oss-sec mailing list archives

PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)

From: Dawid Golunski <dawid () legalhackers com>
Date: Wed, 28 Dec 2016 03:03:39 -0200

PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit
(CVE-2016-10045) (Bypass for the CVE-2016-1033 patch)

Discovered by Dawid Golunski (@dawid_golunski)
https://legalhackers.com

Desc:

I discovered that the current PHPMailer versions (< 5.2.20) were still
vulnerable to RCE as it is possible to bypass the currently available
patch.

This was reported responsibly to the vendor & assigned a CVEID on the
26th of December.
The vendor has been working on a new patch which would fix the problem but
not break the RFC too badly. The patch should be published very soon.

I'm releasing this as a 0day without the new patch available publicly
as a potential bypass was publicly discussed on oss-sec with Solar
Designer in the PHPMailer < 5.2.18 thread, so holding the advisory
further would serve no purpose.


Current advisory URL:

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html

More updates soon at:

https://twitter.com/dawid_golunski


-- 
Regards,
Dawid Golunski
https://legalhackers.com
t: @dawid_golunski

Attachment: PHPMailer-fix-bypass.txt
Description:

Current thread:

PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch) Dawid Golunski (Dec 27)
- Re: PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch) Solar Designer (Dec 28)
  - Re: PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch) Dawid Golunski (Dec 29)