> On 03/05/17 04:32 PM, Dawid Golunski wrote:
>>
>> Here's a paper I wrote back in December.  It was originally meant to go
>> into Phrack but the team wanted a more general article on parameter injection
>> as mail() was supposedly an outdated technique.
>> Meanwhile, the RCE-chain continues :) So I decided to post it as it is without
>> changing it as mail() injection deserves a separate article imho.
>>
>> https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html
>
>
> This article purposely uses a litany of poor programming practices to expose
> an alleged exploit in PHP mail().. I'd like to see the same exploit, without
> assuming the developer on the software had no idea what they're doing
> (passing non-sanitized variables to functions).

In my article some of the early examples are simplified to demonstrate
the general concept in an easy way.
Try digging a bit deeper and maybe do some research too...
Note the paragraph:
"It presents several new exploitation vectors and bypass techniques
on the PHP mail() function that were discovered and recently released by the
author of this white-paper in the course of finding multiple critical
vulnerabilities in major PHP e-mail sending libraries (PHPMailer, Zend
Framework / Zend-mail, SwiftMailer) that are used by millions of web
applications/projects (e.g Wordpress, Drupal, Joomla etc.)  and PHP
programming frameworks (Zend, Yii2, Symphony, Laravel etc.)"

These are all real-world examples of vulns that I discovered and that
you can read-up on here:

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html
https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html
https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html

These are pretty good examples I think. If creators of major email
sending libraries / email client software have made the mistakes that
have stayed hidden for years,  there is a chance others have made
it/will make it too.

Contrary to what you seem to assume here, mail() function parameters
are quite tricky to use properly.
Note my CVE-2016-10045 exploit which was a bypass of the
CVE-2016-10033 patch applied to phpmailer library.

There is also a whole write-up on the subject/problem by a developer
that emerged after the phpmailer vulnerability I disclosed:

https://gist.github.com/Zenexer/40d02da5e07f151adeaeeaa11af9ab36


> As well, you noted in your
> own article that this 'discovery' was first published in 2011 by someone
> else.

Yes, as explained, with only 2 Sendmail techniques (file write with -X
parameter / and file read -C parameter) known back then which are not
really applicable these days as Sendmail is pretty much extinct/not
shipped with any distro by default, and -X required a writable upload
directory / known path etc.

http://www.securityspace.com/s_survey/data/man.201703/mxsurvey.html


>>
>> I reveal some exim code-execution vectors in there that should change
>> the whole game slightly :)
>
>
> Not really, because it still relies on unfiltered input.
>

Yes, you have to have a vulnerability to exploit it ;)
It's like saying 'ret2libc is useless technique because it still
relies on a buffer overflow, format string, X... vulnerability' :)

The exim vector I presented in the article will help a lot in the
exploitation of these kinds of vulns as exim is widely used, and the
vector doesn't require you to know file paths, plus it is good for
bypassing filters.

A good example of the exim vector is my recently disclosed Wordpress
RCE exploit (which would likely not be possible if it wasn't for the
exim vector):

https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html


Hope this helps / explains some things better and happy hacking.



Regards,
Dawid Golunski
https://legalhackers.com
https://ExploitBox.io
t: @dawid_golunski
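
The message above says mail() parameters are tricky to use properly. One defensive way to handle the envelope sender before it reaches mail()'s fifth argument, as an added example that is not part of the original message or of any library named in it; the helper name and the sample addresses are constructed for illustration:

```php
<?php
declare(strict_types=1);

// Added example: envelopeSenderParam() is a hypothetical helper, not code
// from PHPMailer or any other library named in this thread.

/**
 * Build the value for mail()'s fifth argument ($additional_params) from an
 * untrusted envelope sender. Returns null when the address must not be
 * placed on the MTA command line.
 */
function envelopeSenderParam(string $sender): ?string
{
    // Strict allowlist instead of escaping: no whitespace, quotes,
    // backslashes or shell metacharacters, so the value cannot end the -f
    // argument and introduce further options. \A and \z anchor the whole
    // string; '$' would still match before a trailing newline.
    $local  = '[A-Za-z0-9][A-Za-z0-9._+-]{0,63}';
    $domain = '[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?';
    if (preg_match('/\A' . $local . '@' . $domain . '\z/', $sender) !== 1) {
        return null;
    }
    return '-f' . $sender;
}

// Constructed sample inputs (not taken from the advisories).
$samples = [
    'webmaster@example.com',         // plain address
    '"web master"@example.com',      // quoted local part containing a space
    'webmaster@example.com -Xlog',   // trailing text that looks like an option
    "webmaster@example.com\n",       // trailing newline
];

foreach ($samples as $candidate) {
    $param = envelopeSenderParam($candidate);
    printf("%-34s => %s\n", json_encode($candidate), $param ?? 'rejected');
    // A caller would then send with:
    //   mail($to, $subject, $body, $headers, $param ?? '');
    // so for a rejected sender no -f option is passed at all.
}
```

Only the first sample is accepted; the allowlist is deliberately narrower than what the e-mail address RFCs permit.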
