Zeta Components Mail Package Arbitrary Command Execution

vendor:

Mail

by:

Kay

8.1

CVSS

HIGH

Arbitrary Command Execution

CWE

Product Name: Mail

Affected Version From: <= 1.8.1

Affected Version To:

Patch Exists: YES

Related CWE: CVE-2017-15806

CPE: a:zeta_components:mail:1.8.1

Metasploit:

Other Scripts:

Platforms Tested:

2017

Zeta Components Mail Package Arbitrary Command Execution

It is possible to execute arbitrary shell commands on the remote server by exploiting a vulnerability in the Mail package for Zeta Components. The vulnerability exists in the send method of the ezcMailMtaTransport class. By injecting a payload in the mail body and assigning a specific email address, an attacker can pass extra parameters to the sendmail function, allowing the execution of arbitrary commands.

Mitigation:

Update to a version of Zeta Components Mail package that is higher than 1.8.1. Alternatively, ensure that the 'sendmail' binary does not allow the -X flag to be set.

Source

Exploit-DB raw data:

Vendor: Zeta Components

module: Mail, <= 1.8.1

Published: November 12nd, 2017

Reported by: Kay

CVE-2017-15806

Overview

Zeta Components are a high quality, general purpose library of loosly coupled components for development of applications based on PHP 5. An issue was discovered in the Mail package for Zeta Components. It’s possible to exploit this vulnerability to execute arbitrary shell commands on the remote server.

Detail

This vulnerability is on send method in ezcMailMtaTransport class.

In /src/transports/mta/mta_transport.php at line 73, send() method use PHP mail() method to deliver email, while PHP use sendmail as default MTA. When mail() method is called, the 5th parameter is $additionalParameters , this parameter can pass extra param to sendmail. As the code shown, it is assigned by this line:

$additionalParameters = "-f{$mail->returnPath->email}”;

If attacker assign email address like:

'kay_malwarebenchmark@outlook.com -X/var/www/html/cache/exploit.php'

and inject payload in mail body, sendmail will transfer log(-X) into /var/www/html/cache/exploit.php. The resulting file will contain the payload passed in the body of the email, that can then be accessed and run through domainname/cache/exploit.php.

To summary, it is possible if all of these conditions are true:

- you use the ezcMailMtaTransport
- your “sendmail” binary allows the -X flag to be set, which is not the case for exim4 and postfix, as they don’t support that argument
- your wwwroot is writable by the user your webserver is running at the input to use for the ezcMailAddress that is assigned to the returnPath property is not properly escaped

PoC

 use Mail\mail;

 $mail = new ezcMail();
 $mail->returnPath = new ezcMailAddress('kay_malwarebenchmark@outlook.com -X/var/www/html/cache/exploit.php');
 $mail->addTo( new ezcMailAddress('some one'));
 $mail->subject = "Mail PoC Exploit";
 $mail->body = new ezcMailText("<?php phpinfo(); ?>");
 $transport = new ezcMailMtaTransport();
 $transport->send($mail);

Remediation

Upgrade Mail to 1.8.2