oss-sec mailing list archives
Re: PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)
From: Solar Designer <solar () openwall com>
Date: Wed, 28 Dec 2016 17:58:28 +0100
On Wed, Dec 28, 2016 at 03:03:39AM -0200, Dawid Golunski wrote:
PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass for the CVE-2016-1033 patch)
Marcus has just released 5.2.21 with a fix for CVE-2016-10045. The fix stops using escapeshellarg()'s result, and instead sanity-checks the string's characters: + // All other characters have a special meaning in at least one common shell, including = and +. + // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here. + // Note that this does permit non-Latin alphanumeric characters based on the current locale. + if (!ctype_alnum($c) && strpos('@_-.', $c) === false) { + return false; I think the use current locale is weird (an explicit check for [a-zA-Z0-9] would have been more appropriate), but overall hopefully this is a working fix now. I suggest also sanity-checking the string length, for good measure. Maybe in another update.
This was reported responsibly to the vendor & assigned a CVEID on the 26th of December. The vendor has been working on a new patch which would fix the problem but not break the RFC too badly. The patch should be published very soon. I'm releasing this as a 0day without the new patch available publicly as a potential bypass was publicly discussed on oss-sec with Solar Designer in the PHPMailer < 5.2.18 thread, so holding the advisory further would serve no purpose.
Yeah. I did think for a moment before posting in here yesterday, but for a number of reasons chose to go ahead with the public discussion. Alexander
Current thread:
- PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch) Dawid Golunski (Dec 27)
- Re: PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch) Solar Designer (Dec 28)