=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com

- CVE-2016-10033
- Release date: 25.12.2016
- Revision 1.0
- Severity: Critical
=============================================

I. VULNERABILITY
-------------------------

PHPMailer < 5.2.18 Remote Code Execution

II. BACKGROUND
-------------------------

"PHPMailer continues to be the world's most popular transport class, with an
estimated 9 million users worldwide. Downloads continue at a significant pace
daily."

http://phpmailer.worxware.com/

"Probably the world's most popular code for sending email from PHP! Used by
many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla!
and many more"

https://github.com/PHPMailer/PHPMailer

III. INTRODUCTION
-------------------------

Independent research uncovered a critical vulnerability in PHPMailer that
could potentially be used by (unauthenticated) remote attackers to achieve
remote arbitrary code execution in the context of the web server user and
remotely compromise the target web application.

To exploit the vulnerability an attacker could target common website
components such as contact/feedback forms, registration forms, password
email resets and others that send out emails with the help of a vulnerable
version of the PHPMailer class.

Note: This is a limited advisory to give users a chance to urgently update
their PHPMailer class before disclosing the details. Details of this
vulnerability will be published shortly.

IV. DESCRIPTION
-------------------------

To be released

V. PROOF OF CONCEPT EXPLOIT
-------------------------

The researcher has developed a working RCE PoC exploit. The exploit will be
published at a later date.

The researcher also developed an Unauthenticated RCE exploit for a popular
open-source application (deployed on the Internet on more than a million
servers) as a PoC for real-world exploitation. It might be published after
the vendor has fixed the vulnerabilities.

Video PoC:
~~~~~~~~~~~~~

https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html

VI. BUSINESS IMPACT
-------------------------

Successful exploitation could let remote attackers gain access to the target
server in the context of the web server account, which could lead to a full
compromise of the web application.

VII. SYSTEMS AFFECTED
-------------------------

All versions of PHPMailer before the critical release of 5.2.18 are affected.

VIII. SOLUTION
-------------------------

The vulnerability was responsibly disclosed to the PHPMailer vendor. The
vendor released a critical security release of PHPMailer 5.2.18 to fix the
issue as notified at:

https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md

https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md

CVE MITRE assigned the following ID to this vulnerability:
CVE-2016-10033

Users should urgently update to the patched release.

IX. REFERENCES
-------------------------

https://legalhackers.com

This advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

Video PoC:
https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html

Exploit code:
To be disclosed at a later date

CVE-2016-10033
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10033

PHPMailer / Vendor security updates / notices:
https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md
https://github.com/PHPMailer/PHPMailer
https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md

X. CREDITS
-------------------------

The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
https://legalhackers.com

XI. REVISION HISTORY
-------------------------

25.12.2016 - Limited advisory released to prompt an urgent update by
affected users before disclosing the details.

XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.

[Original] https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
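
To act on the "Systems affected" and "Solution" sections, the following added example (not part of the advisory or of PHPMailer) walks a web root and flags every PHPMailer copy older than 5.2.18. The file names in `CANDIDATES` and the `$Version` declaration format are assumptions about how copies are shipped, and the sample files in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (5, 2, 18)  # first patched release named in the advisory
# Assumption: PHPMailer 5.x declares its version as `public $Version = 'x.y.z';`
VERSION_RE = re.compile(r"""\$Version\s*=\s*['"](\d+)\.(\d+)\.(\d+)""")
# Assumption: upstream file name, plus a hyphenated name used by bundled copies
CANDIDATES = {"class.phpmailer.php", "class-phpmailer.php"}

def phpmailer_version(path):
    """Return the (major, minor, patch) declared in a PHPMailer class file, or None."""
    m = VERSION_RE.search(path.read_text(encoding="utf-8", errors="replace"))
    return tuple(int(p) for p in m.groups()) if m else None

def audit(root):
    """Return sorted (relative path, version, status) for every copy under root."""
    findings = []
    for path in Path(root).rglob("*.php"):
        if path.name.lower() not in CANDIDATES:
            continue
        ver = phpmailer_version(path)
        if ver is None:
            shown, status = "?", "UNKNOWN"  # cannot confirm: review by hand
        else:
            shown = ".".join(map(str, ver))
            status = "VULNERABLE" if ver < FIXED else "ok"
        findings.append((path.relative_to(root).as_posix(), shown, status))
    return sorted(findings)

def demo():
    """Audit a constructed web root holding three sample copies."""
    samples = {  # constructed sample files, not real PHPMailer sources
        "site/lib/class.phpmailer.php": "public $Version = '5.2.16';",
        "blog/includes/class-phpmailer.php": 'public $Version = "5.2.18";',
        "old/class.phpmailer.php": "<?php // version line stripped",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True)
            target.write_text(body)
        return audit(root)

if __name__ == "__main__":
    for rel, ver, status in demo():
        print(f"{status:10} {ver:8} {rel}")
```

Point `audit()` at a real document root to inventory bundled copies; an `UNKNOWN` result means the version line could not be parsed and the file needs manual review.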