PwnScriptum

The RCE vulnerability in multiple e-mail libraries


PHPMailer - Remote Code Execution

CVE-2016-10033

PHPMailer - "Probably the world's most popular code for sending email from PHP! Used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more"

A critical vulnerability has been discovered in PHPMailer, affecting all versions up to and including 5.2.17, by security researcher Dawid Golunski of Legal Hackers. The details are in the security advisory issued by the researcher.

The vulnerability could potentially allow (unauthenticated) remote attackers to execute arbitrary code and gain unauthorised access to a target web server hosting a web application which uses a vulnerable version of PHPMailer. The flaw lies in how the envelope sender address is handed to the local sendmail binary as the -f parameter of PHP's mail() function, which starts sendmail through a shell: a crafted sender address that still passes RFC-style e-mail validation (a quoted local-part may legitimately contain spaces) can inject additional sendmail command-line options. To exploit the vulnerability attackers could target common website features such as contact forms, password reset, registration forms and others that send emails by using one of the affected versions of PHPMailer.

Security fix / Solution

The vendor's first critical security release, PHPMailer 5.2.18, turned out to be incomplete (see CVE-2016-10045 below). Users should urgently update to 5.2.20 or later.

PoC Exploit

PHPMailer Simple PoC exploit

CVE-2016-10045

The 5.2.18 fix wrapped the sender address in escapeshellarg(), but PHP's mail() additionally runs escapeshellcmd() over the same parameter before handing it to the shell, and the two escaping schemes do not compose safely: a sender containing a single quote still breaks out of the escaped argument into extra sendmail arguments. See the new CVE-2016-10045 advisory.
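The following is an added illustration of the two PHPMailer code paths described above (the bare "-f" parameter of CVE-2016-10033 and the escapeshellarg() fix of CVE-2016-10045); it is not PHPMailer's code and not the researcher's PoC. It is written in Python because the whole bug lives in string transformations and shell tokenization: the two helpers re-implement the documented behaviour of PHP's escapeshellcmd() and escapeshellarg() on non-Windows builds, shlex.split() stands in for the /bin/sh -c that PHP's popen() uses to start sendmail, and the sendmail_path default is assumed to be PHP's stock "/usr/sbin/sendmail -t -i". The sender strings are constructed for the demo; "-C/tmp/attacker.cf" is a placeholder for whatever sendmail option an attacker would choose to inject. The allowlist check at the end is the direction the 5.2.20 fix itself took: refuse anything as an envelope sender that either escaping function would change or that contains characters outside alphanumerics plus "@_.-".

```python
"""Sendmail argument injection through PHP's mail(), modelled in Python.

Added illustration, not PHPMailer's code. php_escapeshellcmd()/php_escapeshellarg()
re-implement the documented non-Windows behaviour of the PHP functions of the
same name; shlex.split() plays the role of /bin/sh -c. All inputs are constructed.
"""
import re
import shlex

SENDMAIL_PATH = "/usr/sbin/sendmail -t -i"   # PHP's default sendmail_path (assumed)

# Characters escapeshellcmd() always prefixes with a backslash (backslash,
# newline and 0xFF included). Quotes are handled separately below.
_CMD_SPECIAL = set("#&;`|*?~<>^()[]{}$\\\n\xff")


def php_escapeshellcmd(s: str) -> str:
    """escapeshellcmd(): a quote is escaped only if it has no partner later in
    the string; PHP remembers a single open quote at a time, exactly as here."""
    out = []
    partner = -1                                   # index of the quote that will close the open one
    for i, ch in enumerate(s):
        if ch in "'\"":
            nxt = s.find(ch, i + 1) if partner < 0 else -1
            if nxt >= 0:
                partner = nxt                      # opening quote with a partner: left as-is
            elif partner >= 0 and s[partner] == ch:
                partner = -1                       # the partner itself: left as-is
            else:
                out.append("\\")                   # unpaired quote: escaped
            out.append(ch)
        elif ch in _CMD_SPECIAL:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def php_escapeshellarg(s: str) -> str:
    """escapeshellarg(): wrap in single quotes, turning each embedded ' into '\\''."""
    return "'" + s.replace("'", "'\\''") + "'"


def sendmail_argv(sender: str, use_escapeshellarg: bool) -> list:
    """argv that /bin/sh hands to sendmail for a given envelope sender.

    use_escapeshellarg=False mirrors PHPMailer <= 5.2.17 (bare "-f$sender"),
    True mirrors the 5.2.18 fix ("-f" . escapeshellarg($sender)). Either way
    PHP's mail() runs escapeshellcmd() over the extra parameters before
    appending them to sendmail_path and handing the line to the shell.
    """
    extra = "-f" + (php_escapeshellarg(sender) if use_escapeshellarg else sender)
    command_line = SENDMAIL_PATH + " " + php_escapeshellcmd(extra)
    return shlex.split(command_line)


# Allowlist for an envelope sender that may go anywhere near a shell:
# alphanumerics plus "@_.-" only, and untouched by both escaping functions.
_SAFE_SENDER = re.compile(r"[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+")


def is_shell_safe_sender(addr: str) -> bool:
    """True only for addresses that no common shell can interpret."""
    if php_escapeshellcmd(addr) != addr or php_escapeshellarg(addr) != "'" + addr + "'":
        return False
    return _SAFE_SENDER.fullmatch(addr) is not None


# Constructed inputs. Both injected forms are syntactically valid RFC 5321
# addresses: a quoted local-part may hold spaces and backslash-escaped quotes,
# which is why an RFC-faithful e-mail validator lets them through.
NORMAL_SENDER = "alice@example.com"
DQ_SENDER = '"alice\\" -C/tmp/attacker.cf bob"@example.com'    # splits the bare "-f%s" path
SQ_SENDER = "\"alice\\' -C/tmp/attacker.cf bob\"@example.com"  # splits the escapeshellarg() path


if __name__ == "__main__":
    for label, sender in (("normal", NORMAL_SENDER), ("dq", DQ_SENDER), ("sq", SQ_SENDER)):
        for fixed in (False, True):
            argv = sendmail_argv(sender, fixed)
            print(f"{label:6} escapeshellarg={str(fixed):5} argc={len(argv)} "
                  f"allowlist={is_shell_safe_sender(sender)} argv={argv}")
```

Running it prints the argv for each case: the normal address yields one "-f" argument on both paths; the double-quote form is split into three arguments by the bare path but survives escapeshellarg() as a single argument; the single-quote form is split again even with escapeshellarg(), because escapeshellcmd() turns the backslash that escapeshellarg() relies on into a literal "\\" and closes the quoting. The allowlist rejects both injected forms. The practical caveat: RFC-valid is not shell-safe, so an address that fails the allowlist should be refused as envelope sender (or the library should talk SMTP instead of spawning the sendmail binary).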

Security fix / Solution

Update to version 5.2.20 or later.

PoC Exploit

Bypass PoC exploit

Vulnerable WebApp to test

PHPMailer Vulnerable Contact Form (contains PHPMailer package in versions 5.2.17 & 5.2.19)






ZendMail - Remote Code Execution

CVE-2016-10034

ZF2016-04

Zend Framework / zend-mail - "Zend Framework is a collection of professional PHP packages with more than 95 million installations. It can be used to develop web applications and services using PHP 5.6+, and provides 100% object-oriented code using a broad spectrum of language features."

A similar vulnerability in Zend Framework (zend-mail) that can also allow Remote Code Execution was revealed in the security advisory ZF2016-04: the same class of bug in its Sendmail transport.

Security fix / Solution

Users should update to the patched releases:
  1. zend-mail, starting in version 2.7.2
  2. zend-mail, 2.4.11
  3. Zend Framework, 2.4.11

PoC Exploit

Zend Framework / Zend-mail Simple PoC exploit







SwiftMailer - Remote Code Execution

CVE-2016-10074

SwiftMailer - "Swift Mailer began back in 2005 as a one-class project for sending mail over SMTP. It has since grown into the flexible component-based library that is in development today." The SwiftMailer library is used by major PHP projects, including some of the most popular PHP frameworks such as Yii2, Laravel and Symfony.

A similar vulnerability in SwiftMailer that can also allow Remote Code Execution was revealed in the security advisory: the same class of bug in its mail() transport.

Security fix / Solution

Users should update to SwiftMailer 5.4.5 or later.

PoC Exploit

SwiftMailer Simple PoC exploit
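Since the three fix sections above each name a different floor version, here is an added check (not code from any of the three projects) that audits a Composer lock file against exactly those floors: PHPMailer 5.2.20, zend-mail 2.4.11 on the 2.4.x line and 2.7.2 on the 2.5.x-2.7.x line, SwiftMailer 5.4.5. It assumes the usual Composer package names (phpmailer/phpmailer, zendframework/zend-mail, swiftmailer/swiftmailer) and reads the standard "packages"/"packages-dev" sections; the embedded lock file is constructed for the demo. PHPMailer 5.2.18 and 5.2.19 are deliberately reported as vulnerable because of the CVE-2016-10045 bypass. For PHPMailer copies that were not installed through Composer, check the $Version property in class.phpmailer.php by hand instead.

```python
"""Audit a composer.lock for the mail libraries covered on this page.

Added check, not project code. It only knows the fixed versions stated above.
"""
import json
import re
import sys

# (branch_floor, first_fixed) per package: a version at or above a floor and
# below the next floor is safe only from first_fixed on.
FIXED = {
    "phpmailer/phpmailer":     [((0, 0, 0), (5, 2, 20))],     # 5.2.18/5.2.19 still vulnerable
    "zendframework/zend-mail": [((0, 0, 0), (2, 4, 11)),      # 2.4.x line
                                ((2, 5, 0), (2, 7, 2))],      # 2.5.x .. 2.7.x line
    "swiftmailer/swiftmailer": [((0, 0, 0), (5, 4, 5))],
}

_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'v5.2.18' -> (5, 2, 18); None for dev-master, branch aliases and the like."""
    m = _VERSION.match(text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(package, version):
    """True/False for one of the three libraries, None when the version is not a release."""
    branches = FIXED.get(package)
    if branches is None:
        return False                       # not a package this page is about
    parsed = parse_version(version)
    if parsed is None:
        return None
    _, first_fixed = max((b for b in branches if parsed >= b[0]), key=lambda b: b[0])
    return parsed < first_fixed


def audit_lock(lock):
    """Walk both sections of a parsed composer.lock; return (name, version, state) tuples."""
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            state = is_vulnerable(pkg["name"], pkg["version"])
            if state is None:
                findings.append((pkg["name"], pkg["version"], "unknown"))
            elif state:
                findings.append((pkg["name"], pkg["version"], "vulnerable"))
    return findings


# Constructed lock file: a "patched but not enough" PHPMailer, a zend-mail from
# the 2.5+ line below 2.7.2, a fixed SwiftMailer, and two unrelated packages.
SAMPLE_LOCK = {
    "packages": [
        {"name": "phpmailer/phpmailer", "version": "v5.2.18"},
        {"name": "zendframework/zend-mail", "version": "2.6.3"},
        {"name": "swiftmailer/swiftmailer", "version": "v5.4.5"},
        {"name": "monolog/monolog", "version": "1.22.0"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "5.7.5"},
    ],
}


if __name__ == "__main__":
    if len(sys.argv) > 1:                  # python audit.py /path/to/composer.lock
        with open(sys.argv[1]) as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    for name, version, state in audit_lock(lock):
        print(f"{state:10} {name} {version}")
```

With the embedded sample it reports phpmailer/phpmailer v5.2.18 and zendframework/zend-mail 2.6.3 as vulnerable and stays silent on the patched SwiftMailer; point it at a real composer.lock to audit a deployment. Versions it cannot interpret (dev-master, branch aliases) are listed as "unknown" rather than silently passed.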

#PwnScriptum



Stay updated

More details will eventually be posted on this website.
You can also monitor the researcher's website, or the

FAQs

1. Who discovered the vulnerability?
The vulnerability was discovered by Dawid Golunski of Legal Hackers

2. What should I do? Where do I get the patches?
See the Security fix section above

3. Can I make the patch my New Year's resolution and wait for some time? 
You can wait, attackers probably won't ;)

4. How do I contact the maintainers of this site or the researcher?
You can contact the maintainers of this site via pwnscriptum[-at-]gmail.com.
The researcher who discovered the vulnerability can be reached at dawid[-at-]legalhackers.com

5. Why is it called PwnScriptum (or P.$.) ? 
It comes from P.S. short for latin PostScriptum, commonly used in e-mail communication.
The $ stands for a shell/script execution on the Pwned host after an email has been sent by a vulnerable webapp ;)

6. Is there a need for the name/logo/domain foo?
As you can see from the previous advisories, the researcher prefers to stick to advisories in raw plain-text (wrapped to 80 chars of course ;).
These post well on security lists but don't necessarily reach far outside the security community.
The news of this vulnerability however, due to the severity and wide usage of the affected software, had to reach the opensource users fast
(despite the bad timing and a holiday break ;) to speed up patching as much as possible before the full details/exploits get disclosed.
Hence the idea for this page.

7. Can I get the full RCE exploit code already to fix my PHPMailer?
That's what the patch/security release is for ;) (See the Security Fix section).

8. Can I use the logo on my blog?
Go for it, it's meant to be opensource after all ;)

P.$. echo " Patch now. Don't get pwned ;) "