
PHPMailer 5.2.20 Remote Code Execution (0day Patch Bypass/exploit)


Issue:

Independent research uncovered a critical vulnerability in PHPMailer that could be used by (unauthenticated) remote attackers to achieve arbitrary remote code execution in the context of the web server user and compromise the target web application. To exploit the vulnerability, an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and other features that send out emails with the help of a vulnerable version of the PHPMailer class.

The first patch for the vulnerability CVE-2016-10033 was incomplete. This advisory demonstrates the bypass of the patch. The bypass allows Remote Code Execution on all current versions (including 5.2.19). NOTE: The vulnerability / patch bypass was responsibly reported to the vendor in private on December 26th, and a new CVE was issued by MITRE on the same day. However, a potential bypass was publicly discussed on the oss-sec list. Holding the advisory further would serve no purpose, which is what triggered its earlier release.

The patch for the CVE-2016-10033 vulnerability added in PHPMailer 5.2.17 sanitizes the $Sender variable by applying escapeshellarg() escaping before the value is passed to the mail() function. It does not, however, take into account that escapeshellarg() escaping clashes with the internal escapeshellcmd() escaping that mail() performs on its 5th parameter. As a result, it is possible to inject an extra quote that does not get properly escaped and so break out of the escapeshellarg() protection applied by the patch in PHPMailer 5.2.17.
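Because the flaw sits in how the envelope sender is escaped on its way to mail(), an interim defensive measure is to refuse any sender value that is not a plain address before it reaches PHPMailer's Sender property. The following is an added example, not the advisory's or PHPMailer's own code; isSafeSenderAddress() and setSenderOrFail() are names assumed here, and the PHPMailer class is assumed to be loaded from class.phpmailer.php.

```php
<?php
// Added example: strict allow-list for the envelope sender (PHPMailer $Sender).
// Quotes, backslashes, whitespace and shell metacharacters are rejected outright,
// since those are the characters that the escapeshellarg()/escapeshellcmd()
// interaction described above fails to neutralise.

function isSafeSenderAddress(string $addr): bool
{
    // No surrounding whitespace, and keep within the RFC 5321 path limit.
    if ($addr !== trim($addr) || strlen($addr) > 254) {
        return false;
    }
    // Reject anything mail() might pass to a shell: whitespace, quotes,
    // backslashes, backticks and other metacharacters.
    if (preg_match('/[\s"\'\\\\`$|;&<>(){}\[\]*?!#~^]/', $addr)) {
        return false;
    }
    // Must be a syntactically valid address ...
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // ... with a conservative dot-atom local part and a plain domain.
    return (bool) preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $addr);
}

function setSenderOrFail(PHPMailer $mail, string $addr): void
{
    if (!isSafeSenderAddress($addr)) {
        // Log the hex form so a hostile value cannot mangle the log line.
        error_log('Rejected unsafe envelope sender: ' . bin2hex($addr));
        throw new InvalidArgumentException('Invalid sender address');
    }
    $mail->Sender = $addr;   // becomes the -f envelope sender given to mail()
    $mail->setFrom($addr);
}

// Constructed inputs for a stand-alone self-check (no PHPMailer needed).
$samples = [
    'alice@example.com'      => true,
    '"a b"@example.com'      => false,  // quoted local part
    "bob'@example.com"       => false,  // stray single quote
    'carol\\"@example.com'   => false,  // backslash followed by a quote
    'dave@example.com extra' => false,  // embedded whitespace
];
foreach ($samples as $addr => $expected) {
    $result = isSafeSenderAddress($addr) ? 'accepted' : 'rejected';
    echo str_pad($addr, 26) . $result . (isSafeSenderAddress($addr) === $expected ? '' : '  <-- MISMATCH') . PHP_EOL;
}
```

Run with `php filter.php`; every line should print without a MISMATCH marker, and any call to setSenderOrFail() with a rejected value throws before the address is assigned.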

Impact:

Successful exploitation could let remote attackers gain access to the target server in the context of the web server account, which could lead to a full compromise of the web application.

Systems Affected:

All PHPMailer versions below 5.2.20 are affected. Note that exploitation is not limited to systems with the Sendmail MTA.

Solution:

No official solution is available at the moment.

NOTE: The vendor has been working on a new patch since the private disclosure on 26th December, which should be published shortly.

Source: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
