Vanilla Forums has a plain-flavoured zero-day
PHPMailer bug leads to remote code execution via HTTP
Updated The popular Vanilla Forums software needs patching against a remote code execution zero-day first reported to the developers in December 2016.
Published by ExploitBox, the zero-day “can be exploited by unauthenticated remote attackers to execute arbitrary code and fully compromise the target application when combined with Host Header injection vulnerability CVE-2016-10073.”
The problem arises because Vanilla Forums inherits a bug in PHPMailer. The mailer uses PHP's mail() function as its default transport, as discussed by Legal Hackers here.
The mail() function can then be used to call Sendmail, and here's where the problem arises, because along that chain, an attacker can inject extra parameters into Sendmail.
"Attacker \" -Param2 -Param3"@test.com when passed to PHPMailer (and eventually to mail()) function would cause sendmail to execute with: Arg no. 0 == [/usr/sbin/sendmail] Arg no. 1 == [-t] Arg no. 2 == [-i] Arg no. 3 == [-fAttacker\] Arg no. 4 == [-Param2] Arg no. 5 == [-Param3"@test.com]
What Legal Hackers' Dawid Golunski found is that this can be used as a command injection vector – and back at the top, in Vanilla Forums, something like a contact form can be used to push code execution down to the mailer.
The ExploitBox post demonstrates how an HTTP 1.0 Web request to the forum will push the code injection down to PHPMailer.
It should be noted that this vulnerability can still be exploited even if Vanilla software is hosted on Apache web server with several name-based vhosts enabled, and despite not being the default vhost.
This is possible as the attacker can take advantage of HTTP/1.0 protocol and specify the exact vhost within the URL. This will allow the HOST header to be set to arbitrary value as the Apache server will obtain the SERVER_NAME from the provided URL. This will ensure that the malicious request will reach the affected code despite invalid vhost within the HOST header.
While you're waiting for a fix, ExploitBox suggests setting the sender's address to a static value, to block the use of the HOST header. ®
Vanilla Forums has since patched the issue and stresses that the flaw affected open source only, no hosted customers were impacted. Details here.