Vanilla Forums has a plain-flavoured zero-day

PHPMailer bug leads to remote code execution via HTTP.

Updated: The popular Vanilla Forums software needs patching against a remote code execution zero-day first reported to the developers in December 2016.

Published by ExploitBox, the zero-day “can be exploited by unauthenticated remote attackers to execute arbitrary code and fully compromise the target application when combined with Host Header injection vulnerability CVE-2016-10073.”

The problem arises because Vanilla Forums inherits a bug in PHPMailer. The mailer uses PHP’s mail() function as its default transport, as discussed in Legal Hackers’ advisory.

The mail() function in turn invokes Sendmail, and that is where the problem arises: along that chain, an attacker can inject extra parameters into the Sendmail command line.

For example:

"Attacker \" -Param2 -Param3"@test.com

when passed to PHPMailer (and eventually to the mail() function) would cause
sendmail to execute with:

Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fAttacker\]
Arg no. 4 == [-Param2]
Arg no. 5 == [-Param3"@test.com]

What Legal Hackers’ Dawid Golunski found is that this can be used as a command injection vector – and back at the top, in Vanilla Forums, something like a contact form can be used to push code execution down to the mailer.
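The argument splitting described above, reproduced as an added example that is not part of the article, of PHPMailer or of Legal Hackers’ advisory: a simplified Python port of PHP’s escapeshellcmd() (the escaping the affected PHPMailer versions relied on) plus a POSIX shell tokenizer (shlex) show how the single sender address from the article fans out into several sendmail options, and two defensive alternatives keep it to one argument: quoting the value as a whole (shlex.quote, the analogue of PHP’s escapeshellarg()) and an allow-list validator modelled on the kind of check later PHPMailer releases adopted. The function names, the allow-list and the ASCII-only port are this example’s own assumptions, and the exact whitespace inside the mangled -f argument may differ from the sendmail trace quoted above.

```python
import re
import shlex

# The article's example sender address (constructed here as a Python literal);
# the paired double quotes are what break the sendmail command line.
PAGE_SENDER = '"Attacker \\" -Param2 -Param3"@test.com'

# Characters PHP's escapeshellcmd() prefixes with a backslash (quotes are handled separately).
_CMD_META = set('&#;`|*?~<>^()[]{}$\\\n\xff')


def escapeshellcmd(s: str) -> str:
    """Simplified Python port of PHP's escapeshellcmd() (assumption: ASCII input).

    Metacharacters get a backslash, but a quote is left untouched when a matching
    quote follows it, so a deliberately paired quote still opens a shell string."""
    out = []
    match_at = None  # index of the partner quote for the quote currently open
    for i, c in enumerate(s):
        if c in '"\'':
            if match_at is None:
                j = s.find(c, i + 1)
                if j != -1:
                    match_at = j        # opening quote with a partner: kept as-is
                    out.append(c)
                    continue
            elif s[match_at] == c:
                match_at = None         # closing quote: kept as-is
                out.append(c)
                continue
            out.append('\\' + c)        # unpaired quote: escaped
        elif c in _CMD_META:
            out.append('\\' + c)
        else:
            out.append(c)
    return ''.join(out)


def sendmail_argv(extra_params: str) -> list:
    """argv that /bin/sh would hand to sendmail for the given extra parameters,
    mirroring the '-t -i' defaults seen in the article's trace."""
    return ['/usr/sbin/sendmail', '-t', '-i'] + shlex.split(extra_params)


def vulnerable_sender_argv(sender: str) -> list:
    """Vulnerable pattern: escapeshellcmd() on the address, then '-f' + address.
    Escaping for a *command* does not stop the value from becoming several *arguments*."""
    return sendmail_argv('-f' + escapeshellcmd(sender))


def quoted_sender_argv(sender: str) -> list:
    """Mitigation 1: quote the whole value as ONE argument (shlex.quote, the analogue
    of PHP's escapeshellarg()), so the shell cannot split off extra options."""
    return sendmail_argv('-f' + shlex.quote(sender))


# Mitigation 2 (assumption: allow-list modelled on the kind of check later PHPMailer
# releases added): only characters that need no shell escaping at all.
_SAFE_SENDER = re.compile(r'[A-Za-z0-9@_.\-]+')


def is_shell_safe_sender(sender: str) -> bool:
    return bool(_SAFE_SENDER.fullmatch(sender)) and escapeshellcmd(sender) == sender


def validated_sender_argv(sender: str) -> list:
    """Reject anything that fails the allow-list instead of trying to escape it."""
    if not is_shell_safe_sender(sender):
        raise ValueError('sender address is not safe to place on a command line')
    return sendmail_argv('-f' + sender)


if __name__ == '__main__':
    for i, a in enumerate(vulnerable_sender_argv(PAGE_SENDER)):
        print(f'Arg no. {i} == [{a}]')          # three options where one was intended
    print(quoted_sender_argv(PAGE_SENDER))       # a single, harmless -f argument
    print(validated_sender_argv('alice@example.com'))
```

The two mitigations are complementary: quoting as an argument stops the shell from splitting the value, while the allow-list refuses the input before it ever reaches a command line, which is the safer default for a field that only ever needs to hold an ordinary address.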

The ExploitBox post demonstrates how an HTTP 1.0 Web request to the forum will push the code injection down to PHPMailer.

It should be noted that this vulnerability can still be exploited even if the Vanilla software is hosted on an Apache web server with several name-based vhosts enabled, and despite not being the default vhost.

This is possible as the attacker can take advantage of the HTTP/1.0 protocol and specify the exact vhost within the URL. This will allow the HOST header to be set to an arbitrary value, as the Apache server will obtain the SERVER_NAME from the provided URL. This will ensure that the malicious request reaches the affected code despite an invalid vhost within the HOST header.


While you’re waiting for a fix, ExploitBox suggests setting the sender’s address to a static value, to block the use of the HOST header. ®

Update

Vanilla Forums has since patched the issue and stresses that the flaw affected the open source edition only; no hosted customers were impacted.

Source: http://ift.tt/2psIVEJ


The post Vanilla Forums has a plain-flavoured zero-day appeared first on Information Security Newspaper.
