Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20161228165828.GA2779@openwall.com>
Date: Wed, 28 Dec 2016 17:58:28 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Marcus Bointon <marcus@...chromedia.co.uk>
Subject: Re: PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit (CVE-2016-10045) (Bypass of the CVE-2016-1033 patch)

On Wed, Dec 28, 2016 at 03:03:39AM -0200, Dawid Golunski wrote:
> PHPMailer < 5.2.20 Remote Code Execution PoC 0day Exploit
> (CVE-2016-10045) (Bypass for the CVE-2016-1033 patch)

Marcus has just released 5.2.21 with a fix for CVE-2016-10045.  The fix
stops using escapeshellarg()'s result, and instead sanity-checks the
string's characters:

+            // All other characters have a special meaning in at least one common shell, including = and +.
+            // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
+            // Note that this does permit non-Latin alphanumeric characters based on the current locale.
+            if (!ctype_alnum($c) && strpos('@...', $c) === false) {
+                return false;

I think the use current locale is weird (an explicit check for
[a-zA-Z0-9] would have been more appropriate), but overall hopefully
this is a working fix now.

I suggest also sanity-checking the string length, for good measure.
Maybe in another update.

> This was reported responsibly to the vendor & assigned a CVEID on the
> 26th of December.
> The vendor has been working on a new patch which would fix the problem but
> not break the RFC too badly. The patch should be published very soon.
> 
> I'm releasing this as a 0day without the new patch available publicly
> as a potential bypass was publicly discussed on oss-sec with Solar
> Designer in the PHPMailer < 5.2.18 thread, so holding the advisory
> further would serve no purpose.

Yeah.  I did think for a moment before posting in here yesterday, but
for a number of reasons chose to go ahead with the public discussion.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.