Source: myhack58 (MYHACK58:62201782731), author 佚名 (Anonymous)
Published: Jan 10, 2017 - 12:00 a.m.

CVE-2016-10033: PHPMailer remote code execution vulnerability analysis - Vulnerability Warning - the black bar safety net


CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.975 High
  Percentile: 100.0%

PHP is an open source scripting language that can be embedded in HTML and is used for web development. PHPMailer, the library PHP sites use to send mail, has 9 million users and ships with many popular tools such as WordPress, Drupal and Joomla!. This Monday a high-risk security update was released to fix the PHPMailer remote code execution vulnerability CVE-2016-10033.
The critical flaw is that class.phpmailer.php does not handle user requests correctly; as a result, a remote attacker can execute code on a vulnerable server.
This vulnerability affects the 5.2.18 version of PHPMailer.
0x01 Analysis
When PHPMailer sends a mail, the normal flow is:
1. PHPMailer receives the user's request.
2. PHPMailer validates the user-submitted data.
3. PHPMailer passes the data to PHP's mail() function, which sends the message.
In the validation step, PHPMailer checks the user data with the following code:
![](/Article/UploadPic/2017-1/2017110172530572.png?www.myhack58.com)
This validation uses standard methods, such as PHP's built-in FILTER_VALIDATE_EMAIL filter and the HTML5 default e-mail input pattern.
![](/Article/UploadPic/2017-1/2017110172530273.png?www.myhack58.com)
In this example the $address value attacker -InjectedParam@example.com is rejected. However, these methods follow RFC 3696, which allows an e-mail address to contain quoted spaces, so the $address "attacker -InjectedParam"@example.com passes the filter.
Once validation is complete, PHPMailer passes the recipient address, subject, body, headers and sender address to PHP's mail() function, which then sends the message. The code is as follows.
![](/Article/UploadPic/2017-1/2017110172530695.png?www.myhack58.com)
The problem is that PHPMailer does not correctly sanitize this data before passing it to mail(). It simply returns:
![](/Article/UploadPic/2017-1/2017110172530826.png?www.myhack58.com)
and then passes $result to mail(). This is what makes the attack possible.
For example, when sending with a plain address:
![](/Article/UploadPic/2017-1/2017110172530603.png?www.myhack58.com)
mail() runs /usr/bin/sendmail with four arguments: "/usr/bin/sendmail", "-t", "-i" and "[email protected]".
However, an attacker can inject additional arguments by using a double quote ("). For example, with the following address:
![](/Article/UploadPic/2017-1/2017110172531285.png?www.myhack58.com)
the function that sends the message runs sendmail with six arguments: "/usr/bin/sendmail", "-t", "-i", "-fattacker", "-InjectedParam1" and "-InjectedParam2"@example.com".
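As an added illustration of the point above (not code from the article or from PHPMailer): an RFC-valid address can still carry characters that matter on a command line, so the sender needs a stricter check than the standard e-mail filter before it is formatted into the "-f" option. passesStandardCheck, buildSendmailParam and isSafeSender are hypothetical helper names, and the sample addresses are constructed from the article's -InjectedParam placeholders.

```php
<?php
// Added example (not PHPMailer's code): RFC-valid addresses can still carry
// shell-significant characters, so the sender needs a stricter check before it
// is formatted into the "-f" option that mail() appends to the sendmail command.
// Sample addresses are constructed from the article's -InjectedParam placeholders.

// The standard check the article shows: PHP's built-in e-mail filter, which
// follows the RFC grammar and therefore accepts a quoted local part with spaces.
function passesStandardCheck(string $address): bool
{
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Vulnerable pattern (hypothetical helper): the sender is dropped into "-f..."
// with no escaping and becomes mail()'s fifth parameter. PHP hands that string
// to the shell that launches sendmail, so the quotes and spaces inside it are
// interpreted there instead of staying part of one address (the article shows
// the result: six sendmail arguments instead of four).
function buildSendmailParam(string $sender): string
{
    return sprintf('-f%s', $sender);
}

// Hardened check (hypothetical helper): RFC-valid is necessary but not
// sufficient; additionally reject whitespace, quotes and backslashes, the
// characters that can split or terminate a single command-line argument.
function isSafeSender(string $address): bool
{
    if (!passesStandardCheck($address)) {
        return false;
    }
    return preg_match('/[\s"\'\\\\]/', $address) === 0;
}

$cases = [
    'attacker -InjectedParam@example.com',                     // bare space: not RFC-valid
    '"attacker -InjectedParam1 -InjectedParam2"@example.com',  // quoted spaces: RFC-valid
    'sender@example.com',                                      // ordinary sender
];

foreach ($cases as $address) {
    $standard = passesStandardCheck($address);
    printf("%-56s standard=%-6s safe=%s\n", $address,
        $standard ? 'pass' : 'reject', isSafeSender($address) ? 'pass' : 'reject');
    if ($standard) {
        // Everything that passed the standard check reaches the command line verbatim.
        echo '  fifth mail() parameter: ', buildSendmailParam($address), "\n";
    }
}
```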
0x02 Reproduction
To reproduce the attack, I set up a web server as follows:
![](/Article/UploadPic/2017-1/2017110172531469.png?www.myhack58.com)
The source code is as follows:
![](/Article/UploadPic/2017-1/2017110172531256.png?www.myhack58.com)
This form is similar to a website's feedback feature. An attacker can submit a malicious e-mail address:
![](/Article/UploadPic/2017-1/2017110172531465.png?www.myhack58.com)
The PHP code is placed in the Name and Message fields as follows:
![](/Article/UploadPic/2017-1/2017110172531179.png?www.myhack58.com)
![](/Article/UploadPic/2017-1/2017110172531802.png?www.myhack58.com)
Before the message is sent, the web server's document root looks like the listing below. index.php is the "vulnerable" page, which includes the PHPMailer files.
![](/Article/UploadPic/2017-1/2017110172531285.png?www.myhack58.com)
The payload is sent as shown below:
![](/Article/UploadPic/2017-1/2017110172531409.png?www.myhack58.com)
After the attack mail is sent, a new file, test.php, is created. It contains the raw data of the message that was sent, including our PHP code segment:
![](/Article/UploadPic/2017-1/2017110172531739.png?www.myhack58.com)
![](/Article/UploadPic/2017-1/2017110172531169.png?www.myhack58.com)
