oss-sec mailing list archives
Re: [white-paper] Pwning PHP mail() function For Fun And RCE (ver 1.0)
From: Dawid Golunski <dawid () legalhackers com>
Date: Sun, 7 May 2017 17:32:38 -0300
Hi Kash,

On Sun, May 7, 2017 at 1:12 PM, Kash Pande <kash () tripleback net> wrote:

> On 03/05/17 04:32 PM, Dawid Golunski wrote:
>> Here's a paper I wrote back in December. It was originally meant to go into Phrack but the team wanted a more general article on parameter injection as mail() was supposedly an outdated technique. Meanwhile, the RCE-chain continues :) So I decided to post it as it is without changing it as mail() injection deserves a separate article imho.
>> https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html
>
> This article purposely uses a litany of poor programming practices to expose an alleged exploit in PHP mail(). I'd like to see the same exploit, without assuming the developer on the software had no idea what they're doing (passing non-sanitized variables to functions).
In my article some of the early examples are simplified to demonstrate the general concept in an easy way. Try digging a bit deeper and maybe do some research too... Note the paragraph:

"It presents several new exploitation vectors and bypass techniques on the PHP mail() function that were discovered and recently released by the author of this white-paper in the course of finding multiple critical vulnerabilities in major PHP e-mail sending libraries (PHPMailer, Zend Framework / Zend-mail, SwiftMailer) that are used by millions of web applications/projects (e.g. Wordpress, Drupal, Joomla etc.) and PHP programming frameworks (Zend, Yii2, Symphony, Laravel etc.)"

These are all real-world examples of vulns that I discovered and that you can read up on here:

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html
https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html
https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html

These are pretty good examples I think. If creators of major email sending libraries / email client software have made the mistakes that have stayed hidden for years, there is a chance others have made it/will make it too. Contrary to what you seem to assume here, mail() function parameters are quite tricky to use properly. Note my CVE-2016-10045 exploit which was a bypass of the CVE-2016-10033 patch applied to the phpmailer library. There is also a whole write-up on the subject/problem by a developer that emerged after the phpmailer vulnerability I disclosed:
https://gist.github.com/Zenexer/40d02da5e07f151adeaeeaa11af9ab36
> As well, you noted in your own article that this 'discovery' was first published in 2011 by someone else.
Yes, as explained, with only 2 Sendmail techniques (file write with the -X parameter / file read with the -C parameter) known back then, which are not really applicable these days as Sendmail is pretty much extinct/not shipped with any distro by default, and -X required a writable upload directory / known path etc.
http://www.securityspace.com/s_survey/data/man.201703/mxsurvey.html
>> I reveal some exim code-execution vectors in there that should change the whole game slightly :)
>
> Not really, because it still relies on unfiltered input.
Yes, you have to have a vulnerability to exploit it ;) It's like saying 'ret2libc is a useless technique because it still relies on a buffer overflow, format string, X... vulnerability' :) The exim vector I presented in the article will help a lot in the exploitation of these kinds of vulns as exim is widely used, and the vector doesn't require you to know file paths, plus it is good for bypassing filters. A good example of the exim vector is my recently disclosed Wordpress RCE exploit (which would likely not be possible if it wasn't for the exim vector):
https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html

Hope this helps / explains some things better and happy hacking.

Regards,
Dawid Golunski
https://legalhackers.com
https://ExploitBox.io
t: @dawid_golunski
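As an added illustration of the point in this thread that mail()'s parameters are tricky to use safely (example code written for this archive page, not from Dawid's paper or from PHPMailer/SwiftMailer/Zend-mail): the 5th argument of mail() reaches the local MTA binary as command-line options, so a sender address that is interpolated into "-f..." must not be able to carry extra tokens. The hypothetical helpers below, is_safe_sender() and safe_mail(), refuse any address that is not a conservative character whitelist instead of trying to escape it, since escaping-based patches are what the CVE-2016-10045 bypass mentioned above defeated.

```php
<?php
// Added example, not code from the paper or the libraries it names.
// Assumed helper names: is_safe_sender(), safe_mail().

// True only for a plain address drawn from a conservative whitelist:
// no whitespace, no quotes, no leading '-', no shell metacharacters.
// This prevents the value from being read as an MTA option (e.g. -X, -C)
// when PHP hands it to the sendmail-compatible binary.
function is_safe_sender(string $addr): bool
{
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // FILTER_VALIDATE_EMAIL still accepts quoted local parts, which can
    // contain spaces; the strict pattern below rejects those as well.
    return preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $addr) === 1;
}

// Wrapper around mail() that validates both addresses before they are
// used either in headers or in the additional_parameters argument.
// Returns false without calling mail() when validation fails.
function safe_mail(string $to, string $subject, string $body, string $from): bool
{
    if (!is_safe_sender($to) || !is_safe_sender($from)) {
        return false; // reject rather than attempt to "clean" the value
    }
    $headers = 'From: ' . $from . "\r\n";
    // $from has passed the whitelist, so "-f" cannot be followed by a
    // second option; no escapeshellarg() is layered on top on purpose.
    return mail($to, $subject, $body, $headers, '-f' . $from);
}

// Constructed inputs: the second one appends a Sendmail -X option of the
// kind the thread discusses and must be rejected before mail() is reached.
foreach (['alice@example.com', 'alice@example.com -X/tmp/out', '-fevil@example.com'] as $candidate) {
    printf("%-32s %s\n", $candidate, is_safe_sender($candidate) ? 'accepted' : 'rejected');
}
```

A validating check like this belongs on every value that ends up in the 5th argument of mail(), not only on the From address, and the same whitelist approach applies to addresses passed to an MTA-wrapping library.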