PHPMailer Remote Code Execution (CVE-2016-10033)

An advisory has been published on a critical 0-day unauthenticated RCE (Remote Code Execution) vulnerability in the “PHPMailer” system. PHPMailer is a popular code for sending email from PHP and probably the world’s most popular one according to its developers.

According to the researcher who discovered the flaw, by using this vulnerability an attacker could target common website components such as contact/feedback forms, registration forms, password email resets and others that send out emails.

The vulnerability details were not disclosed in the advisory, however that could be referred from the patched source code. A proof of concept exploit has been already published since.

UPDATE 1: Vulnerability details and the exploit were disclosed by the researcher

Figure 1: Fix in the source code by sanitizing the “Sender” parameter (right side of the figure)

Without disclosing the full details of the issue, the vulnerability allows writing an arbitrary content to an arbitrary file path on the server using a specially crafted sender’s email value. Using this flaw an attacker is able to upload a “Webshell” - malicious PHP file implementing a backdoor – to take control over the server, while the control level depends on the permissions of the running application.

 

Mitigation with Big-IP ASM

As using this vulnerability attacker will try to upload a malicious PHP code, the vulnerability will be detected by many existing proactive “Server Side Code Injection” attack signatures.

While exploiting the issue in PHPMailer, by submitting special crafted email address and the malicious PHP code, attacker will encounter ASM “Blocking Page” due to detected Attack Signatures or Meta-Characters.

 

Figure 2: Request with the exploit gets a blocking page in the response

Figure 3: Generic PHP code Injection attempt detected (Signature ID 200004025)

Figure 4: PHP code injection attempt including “system” command detected (Signature ID 200004199)

Figure 5: PHP code injection attempt including “$_GET” array detected (Signature ID 200004023) 

Figure 6: Special meta-characters detected

 
Published Dec 27, 2016
Version 1.0

Was this article helpful?

No CommentsBe the first to comment