Hacking

Critical RCE vulnerabilities affect SwiftMailer, PhpMailer and ZendMail

The security expert Dawid Golunski from Legal Hackers has reported critical RCE flaws in the popular PHP libraries SwiftMailer, PhpMailer and ZendMail.

The indomitable Golunski managed to hack also this last patched version of PHPMailer and he discovered a vulnerability tracked as CVE-2016-10045.

“The first patch of the vulnerability CVE-2016-10033 was incomplete. This advisory demonstrates the bypass of the patch. The bypass allows to carry out Remote Code Execution on all current versions (including 5.2.19).” states the security advisory.

“The patch for CVE-2016-10033 vulnerability added in PHPMailer 5.2.17 sanitizes the $Sender variable by applying escapeshellarg() escaping before the value is passed to mail() function.

It does not however take into account the clashing of the escapeshellarg() function with internal escaping with escapeshellcmd() performed by mail() function on the 5th parameter.

As a result it is possible to inject an extra quote that does not get properly escaped and break out of the escapeshellarg() protection applied by the patch in PHPMailer 5.2.17.”

Once again millions of websites and web apps are open to cyber attacks. Web services running on WordPress, Drupal, 1CRM, SugarCRM, Yii, and Joomla, are potentially exposed to remote code execution attacks.

PHPMailer issued a new update PHPMailer version 5.2.20, so check that your version is the last one.

The bad news for website administrators is that similar issues were discovered in other two PHP libraries, SwiftMailer, and ZendMail. Both libraries are affected by remote code execution vulnerabilities.

SwiftMailer is a popular PHP library widely adopted in open-source projects, including programming frameworks like Yii2, Laravel, Symfony that allow sending emails over SMTP.

The flaw in the SwiftMailer, tracked as CVE-2016-10074, can be exploited by an attacker to compromise web site components that leverage on the library to send the email. Contact/registration forms, password email reset forms, and any other component of a website that uses the SwiftMailer class is potentially affected.

A remote attacker can trigger the flaw to execute arbitrary code in the context of the web server and gain control over the server.

The SwiftMailer flaw affects all versions of the library including the last one.

Golunski reported the vulnerability to the SwiftMailer development team who promptly issued the patched version 5.4.5.

“The mail transport (Swift_Transport_MailTransport) was vulnerable to passing arbitrary shell arguments if the “From,” “ReturnPath” or “Sender” header came from a non-trusted source, potentially allowing Remote Code Execution,” reads the changelog for the patched version of SwiftMailer.

As anticipated also the ZendMail is affected by a similar vulnerability tracked as CVE-2016-10034. ZendMail framework is widely adopted, it accounts for more than 95 Million installations.

The flaw in ZendMail can also be exploited to target web site components that use the ZendMail framework, such as contact/registration forms and password email reset forms.

Also in this case, the exploitation of the flaw could allow remote attackers to executed code in the context of the web server and compromise the target web application.

Golunski reported the issue to ZendMail who issued a patched version.

“When using the zend-mail component to send email via the Zend\Mail\Transport\Sendmail transport, a malicious user may be able to inject arbitrary parameters to the system sendmail program,” ZendMail wrote in a blog post.

“The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability. 

The following example demonstrates injecting additional parameters to the sendmail binary via the From address:”

Golunski has released a proof-of-concept video demonstration that will show all the three attacks in action.

Golunski promised a white-paper on the issues he has discovered, meantime he published the website PwnScriptum that recap all the info on the vulnerabilities he discovered.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Critical RCE, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

2 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

9 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

20 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

1 day ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

This website uses cookies.