Date: Wed, 28 Dec 2016 03:03:39 -0200
From: Dawid Golunski <dawid@...alhackers.com>
To: oss-security@...ts.openwall.com
Subject: PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit
 (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)

PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit
(CVE-2016-10045) (Bypass for the CVE-2016-1033 patch)

Discovered by Dawid Golunski (@dawid_golunski)
https://legalhackers.com

Desc:

I discovered that the current PHPMailer versions (< 5.2.20) were still
vulnerable to RCE as it is possible to bypass the currently available
patch.

This was reported responsibly to the vendor & assigned a CVEID on the
26th of December.
The vendor has been working on a new patch which would fix the problem but
not break the RFC too badly. The patch should be published very soon.

I'm releasing this as a 0day without the new patch available publicly
as a potential bypass was publicly discussed on oss-sec with Solar
Designer in the PHPMailer < 5.2.18 thread, so holding the advisory
further would serve no purpose.


Current advisory URL:

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html

More updates soon at:

https://twitter.com/dawid_golunski


-- 
Regards,
Dawid Golunski
https://legalhackers.com
t: @dawid_golunski

View attachment "PHPMailer-fix-bypass.txt" of type "text/plain" (6286 bytes)
