Re: PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)

[Solar Designer <solar () openwall com>]

On Wed, Dec 28, 2016 at 03:03:39AM -0200, Dawid Golunski wrote:
> PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit
> (CVE-2016-10045) (Bypass for the CVE-2016-1033 patch)

Marcus has just released 5.2.21 with a fix for CVE-2016-10045.  The fix
stops using escapeshellarg()'s result, and instead sanity-checks the
string's characters:

+            // All other characters have a special meaning in at least one common shell, including = and +.
+            // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
+            // Note that this does permit non-Latin alphanumeric characters based on the current locale.
+            if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
+                return false;

I think the use current locale is weird (an explicit check for
[a-zA-Z0-9] would have been more appropriate), but overall hopefully
this is a working fix now.

I suggest also sanity-checking the string length, for good measure.
Maybe in another update.

> This was reported responsibly to the vendor & assigned a CVEID on the
> 26th of December.
> The vendor has been working on a new patch which would fix the problem but
> not break the RFC too badly. The patch should be published very soon.
>
> I'm releasing this as a 0day without the new patch available publicly
> as a potential bypass was publicly discussed on oss-sec with Solar
> Designer in the PHPMailer < 5.2.18 thread, so holding the advisory
> further would serve no purpose.

Yeah.  I did think for a moment before posting in here yesterday, but
for a number of reasons chose to go ahead with the public discussion.

Alexander