ID CVE-2016-10045
Summary The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033.
References
Vulnerable Configurations
  • cpe:2.3:a:phpmailer_project:phpmailer:5.2.19
CVSS
Base: 7.5 (as of 26-01-2017 - 12:05)
Impact:
Exploitability:
CWE CWE-77
CAPEC
  • Cause Web Server Misclassification
    An attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handled by different server processes, misclassification may force the Web server to take unexpected action, or expected actions in an unexpected sequence. This may cause the server to exhaust resources, supply debug or system data to the attacker, or bind an attacker to a remote process. This type of vulnerability has been found in many widely used servers including IIS, Lotus Domino, and Orion. The attacker's job in this case is straightforward: standard communication protocols and methods are used, and malicious information is generally appended at the tail end of an otherwise legitimate request. The attack payload varies, but it could be special characters like a period or simply appending a tag that has a special meaning for operations on the server side, like .jsp for a Java application server. The essence of this attack is that the attacker deceives the server into executing functionality based on the name of the request, i.e. login.jsp, not the contents.
  • LDAP Injection
    An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.
  • Command Delimiters
    An attack of this type exploits a program's vulnerabilities that allow an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. A system that uses a filter or blacklist input validation, as opposed to whitelist validation, is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
  • File System Function Injection, Content Based
    An attack of this type exploits the host's trust in executing remote content including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attackers' program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.
  • Exploiting Multiple Input Interpretation Layers
    An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiple passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
  • Argument Injection
    An attacker changes the behavior or state of a targeted application by injecting data or command syntax through the target's use of non-validated and non-filtered arguments of exposed services or methods.
  • Manipulating Writeable Configuration Files
    Generally these are manually edited files that are not under the purview of the system administrators; any ability on the attacker's part to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
exploit-db via4
  • description PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - (AIO) 'PwnScriptum' Remote Code Execution. CVE-2016-10033,CVE-2...
    file exploits/php/webapps/40986.py
    id EDB-ID:40986
    last seen 2017-01-03
    modified 2017-01-02
    platform php
    port
    published 2017-01-02
    reporter Exploit-DB
    source https://www.exploit-db.com/download/40986/
    title PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - (AIO) 'PwnScriptum' Remote Code Execution
    type webapps
  • description PHPMailer < 5.2.20 - Remote Code Execution. CVE-2016-10033,CVE-2016-10045. Webapps exploit for PHP platform
    file exploits/php/webapps/40969.pl
    id EDB-ID:40969
    last seen 2016-12-28
    modified 2016-12-27
    platform php
    port
    published 2016-12-27
    reporter Exploit-DB
    source https://www.exploit-db.com/download/40969/
    title PHPMailer < 5.2.20 - Remote Code Execution
    type webapps
  • description PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution. CVE-2016-10033,CVE-2016-10034,CVE-2016-10045,CVE-2016-10074. Webapps exploit for PHP platform
    file exploits/php/webapps/42221.py
    id EDB-ID:42221
    last seen 2017-06-22
    modified 2017-06-21
    platform php
    port
    published 2017-06-21
    reporter Exploit-DB
    source https://www.exploit-db.com/download/42221/
    title PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution
    type webapps
metasploit via4
description PHPMailer versions up to and including 5.2.19 are affected by a vulnerability which can be leveraged by an attacker to write a file with partially controlled contents to an arbitrary location through injection of arguments that are passed to the sendmail binary. This module writes a payload to the web root of the webserver before then executing it with an HTTP request. The user running PHPMailer must have write access to the specified WEB_ROOT directory and successful exploitation can take a few minutes.
id MSF:EXPLOIT/MULTI/HTTP/PHPMAILER_ARG_INJECTION
last seen 2019-03-27
modified 2018-10-28
published 2016-12-29
reliability Manual
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/phpmailer_arg_injection.rb
title PHPMailer Sendmail Argument Injection
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-C3DC97E1E1.NASL
    description
      **Version 5.2.22** (January 5th 2017)
      - **SECURITY** Fix [CVE-2017-5223](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5223), local file disclosure vulnerability if content passed to `msgHTML()` is sourced from unfiltered user input. Reported by Yongxiang Li of Asiasecurity. The fix for this means that calls to `msgHTML()` without a `$basedir` will not import images with relative URLs, and relative URLs containing `..` will be ignored.
      - Add simple contact form example
      - Emoji in test content
      **Version 5.2.21** (December 28th 2016)
      - Fix missed number update in version file - no functional changes
      **Version 5.2.20** (December 28th 2016)
      - **SECURITY** Critical security update for CVE-2016-10045 please update now! Thanks to [Dawid Golunski](https://legalhackers.com) and Paul Buonopane (Zenexer).
      **Version 5.2.19** (December 26th 2016)
      - Minor cleanup
      **Version 5.2.18** (December 24th 2016)
      - **SECURITY** Critical security update for CVE-2016-10033 please update now! Thanks to [Dawid Golunski](https://legalhackers.com).
      - Add ability to extract the SMTP transaction ID from some common SMTP success messages
      - Minor documentation tweaks
      **Version 5.2.17** (December 9th 2016)
      - This is officially the last feature release of 5.2. Security fixes only from now on; use PHPMailer 6.0!
      - Allow DKIM private key to be provided as a string
      - Provide mechanism to allow overriding of boundary and message ID creation
      - Improve Brazilian Portuguese, Spanish, Swedish, Romanian, and German translations
      - PHP 7.1 support for Travis-CI
      - Fix some language codes
      - Add security notices
      - Improve DKIM compatibility in older PHP versions
      - Improve trapping and capture of SMTP connection errors
      - Improve passthrough of error levels for debug output
      - PHPDoc cleanup
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 96574
    published 2017-01-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96574
    title Fedora 24 : php-PHPMailer (2017-c3dc97e1e1)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_3C4693DECCF711E6A9A5B499BAEBFEAF.NASL
    description Legal Hackers reports: Independent research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application. To exploit the vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails with the help of a vulnerable version of the PHPMailer class. The first patch of the vulnerability CVE-2016-10033 was incomplete. This advisory demonstrates the bypass of the patch. The bypass allows carrying out Remote Code Execution on all current versions (including 5.2.19).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 96172
    published 2016-12-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96172
    title FreeBSD : phpmailer -- Remote Code Execution (3c4693de-ccf7-11e6-a9a5-b499baebfeaf)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL73926196.NASL
    description The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-10033. (CVE-2016-10045)
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 100280
    published 2017-05-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100280
    title F5 Networks BIG-IP : PHPMailer vulnerability (K73926196)
  • NASL family CGI abuses
    NASL id WORDPRESS_4_7_1.NASL
    description According to its self-reported version number, the WordPress application running on the remote web server is 4.7.x prior to 4.7.1. It is, therefore, affected by multiple vulnerabilities:
      - A remote code execution vulnerability exists in the PHPMailer component in the class.phpmailer.php script due to improper handling of sender email addresses. An unauthenticated, remote attacker can exploit this to pass extra arguments to the sendmail binary, potentially allowing the attacker to execute arbitrary code. (CVE-2016-10033, CVE-2016-10045)
      - An information disclosure vulnerability exists in the REST API implementation due to a failure to properly restrict listings of post authors. An unauthenticated, remote attacker can exploit this, via a wp-json/wp/v2/users request, to disclose sensitive information. (CVE-2017-5487)
      - Multiple cross-site scripting (XSS) vulnerabilities exist in the update-core.php script due to improper validation of input to the plugin name or version header. An unauthenticated, remote attacker can exploit these, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2017-5488)
      - A cross-site request forgery (XSRF) vulnerability exists due to improper handling of uploaded Flash files. An unauthenticated, remote attacker can exploit this, via a specially crafted Flash file, to hijack the authentication of users. (CVE-2017-5489)
      - A cross-site scripting (XSS) vulnerability exists in the class-wp-theme.php script due to improper validation of input when handling theme name fallback. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2017-5490)
      - A security bypass vulnerability exists in the wp-mail.php script due to improper validation of mail server names. An unauthenticated, remote attacker can exploit this, via a spoofed mail server with the 'mail.example.com' name, to bypass intended security restrictions. (CVE-2017-5491)
      - A cross-site request forgery (XSRF) vulnerability exists in the widget-editing accessibility-mode feature due to a failure to require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions for HTTP requests. An unauthenticated, remote attacker can exploit this, by convincing a user to follow a specially crafted URL, to hijack the authentication of users or cause them to edit widgets. (CVE-2017-5492)
      - A security bypass vulnerability exists in the ms-functions.php script due to the use of weak cryptographic security for multisite activation keys. An unauthenticated, remote attacker can exploit this, via a specially crafted site sign-up or user sign-up, to bypass intended access restrictions. (CVE-2017-5493)
      Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 96606
    published 2017-01-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96606
    title WordPress 4.7.x < 4.7.1 Multiple Vulnerabilities
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_F72D98D10B7E11E7970F002590263BF5.NASL
    description Marina Glancy reports:
      - MSA-17-0001: System file inclusion when adding own preset file in Boost theme
      - MSA-17-0002: Incorrect sanitation of attributes in forums
      - MSA-17-0003: PHPMailer vulnerability in no-reply address
      - MSA-17-0004: XSS in assignment submission page
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 97812
    published 2017-03-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97812
    title FreeBSD : moodle -- multiple vulnerabilities (f72d98d1-0b7e-11e7-970f-002590263bf5)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-6941D25875.NASL
    description
      **Version 5.2.21** (December 28th 2016)
      - Fix missed number update in version file - no functional changes
      **Version 5.2.20** (December 28th 2016)
      - **SECURITY** Critical security update for CVE-2016-10045 please update now! Thanks to [Dawid Golunski](https://legalhackers.com) and Paul Buonopane (Zenexer).
      **Version 5.2.19** (December 26th 2016)
      - Minor cleanup
      **Version 5.2.18** (December 24th 2016)
      - **SECURITY** Critical security update for CVE-2016-10033 please update now! Thanks to [Dawid Golunski](https://legalhackers.com).
      - Add ability to extract the SMTP transaction ID from some common SMTP success messages
      - Minor documentation tweaks
      **Version 5.2.17** (December 9th 2016)
      - This is officially the last feature release of 5.2. Security fixes only from now on; use PHPMailer 6.0!
      - Allow DKIM private key to be provided as a string
      - Provide mechanism to allow overriding of boundary and message ID creation
      - Improve Brazilian Portuguese, Spanish, Swedish, Romanian, and German translations
      - PHP 7.1 support for Travis-CI
      - Fix some language codes
      - Add security notices
      - Improve DKIM compatibility in older PHP versions
      - Improve trapping and capture of SMTP connection errors
      - Improve passthrough of error levels for debug output
      - PHPDoc cleanup
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 96319
    published 2017-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96319
    title Fedora 25 : php-PHPMailer (2016-6941d25875)
packetstorm via4
refmap via4
bid 95130
bugtraq 20161228 PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)
confirm
exploit-db
  • 40969
  • 40986
  • 42221
fulldisc 20161227 PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)
misc
mlist [oss-security] 20161228 Re: PHPMailer < 5.2.18 Remote Code Execution [updated advisory] [CVE-2016-10033]
sectrack 1037533
the hacker news via4
id THN:BD003AAB715C2448BF92B78197DE160C
last seen 2018-01-27
modified 2017-01-05
published 2017-01-02
reporter Swati Khandelwal
source https://thehackernews.com/2017/01/phpmailer-swiftmailer-zendmail.html
title Critical Updates — RCE Flaws Found in SwiftMailer, PhpMailer and ZendMail
Last major update 25-01-2017 - 21:59
Published 30-12-2016 - 14:59
Last modified 09-10-2018 - 15:59