cbcvebase.
CVE-2017-15806
published 2017-11-15

CVE-2017-15806: The send function in the ezcMailMtaTransport class in Zeta Components Mail before 1.8.2 does not properly restrict the set of characters used in the ezcMail…

Priority: P2 (63), high; CVSS 3.0 base score 8.1
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: EXPLOIT
EPSS: 10.65% (95.2th percentile)
The send function in the ezcMailMtaTransport class in Zeta Components Mail before 1.8.2 does not properly restrict the set of characters used in the ezcMail returnPath property, which might allow remote attackers to execute arbitrary code via a crafted email address, as demonstrated by one containing "-X/path/to/wwwroot/file.php."

Affected

2 ranges
Vendor          Product   Version range     Fixed in
zetacomponents  mail      < 1.8.2           1.8.2
zetacomponents  mail      >= 0, < 1.8.2     1.8.2

Detection & IOCs (extracted from sources)

command: -X/var/www/html/cache/exploit.php
path: /var/www/html/cache/exploit.php
  • Look for sendmail invocations containing the -X flag followed by a web-accessible path, which indicates abuse of the sendmail log-to-file feature via the returnPath property.
  • Monitor the ezcMailMtaTransport send() call for returnPath/ezcMailAddress values containing shell metacharacters or flag-like substrings (e.g. -X, -O, -C) appended after a valid email address.
  • Alert on new PHP files created in web-writable cache or public directories by the webserver process user, as the exploit drops a PHP shell via sendmail's -X logging flag.
  • Exploitation is only possible when the ezcMailMtaTransport class is used (not other transport classes in Zeta Components Mail).
  • The web root directory must be writable by the user the web server runs as for the dropped file to be created.

CVSS provenance

NVD, CVSS v3.0: 8.1 HIGH (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 6.8 MEDIUM (AV:N/AC:M/Au:N/C:P/I:P/A:P)