This presentation is from a previous talk of mine at Null Mumbai. It explains PHPMailer remote code execution with regard to CVE-2016-10033 and the bypass of the initial patch, i.e. CVE-2016-10045.
2. PHPMailer
• Most popular code for sending email from PHP!
• Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Joomla! and many more
• CVE-2016-10033
• Affected versions: < 5.2.18
• Exploit variants available in Bash, PHP & Python
3. Where to look?
• To exploit the vulnerability an attacker could target common website components such as:
• Contact/feedback forms
• Registration forms
• Password reset emails
• And others that send out emails with the help of a vulnerable version of the 'PHPMailer' class
4. VULNERABLE CODE
protected function mailSend($header, $body)
{
    $toArr = array();
    foreach ($this->to as $toAddr) {
        $toArr[] = $this->addrFormat($toAddr);
    }
    $to = implode(', ', $toArr);
    $params = null;
    // this sets the smtp envelope sender which gets turned into a
    // return-path header by the receiver
    if (!empty($this->Sender)) {
        // $this->Sender is placed unescaped into the extra parameter
        // string that mail() hands to the sendmail binary
        $params = sprintf('-f%s', $this->Sender);
    }
    if ($this->Sender != '' and !ini_get('safe_mode')) {
        $old_from = ini_get('sendmail_from');
        ini_set('sendmail_from', $this->Sender);
    }
    $result = false;
    if ($this->SingleTo and count($toArr) > 1) {
        foreach ($toArr as $toAddr) {
            $result = $this->mailPassthru($toAddr, $this->Subject, $body, $header, $params);
        }
    }
    // remainder of the method not shown on the slide
}
5. What's next
• $params = sprintf('-f%s', $this->Sender); // function.mail.php (PHP manual entry for mail())
• public function setFrom($address, $name = '', $auto = true) // sender address verification
• RFC 3696 specification: allows an email address to contain spaces (in a quoted local part)
  "Attacker Crafted Command As Email"@fakeemail.com
• $result = $this->mailPassthru($toAddr, $this->Subject, $body, $header, $params);
10. CVE-2016-10045
PATCH
• Sanitize $Sender > apply escapeshellarg(): escaping before the value is passed to mail()
• escapeshellarg() / escapeshellcmd()
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
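Slide 5 shows the Sender value reaching mail()'s additional-parameters argument through sprintf('-f%s', ...), and slide 10 shows the first patch trying to make that safe with escapeshellarg(). The PHP below is an added example, not code from the slides or from PHPMailer: it takes the defensive approach of refusing any Sender value that shell escaping would change, instead of escaping it and forwarding it. The function names isShellSafeSender and buildSenderParam and the SAMPLE_SENDERS list are this example's own; the sample addresses are constructed.

```php
<?php
// Added example (not PHPMailer's own code): decide whether a Sender value is
// safe to embed in the sendmail "-f" parameter that mail() passes to the shell.
// isShellSafeSender, buildSenderParam and SAMPLE_SENDERS are names invented here.

/**
 * Returns true only if $sender is an address that shell escaping cannot
 * change: escapeshellcmd() and escapeshellarg() must leave it untouched,
 * and every character must be alphanumeric or one of "@_-.".
 */
function isShellSafeSender(string $sender): bool
{
    // A quoted local part ("a b"@example.com) is RFC 3696-valid but is
    // rejected here: quotes, spaces and backslashes are shell metacharacters.
    if (escapeshellcmd($sender) !== $sender) {
        return false;
    }
    // escapeshellarg() wraps in single quotes on Unix, double quotes on Windows;
    // either way the inner value must be byte-for-byte the original.
    if (!in_array(escapeshellarg($sender), ["'$sender'", "\"$sender\""], true)) {
        return false;
    }
    // Strict allowlist: alnum plus @ _ - .  (rejects = + ' " \ and whitespace)
    return preg_match('/^[A-Za-z0-9@_.-]+$/', $sender) === 1;
}

/**
 * Builds the extra parameter string for mail(). An unsafe sender yields no
 * -f parameter at all rather than an escaped one.
 */
function buildSenderParam(string $sender): ?string
{
    return isShellSafeSender($sender) ? sprintf('-f%s', $sender) : null;
}

// Constructed sample inputs for demonstration.
const SAMPLE_SENDERS = [
    'alice@example.com',          // plain address: safe
    '"alice smith"@example.com',  // quoted local part with spaces: rejected
    'alice+tag@example.com',      // '+' is outside the allowlist: rejected
];

foreach (SAMPLE_SENDERS as $s) {
    $param = buildSenderParam($s);
    printf("%-30s -> %s\n", $s, $param === null ? '(no -f parameter)' : $param);
}
```

Run with php, the script prints a -f parameter only for the first address. The quoted local part with spaces, which RFC 3696 permits and an address validator may accept, gets no parameter at all instead of an escaped one, so the question of how escapeshellarg() and escapeshellcmd() interact never arises for it. The allowlist is deliberately narrower than RFC 3696, which is why the '+' address is also dropped; whether that trade-off is acceptable depends on the application.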