RCE Exploit (CVE-2016-10033 / CVE-2016-10045, PHPMailer) Part 1-3

Hello friends, today I come to publish my first tutorial.
Today we are going to talk about the new vulnerability in PHPMailer that affects millions of websites.


I. VULNERABILITY
-------------------------

PHPMailer < 5.2.20 Remote Code Execution (0day Patch Bypass/exploit)


II. BACKGROUND
-------------------------

"PHPMailer continues to be the world's most popular transport class, with an
estimated 9 million users worldwide. Downloads continue at a significant
pace daily."

http://phpmailer.worxware.com/


"Probably the world's most popular code for sending email from PHP!
Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii,
Joomla! and many more"

https://github.com/PHPMailer/PHPMailer


III. INTRODUCTION
-------------------------

Independent research uncovered a critical vulnerability in PHPMailer that
could be used by unauthenticated remote attackers to achieve arbitrary
code execution in the context of the web server user and remotely
compromise the target web application.

To exploit the vulnerability an attacker could target common website
components such as contact/feedback forms, registration forms, password
email resets and others that send out emails with the help of a vulnerable
version of the PHPMailer class.

The first patch for CVE-2016-10033 was incomplete.
This advisory demonstrates a bypass of that patch.
The bypass allows Remote Code Execution on all versions current at the
time of writing (including 5.2.19).

NOTE:
The vulnerability / patch bypass was responsibly reported to the vendor
in private on December 26th and a new CVE was issued by MITRE on the same day.
However, a potential bypass was publicly discussed on the oss-sec list.
Holding the advisory back further would have served no purpose, which is
what triggered its early release.


IV. DESCRIPTION
-------------------------


The patch for CVE-2016-10033 added in PHPMailer 5.2.18 sanitizes the
$Sender variable by applying escapeshellarg() before the value is passed
to the mail() function as its 5th parameter (additional_parameters).

It does not, however, take into account that escapeshellarg() clashes
with the internal escapeshellcmd() escaping that mail() itself performs
on that 5th parameter: escapeshellarg() encodes an embedded single quote
as '\'' and escapeshellcmd() then backslash-escapes the backslash, so the
quote that was meant to be neutralised is handed to the shell as a real
quote again.

As a result it is possible to inject an extra quote that does not get
properly escaped, break out of the escapeshellarg() protection applied by
the patch in PHPMailer 5.2.18, and have the shell split the rest of
$Sender into additional sendmail arguments.

For example:

$mail->SetFrom("\"Attacker\\' -Param2 -Param3\"@test.com", 'Client Name');

will result in the following list of arguments being passed to the sendmail program:

Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-f\"Attacker\\\]
Arg no. 4 == [-Param2]
Arg no. 5 == [-Param3"@test.com']


An attacker could pass the -X parameter of sendmail to write out a
log file containing arbitrary PHP code.

This makes PHPMailer 5.2.18 and the then-latest 5.2.19 vulnerable to
Remote Code Execution despite the patch.
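The clash between the two escaping functions, traced end to end as an added example (Python; this is not the advisory's PoC and not PHPMailer code). escapeshellarg() and escapeshellcmd() are re-implemented here from their Linux behaviour in PHP's ext/standard/exec.c, the -f parameter is built the way PHPMailer 5.2.18 did, and shlex.split() stands in for the word-splitting /bin/sh performs on the command line that mail() hands it. The is_shell_safe() function mirrors the allow-list guard PHPMailer 5.2.20 introduced; the sendmail path and the benign address are assumptions.

```python
import shlex

# Metacharacters that PHP's escapeshellcmd() prefixes with a backslash on
# Linux (ext/standard/exec.c); quotes are handled separately below.
_CMD_META = set('#&;`|*?~<>^()[]{}$\\\n\xff')

# The $Sender value from the advisory's PoC, with the PHP string literal
# already unescaped:  "Attacker\' -Param2 -Param3"@test.com
POC_SENDER = r'"Attacker\' -Param2 -Param3"@test.com'


def escapeshellarg(s: str) -> str:
    """Model of PHP escapeshellarg() on Linux: wrap the value in single
    quotes and encode each embedded ' as '\\'' (close, escaped quote, reopen)."""
    return "'" + s.replace("'", "'\\''") + "'"


def escapeshellcmd(s: str) -> str:
    """Model of PHP escapeshellcmd() on Linux.  Every metacharacter gets a
    backslash.  A quote is left alone only when it opens or closes a pair of
    the same kind; PHP tracks one "pending closing quote" pointer, so an
    unpaired quote, or a quote of the other kind inside an open pair, is
    backslash-escaped."""
    out = []
    pending = -1                      # index of the quote expected to close the open pair
    for i, ch in enumerate(s):
        if ch in ("'", '"'):
            if pending == -1:
                pending = s.find(ch, i + 1)   # stays -1 when there is no partner
                if pending == -1:
                    out.append('\\')          # unpaired quote: escape it
            elif pending == i:
                pending = -1                  # closing quote of the open pair
            else:
                out.append('\\')              # other kind of quote inside an open pair
            out.append(ch)
        elif ch in _CMD_META:
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def sendmail_argv_5_2_18(sender: str, sendmail_path: str = '/usr/sbin/sendmail -t -i') -> list:
    """Argument vector sendmail receives under the 5.2.18 patch: PHPMailer
    builds '-f' . escapeshellarg($Sender), mail() runs escapeshellcmd() over
    that 5th parameter, appends it to sendmail_path and passes the line to
    /bin/sh -c.  shlex.split() in POSIX mode approximates the shell's word
    splitting (single quotes literal, backslash escapes outside them).
    sendmail_path is an assumed default."""
    params = '-f' + escapeshellarg(sender)
    return shlex.split(sendmail_path + ' ' + escapeshellcmd(params))


def is_shell_safe(s: str) -> bool:
    """Allow-list check modelled on the isShellSafe() guard PHPMailer 5.2.20
    added: the value must survive both escaping functions unchanged and
    consist only of alphanumerics and @ _ - .  (str.isalnum() is broader
    than C's ctype_alnum() for non-ASCII input.)"""
    if escapeshellcmd(s) != s or escapeshellarg(s) != "'" + s + "'":
        return False
    return all(c.isalnum() or c in '@_-.' for c in s)


def sendmail_argv_5_2_20(sender: str, sendmail_path: str = '/usr/sbin/sendmail -t -i'):
    """Hardened variant: -f is only passed for a shell-safe sender; otherwise
    return None, standing in for a mail() call with no 5th parameter at all."""
    if not is_shell_safe(sender):
        return None
    return shlex.split(sendmail_path + ' ' + escapeshellcmd('-f' + sender))


if __name__ == '__main__':
    for i, arg in enumerate(sendmail_argv_5_2_18(POC_SENDER)):
        print(f'Arg no. {i} == [{arg}]')
    print('5.2.20 still passes -f for the PoC sender?',
          sendmail_argv_5_2_20(POC_SENDER) is not None)
```

Running the block reproduces the six-argument list shown above: escapeshellarg() turns the attacker's `\'` into `\'\''`, escapeshellcmd() doubles both backslashes to `\\'\\''`, and the shell reads `\\` as one literal backslash, so the quote that follows it really closes the -f argument and the space in $Sender starts a new one. Note also that a quoted local part may legitimately contain spaces and backslash-escaped characters, so RFC-style address validation alone does not stop this value; that is why the 5.2.20 guard drops -f entirely for anything outside a small character allow-list.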


A working PoC is presented below.
 
