The popular Vanilla Forums software is still affected by a critical remote code execution zero-day first reported to the development team in December 2016.
The exploit code was published by ExploitBox, a remote attacker can chain the flaw with the Host Header injection vulnerability CVE-2016-10073 to execute arbitrary code and take the control of the affected software.
Vanilla Forums is the software mentioned by the popular security researcher Dawid Golunski in the following critical PHPMailer advisories a few months ago:
“The researcher also developed an Unauthenticated RCE exploit for a popular
open-source application (deployed on the Internet on more than a
million servers) as a PoC for real-world exploitation. It might be published after the vendor has fixed the vulnerabilities. ” wrote Golunski.
He has been waiting for a few months before publishing the Vanilla Forums RCE exploit together with the WordPress 4.6 RCE exploit.
The Vanilla Forums software leverages PHPMailer that uses PHP’s mail() function as its default transport, as explained by the expert.
The mail() function can then be used to call Sendmail and an attacker can inject extra parameters into Sendmail by chaining the flaw with the CVE-2016-10073 vulnerability.
“Attacker \” -Param2 -Param3″@test.com
when processed by the PHPMailer (and eventually sent to mail()) function would cause sendmail to execute with:
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fAttacker\]
Arg no. 4 == [-Param2]
Arg no. 5 == [-Param3″@test.com]
Dawid Golunski in the ExploitBox post demonstrates how an HTTP 1.0 Web request to the forum will allow code injection down to PHPMailer.
“It should be noted that this vulnerability can still be exploited even if Vanilla software is hosted on Apache web server with several name-based vhosts enabled, and despite not being the default vhost.” wrote Golunski.
“This is possible as the attacker can take advantage of HTTP/1.0 protocol and specify the exact vhost within the URL. This will allow the HOST header to be set to arbitrary value as the Apache server will obtain the SERVER_NAME from the provided URL. This will ensure that the malicious request will reach the affected code despite invalid vhost within the HOST header.”
Below a video PoC of the exploit:
“The exploits and techniques prove that these type of vulnerabilities could be exploited by unauthenticated attackers via server headers such as HOST header that may be used internally by a vulnerable application to dynamically create a sender address.” Golunski told me. “This adds to the originally presented attack surface of contact forms that take user input including From/Sender address.”
These vulnerabilities affect the latest Vanilla Forums stable version 2.3 which unfortunately remains unpatched.
The 0day Vanilla Forums advisories are at:
ExploitBox suggests setting the sender’s address to a static value, in this way it is possible to do not use the HOST header.