CVE-2016-10033: WordPress 4.6 RCE Vulnerability

WordPress (WP) is a free and open source CMS for managing a website, blog, or other content on the Internet, first released on May 27, 2003. Today WordPress runs on over 75 million sites; it is still based on PHP and MySQL and can either be installed on a web server or used through a WordPress hosting service such as wordpress.com.
One of its biggest attractions is the ease of creating new posts once WordPress is installed, without needing to know much HTML. WordPress also has a large community, thousands of themes and plugins, and is available in many languages.

This advisory reveals details of the exploitation of the PHPMailer vulnerability (CVE-2016-10033) in WordPress Core, which (contrary to what was believed and announced by the WordPress security team) was affected by the vulnerability.

The remote code execution attack could be used by unauthenticated remote attackers to gain instant access to a target server running a vulnerable WordPress core version in its default configuration, which could lead to a full compromise of the application server. No plugins or non-standard settings are required to exploit the vulnerability.

This advisory reveals new exploitation vectors for the PHP mail() function, discovered by the advisory's author, that allow the vulnerability to be exploited against the most popular MTA (Mail Transfer Agent), Exim, which is installed by default on many systems such as Debian or Ubuntu, as opposed to the rarely used Sendmail MTA that had been thought to be a requirement for mail() injection attacks to date.
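The two paragraphs above describe the chain without showing it. The following Python model is an added example (not code from the advisory, WordPress or PHPMailer): it re-implements just enough of the PHP behaviour to show why the Host header ends up as extra arguments to the sendmail binary, and what the later PHPMailer whitelist check changes. It assumes Apache with the default UseCanonicalName Off (so SERVER_NAME is whatever the client sent as Host), WordPress 4.6's wp_mail() handing its From address to PHPMailer's setFrom() (which also uses it as the envelope Sender), PHPMailer before 5.2.18 passing that Sender to mail() as "-f<sender>", and a sendmail_path of /usr/sbin/sendmail -t -i pointing at Exim's sendmail-compatible binary. The Host values, php_escapeshellcmd, is_shell_safe and the build_* helpers are all constructed for this example.

```python
"""Model of the data flow behind CVE-2016-10033 in WordPress 4.6 (added example)."""
import re
import shlex

# Characters PHP's escapeshellcmd() prefixes with a backslash. Whitespace is not
# among them, which is the crux: the shell still splits the value into words.
_META = frozenset('#&;`|*?~<>^()[]{}$\\\n\xff')


def php_escapeshellcmd(s: str) -> str:
    """Python model of PHP escapeshellcmd(): backslash-escape metacharacters and
    unpaired quotes, leave everything else (including spaces) untouched."""
    out = []
    closing = None  # index of the quote that closes the currently open pair
    for i, ch in enumerate(s):
        if ch in ('"', "'"):
            if closing is None:
                j = s.find(ch, i + 1)
                if j == -1:
                    out.append('\\')      # unpaired quote: escape it
                else:
                    closing = j           # paired: both ends copied verbatim
            elif closing == i:
                closing = None
            else:
                out.append('\\')          # other quote kind inside a pair
            out.append(ch)
        elif ch in _META:
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def wp_from_address(host_header: str) -> str:
    """Default From built by wp_mail(): 'wordpress@' + lower-cased SERVER_NAME
    with a leading 'www.' removed. Assumption: SERVER_NAME == Host header."""
    sitename = host_header.lower()
    if sitename.startswith('www.'):
        sitename = sitename[4:]
    return 'wordpress@' + sitename


SENDMAIL_PATH = '/usr/sbin/sendmail -t -i'  # assumed sendmail_path (Exim compat binary)


def build_sendmail_argv(sender: str) -> list:
    """Vulnerable path (PHPMailer before 5.2.18): the Sender goes into mail()'s
    5th argument as '-f<sender>'; PHP applies escapeshellcmd() and /bin/sh -c
    then splits the line. shlex.split() reproduces that word splitting and
    backslash removal, so the returned list is the argv Exim actually receives."""
    extra = php_escapeshellcmd('-f' + sender)
    return shlex.split(SENDMAIL_PATH + ' ' + extra)


_SAFE = re.compile(r'^[A-Za-z0-9@_.\-]+$')


def is_shell_safe(value: str) -> bool:
    """Whitelist check modelled on PHPMailer's later isShellSafe(): the value must
    survive escapeshellcmd() unchanged and consist only of [A-Za-z0-9@_.-]."""
    return php_escapeshellcmd(value) == value and bool(_SAFE.match(value))


def build_sendmail_argv_hardened(sender: str) -> list:
    """Fixed path: an unsafe Sender is simply not passed as -f, so no extra
    words can reach the sendmail binary at all."""
    if not is_shell_safe(sender):
        return shlex.split(SENDMAIL_PATH)
    return shlex.split(SENDMAIL_PATH + ' -f' + sender)


# Constructed inputs. The injected one has the shape the Metasploit module
# description refers to: a parenthesised RFC 822 comment (so the address still
# looks valid to a liberal validator) containing spaces and Exim's -be switch.
# No command payload is included.
BENIGN_HOST = 'www.example.com'
INJECTED_HOST = 'example.com(any -be null)'

if __name__ == '__main__':
    for host in (BENIGN_HOST, INJECTED_HOST):
        sender = wp_from_address(host)
        print('Host:', host)
        print('  vulnerable argv:', build_sendmail_argv(sender))
        print('  hardened argv:  ', build_sendmail_argv_hardened(sender))
```

For the injected Host the vulnerable path yields argv entries "-fwordpress@example.com(any", "-be" and "null)": escapeshellcmd() stops the shell from interpreting the parentheses, but the backslashes it adds are consumed by the shell, so Exim sees the raw characters and, more importantly, every space-separated token as a separate option. The hardened path refuses the value and sends without -f.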

Due to the critical severity of this vulnerability, the disclosure of new exploitation vectors that widen this class of attack, and the ease of mass exploitation, the release of this advisory was delayed by an extended period to give WordPress and other potentially affected software vendors enough time to update the affected mail libraries. The release was also delayed to give the WordPress team more time to patch another WordPress vulnerability (CVE-2017-8295), which will be described in detail in a separate advisory shortly.

POC:

Exploit : https://exploitbox.io/exploit/wordpress-rce-exploit.sh


Update 5/17/2017

Now, you can use Metasploit to exploit this vulnerability.

  1. Update your Metasploit Framework:
    apt-get update && apt-get upgrade

  2. Use the exploit/unix/webapp/wp_phpmailer_host_header module:
    msf exploit(wp_phpmailer_host_header) > info


    Name: WordPress PHPMailer Host Header Command Injection
    Module: exploit/unix/webapp/wp_phpmailer_host_header
    Platform: Linux
    Privileged: No
    License: Metasploit Framework License (BSD)
    Rank: Average
    Disclosed: 2017-05-03

    Provided by:
    Dawid Golunski
    wvu <wvu@metasploit.com>

    Available targets:
    Id  Name
    --  ----
    0   WordPress 4.6 / Exim

    Basic options:
    Name       Current Setting  Required  Description
    ----       ---------------  --------  -----------
    Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
    RHOST                       yes       The target address
    RPORT      80               yes       The target port (TCP)
    SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
    SRVPORT    8080             yes       The local port to listen on.
    SSL        false            no        Negotiate SSL/TLS for outgoing connections
    SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
    TARGETURI  /                yes       The base path to the wordpress application
    USERNAME   admin            yes       WordPress username

    Payload information:

    Description:
    This module exploits a command injection vulnerability in WordPress
    version 4.6 with Exim as an MTA via a spoofed Host header to
    PHPMailer, a mail-sending library that is bundled with WordPress. A
    valid WordPress username is required to exploit the vulnerability.
    Additionally, due to the altered Host header, exploitation is
    limited to the default virtual host, assuming the header isn't
    mangled in transit. If the target is running Apache 2.2.32 or 2.4.24
    and later, the server may have HttpProtocolOptions set to Strict,
    preventing a Host header containing parens from passing through,
    making exploitation unlikely.

    References:
    https://cvedetails.com/cve/CVE-2016-10033/
    https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
    http://www.exim.org/exim-html-current/doc/html/spec_html/ch-string_expansions.html
    https://httpd.apache.org/docs/2.4/mod/core.html#httpprotocoloptions

    msf exploit(wp_phpmailer_host_header) >
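The module description above tells a defender what the attack looks like on the wire: a Host header carrying parentheses and spaces, aimed at the default virtual host. The following scanner is an added example (not part of the advisory or the Metasploit module) that turns that into a log check. It assumes Apache writes the Host header to its access log with a custom LogFormat such as `LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Host}i\"" vhost_host`; the sample log lines, the regexes and the inspect_line/scan_log helpers are all constructed for this example.

```python
"""Detection of CVE-2016-10033-style Host header injection in Apache access logs (added example)."""
import re

# Constructed sample lines in the assumed LogFormat above (not from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [03/May/2017:10:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1834 "www.example.com"
10.0.0.9 - - [03/May/2017:10:12:07 +0000] "POST /wp-login.php HTTP/1.1" 200 1834 "example.com(any -be null)"
10.0.0.9 - - [03/May/2017:10:12:09 +0000] "POST /wp-login.php HTTP/1.1" 400 226 "example.com(-be null)"
10.0.0.7 - - [03/May/2017:10:13:40 +0000] "GET /?p=1 HTTP/1.1" 200 9031 "example.com:8080"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<host>.*)"$'
)

# Anything a browser would legitimately send: hostname or IP literal, optional port.
VALID_HOST_RE = re.compile(r'^[A-Za-z0-9.\-]+(:\d{1,5})?$')

# Indicators tied to this attack rather than to generic Host-header oddities:
# parentheses (an RFC 822 comment keeps the address "valid"), whitespace (what
# turns one -f value into several sendmail arguments) and Exim's -be switch.
INDICATORS = {
    'parens': re.compile(r'[()]'),
    'whitespace': re.compile(r'\s'),
    'exim_be': re.compile(r'(?<![A-Za-z0-9])-be(?![A-Za-z0-9])'),
}


def inspect_line(line: str):
    """Return a finding dict for a suspicious Host header, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None          # not in the expected format; ignore
    host = m.group('host')
    if VALID_HOST_RE.match(host):
        return None
    return {
        'ip': m.group('ip'),
        'time': m.group('ts'),
        'request': m.group('req'),
        'status': int(m.group('status')),
        'host': host,
        'indicators': sorted(n for n, rx in INDICATORS.items() if rx.search(host)),
    }


def scan_log(text: str) -> list:
    """Run inspect_line over every line and collect findings in log order."""
    return [f for f in (inspect_line(line) for line in text.splitlines()) if f]


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['host']!r} indicators={f['indicators']}")
```

The response status is worth keeping next to the Host value: a 200 means the header reached WordPress, whereas an Apache 2.4.24 or later with HttpProtocolOptions Strict (the default there) rejects such headers, as the module description notes. On the prevention side, UseCanonicalName On makes SERVER_NAME come from the ServerName directive instead of the client's Host header, which removes the attacker's control over the From address that this chain depends on.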