oss-sec mailing list archives

Re: PHPMailer < 5.2.18 Remote Code Execution [CVE-2016-10033]


From: Florian Pritz <bluewind () xinu at>
Date: Tue, 27 Dec 2016 12:02:43 +0100

On 27.12.2016 01:10, Tracy Reed wrote:
> Particularly since this is command
> injection which is precisely what SELinux is good at limiting (as
> opposed to SQL injection).

This is not strictly command injection. It is more similar to an
unrestricted file upload vulnerability. The problem is that you can use
the sendmail -X option to write a log file of the SMTP dialog (with an
arbitrary path) that then contains e.g. php code which you can execute
via a second request. php itself actually prevents you from performing
command injection because according to the documentation of the mail()
function, the arguments are wrapped in escapeshellcmd() internally. It
just doesn't prevent you from passing arbitrary arguments.

The attack is described here:
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/

Also note that postfix' sendmail implementation does not support the -X
option. Additionally I believe there are no other options in postfix'
sendmail that are vulnerable to this issue, but feel free to verify this.

Florian
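An added illustration of the point above, not code from the thread or from PHPMailer: it shows why escapeshellcmd() leaves argument boundaries intact, and a strict validation check for the sender value passed to mail()'s additional parameters (function names and sample inputs are constructed for this example).

```php
<?php
// Added example, not code from the thread or from PHPMailer.

// escapeshellcmd() escapes shell metacharacters such as ; | & ` but leaves
// spaces intact, so /bin/sh still splits the result into several argv
// entries before sendmail sees them. This is why mail()'s internal
// escaping stops command injection but not extra sendmail options.
function escaped_additional_params(string $sender): string
{
    return escapeshellcmd('-f' . $sender);
}

// Defensive check: accept only an address that is syntactically valid and
// drawn from a tight character set, so no whitespace or option-looking
// text can reach sendmail's argument vector. Validation is used instead of
// escapeshellarg() because mail() applies escapeshellcmd() again on top of
// whatever is passed, which can break the quoting escapeshellarg() adds.
function sender_param(string $sender): ?string
{
    if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $sender)) {
        return null;
    }
    return '-f' . $sender;
}

// Constructed sample inputs.
$good = 'alice@example.com';
$bad  = 'alice@example.com extra words';   // contains whitespace

var_dump(escaped_additional_params($bad));   // the spaces survive escaping
var_dump(sender_param($good));               // accepted, returned as one -f argument
var_dump(sender_param($bad));                // rejected before reaching mail()
```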


