Critical remote code execution vulnerabilities in two different libraries used to send emails via PHP were patched this week.
An issue in PHPMailer, thought fixed, was resolved with an update, version 5.2.21, pushed late Wednesday. Developers of another PHP mailing library, SwiftMailer, remedied a similar issue that could also have led to remote code execution on Thursday.
#Swiftmailer 5.4.5 fixes CVE-2016-10074. Thanks @barryvdh and @Zenexer for the help. And to @dawid_golunski for finding the issue
— Fabien Potencier (@fabpot) December 29, 2016
Both bugs were disclosed this week by researcher Dawid Golunski of Legal Hackers.
An attacker could have exploited the PHPMailer vulnerability (CVE-2016-10033) by targeting website components that use PHPMailer, such as contact/registration forms, password reset email forms, and so forth. In addition to giving a remote attacker the ability to execute arbitrary code, the vulnerability could also have given attackers access to the web server hosting a web app that used a vulnerable version of the library. To get the word out, a website and logo for the vulnerability, nicknamed PwnScriptum, began making the rounds earlier this week.
It was learned early Wednesday that an update PHPMailer pushed over the weekend to fix the original issue, version 5.2.18, could be bypassed. That bypass was assigned a new CVE (CVE-2016-10045), something that put the original issue back at ‘square one,’ according to the researcher.
“There is no public patch at the moment. All PHPMailer versions are vulnerable again. Back to square one,” Golunski told Threatpost Wednesday.
[ #RCE #0day #vuln] SwiftMailer Remains Unpatched. Adding to the #PwnScriptum #phpmailer family 😉 https://t.co/bg8ByA6eSr #infosec #security
— Dawid Golunski (@dawid_golunski) December 28, 2016
PHPMailer eventually fixed the bypass issue with an update, version 5.2.20, later that day.
The SwiftMailer vulnerability (CVE-2016-10074) could have been exploited through the same means as the PHPMailer vulnerability: contact/registration forms, password reset email forms, and any other component that uses the SwiftMailer class. Before a fix was applied, the vulnerability affected all versions of the library, including the then-current development release, 5.4.5-DEV.
Citing weeks of inactivity by the vendor, Golunski disclosed the vulnerability on Wednesday. Once disclosed, SwiftMailer acted fast to fix the vulnerability, pushing version 5.4.5 on Thursday.
According to the changelog for SwiftMailer on GitHub, developers fixed the issue by deprecating the mail transport used by the library, Swift_Transport_MailTransport, as it was vulnerable to passing arbitrary shell arguments.
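The defect class behind both libraries' fixes is easier to see in code than in a changelog line. The Python below is an added example, not code from the article, PHPMailer or SwiftMailer: it models a sender address being concatenated into a sendmail command line that a shell then splits (so whitespace inside the address becomes additional arguments to the mail binary), next to the validated form that rejects such input and passes argv as a list without a shell. The sendmail path and the sample addresses are assumptions constructed for the example.

```python
"""Added example: sender-address validation before handing a message to a
local sendmail binary. Models the 'arbitrary shell arguments' defect class
named in the SwiftMailer changelog; not the libraries' own code."""
import re
import shlex

# Typical location of the sendmail binary (assumption for the example).
SENDMAIL = "/usr/sbin/sendmail"

# Conservative addr-spec check: one local part, one domain, and no
# whitespace or shell metacharacters. Deliberately stricter than RFC 5322;
# a mailer only needs to accept addresses it can safely pass on.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_safe_sender(sender: str) -> bool:
    """True only for a plain addr-spec with no characters a shell would split on."""
    return _ADDR_RE.fullmatch(sender) is not None


def unsafe_sendmail_argv(sender: str) -> list:
    """The weak pattern: build one command string by concatenation and let a
    shell tokenize it. Every whitespace-separated token in `sender` becomes a
    separate argument to sendmail, which is the bug described in the article."""
    return shlex.split(f"{SENDMAIL} -t -i -f{sender}")


def safe_sendmail_argv(sender: str) -> list:
    """The hardened pattern: validate first, then pass argv as a list so the
    address is a single argument regardless of its content."""
    if not is_safe_sender(sender):
        raise ValueError(f"rejected sender address: {sender!r}")
    return [SENDMAIL, "-t", "-i", "-f" + sender]


if __name__ == "__main__":
    # Constructed sample inputs: one clean address, one carrying extra tokens.
    for addr in ("alice@example.com", "alice@example.com extra tokens"):
        print("unsafe argv:", unsafe_sendmail_argv(addr))
        try:
            print("safe argv:  ", safe_sendmail_argv(addr))
        except ValueError as exc:
            print("safe argv:  ", exc)
```

The point of the comparison is the argument count: the concatenated form turns one address field into several sendmail arguments, while the list form keeps it to exactly four entries or refuses the input outright. The same check belongs at the form-handling layer, because every component the article lists (contact, registration and password reset forms) feeds user input into the sender field.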
Golunski published a similar proof of concept exploit for another PHP framework, Zend Framework, on December 30. Zend, the company responsible for the framework, had patched the vulnerability in zend-mail 2.7.2 and 2.4.11, and in Zend Framework 2.4.11, on December 20. Golunski says he will publish a more thorough disclosure, discussing other vectors and exploits, in a future whitepaper.
Golunski has had a busy end to 2016. In addition to the PHPMailer and SwiftMailer vulnerabilities, he uncovered two critical vulnerabilities in the open source IT infrastructure monitoring software Nagios Core earlier this month. If exploited, those vulnerabilities could have been used to elevate privileges to root and gain remote code execution.
This article was updated on January 3 to include information regarding a similar vulnerability in Zend Framework.