Critical Vulnerability in PHPMailer. Affects WP Core.

A critical remote code execution vulnerability in PHPMailer has been discovered by Polish researcher Dawid Golunski. The vulnerability was announced on legalhackers.com yesterday but proof of concept exploit details were not included.

Unfortunately someone posted a proof of concept to exploit-db and to github a few hours ago demonstrating how the vulnerability can be exploited in the PHPMailer library, but not targeting any web application that is in use.

We are publishing this unscheduled update to give PHP developers and our community advance warning of this issue. We expect this story to continue to evolve rapidly as more developers and malicious actors look at this code.

PHPMailer is used by WordPress core to send email. You can find the code in the wp-includes/class-phpmailer.php core file.

Don’t Panic

NOTE: There is no known exploit publicly available for WordPress core or any WordPress theme or plugin at this time. The only exploit we have seen is where a researcher has built their own application and then exploited it, demonstrating the existence of this vulnerability in PHPMailer. (Details below)

Please don’t contact the WordPress core team, WordPress forum moderators or anyone else panicking that your WordPress site will be exploited. This research is currently ongoing and we are making you aware of this issue early for two reasons:

  1. So that you can be ready to upgrade WordPress core and any other affected themes and plugins if you are a user, once a fix is released.
  2. So that, if you are a developer who has used a vulnerable version of PHPMailer, you can start patching your code and get a release out to your customers.

The Details

If you are unfamiliar with RCE vulnerabilities, they are a worst-case scenario. All of the worst vulnerabilities in the history of WordPress have been remote code execution vulnerabilities. They allow an attacker to execute their own code on a victim website and thereby take control of the website.

We have performed a brief analysis on the affected code in PHPMailer. To exploit this vulnerability, it appears that an attacker would need to be able to control the sender email address.

A snippet of the vulnerable code in PHPMailer and the fixes is shown below.

[Image: vulnerable code that was fixed in PHPMailer. Source: GitHub.]

In the vulnerable version of PHPMailer, the sender email address is passed unescaped to a shell command. An attacker could include shell commands in the sender email that execute malicious code on a target machine or website.

What to do

We’re sending out this email as an early warning for our subscribers and customers. The WordPress core team are currently working on a fix that will be included in a WordPress core security release. There is no word yet on timing, but it may be as soon as within 24 hours.

Please update to the newest version of WordPress core as soon as it is released.

If you are using PHPMailer older than 5.2.18 in your own PHP applications, themes or plugins, please upgrade to PHPMailer 5.2.18 or newer immediately.

If you are a WordPress theme or plugin developer and have included your own copy of PHPMailer in your plugin or theme code, you need to update to PHPMailer 5.2.18 or newer immediately and release a fix to your customers.

More information and discussion

An issue in WP core was opened about 4 hours ago that included a patch to fix this issue. It updates WP core from using PHPMailer 5.2.14 to 5.2.19. This is just a proposed patch, not the final fix.

You can find the code changes on github showing the changes in PHPMailer to fix this issue. They make it fairly clear the issue is with the sender email address being sent to a shell command unsanitized.

A basic proof of concept exploit has also been posted to exploit-db which links to a more detailed demo of this exploit in action on github. The researcher has built their own web application which is vulnerable to this exploit, and then created an exploit for their own app. This is clearly not a real-world PoC, but it demonstrates the weakness in PHPMailer and paves the way for real-world exploits to emerge.

According to the post by the researcher who found this:

“The researcher also developed an Unauthenticated RCE exploit for a popular open-source application (deployed on the Internet on more than a million servers) as a PoC for real-world exploitation. It might be published after the vendor has fixed the vulnerabilities.”

The issue was posted to Hackaday yesterday and to The Hacker News earlier today.

It is being widely discussed on Twitter.

It is being discussed on WP Slack #forums and #core. [Login required]

Also being discussed on Hacker News.

It was posted to Reddit /r/netsec about 20 hours ago and is being discussed there.

We expect it to hit mainstream press tomorrow as everyone returns to work.

Update Monday Dec 26th at 5:23pm PST: The Drupal team also released a security advisory regarding PHPMailer a few hours ago.

Update Tuesday Dec 27th at 5:34am PST: The researcher has now released full details of this exploit including the specific weakness in PHPMailer that is used to gain remote code execution. They have not yet released the exploit they have for a “popular open source application”.

Update Tuesday Dec 27th at 8:14pm PST: There appear to still be security issues with PHPMailer that need to be fixed, as discussed on the oss-security mailing list.

Update Tuesday Dec 27th at 11:19pm PST: The researcher has now posted a new 0day bypass for PHPMailer v5.2.19 and older. According to the researcher, the 0day was disclosed because there had been a public discussion on the oss-sec list about a potential bypass that made it public. Disclosing a zero day vulnerability is unusual for an ethical researcher, but in this case it’s excusable because the exploit became public through public discussion. It also helps vendors fix and test their products more effectively. So while this is unusual and potentially controversial, we think it’s an acceptable action in this case.


Comments

68 Comments
  • Could a temporary fix be to block IP-addresses trying to access a specific URL?

    • This is a vulnerability in a library that is used by developers, not a known exploit in a specific application. I want to be very clear on the next point: If you are a regular WordPress user, the only thing you need to do is to upgrade WordPress core ASAP when a security release is fixed, and upgrade any other plugins, themes or applications you have as soon as they release a security fix.

      We aren't currently aware of any exploits that target widely used applications. As they emerge we will be releasing new firewall rules to our customers in real-time to protect you. (Assuming you use Wordfence Premium)

      This is an advance warning of updates to come for users - and we're also making developers aware of the issue so that they can update their phpmailer libraries.

      Mark.

      • So having automatic WordPress updates enabled I guess I'm good.

        • That will ensure your WP core is updated automatically when a security release goes out. If your theme or plugins aren't updated automatically then keep an eye out for security updates during the next few weeks. Same applies to any other PHP applications you have - like phpmyadmin, mediawiki, Joomla, Drupal etc. I don't know how many of them use phpmailer, but this is going to affect a lot of code.

          Mark.

  • It doesn't look like I have anything to worry about, but It's good to know the Wordfence team are so quick off the mark to give us all the heads up about potential exploits like this, even when most people are relaxing on their holidays. I will keep a close eye out for the upcoming WordPress security update.

    Thank you for the warning. It's this level of vigilance towards emerging security threats that makes me feel confident in using Wordfence as my WordPress site's security plugin.

    • You're welcome. Let's just say I was a bit nonplussed when this researcher announced the vulnerability on Xmas day.

      • Yeah, that was excellent timing. Seems like the more responsible thing to have done would have been to wait until the 27th, or even the 3rd of January.

  • It states here that your PHP version must be inferior to 5.2.0 to run the exploit - can you confirm this? (https://github.com/opsxcq/exploit-CVE-2016-10033/blob/master/README.md)

    • Hi there.

      That exploit is not written by the author of the original research. The vulnerability was only announced yesterday. The original researcher made it clear they were not releasing their exploit yet. They also indicated that they have an exploit for a "popular open source application".

      The person who wrote the above rushed this out to, most likely, draw attention to themselves.

      So I wouldn't rely too heavily on that research or any caveats/requirements that they mention.

      Mark.

      • Sounds very reminiscent of https://blog.ripstech.com/2016/roundcube-command-execution-via-email/ - maybe the "popular open source application" will be roundcube, not wordpress? :)

  • Does the contact form by Jetpack use a static sender e-mail address that can't be manipulated by the visitor? If that is the case is that particular plugin safe from this exploit?

    Thanks for clarifying.

    • I would definitely want to review any code that uses phpmailer on a case-by-case basis. But I'd say as a general statement: Any application that uses phpmailer and does not allow a user (registered or unregistered) to specify the sender email address, is probably not going to be affected by this.

      I haven't used that feature in Jetpack, but I'd say that if they don't allow site visitors or non-admin users to specify the sender email address, then that feature is probably safe.

      Mark.

  • Nice, yet another hole in the so called secure Wordpress. Will they ever pay attention to security instead of how the edit screen looks?

    • This isn't the WP core dev or any WP dev's fault. This is what happens when you're a really big and popular target. WP has a lot of code and a lot of plugins, themes and utilities. Of course there are going to be a lot of vulnerabilities found and occasionally exploited. The trick is to create awareness about the issues and respond quickly.

      I know the WP core team is working hard on any issues that need to be addressed - probably through the holiday. I've seen some activity on Slack indicating that.

      I'm sure any other devs who are affected are rushing to release a fix asap.

      We're doing our part and the community can help by spreading the word and creating awareness so we can all upgrade smoothly and quickly where needed and move on to something more fun and productive.

      Mark.

  • So, there were 2 "researchers"? Did either of them reach out to the responsible party for the mailer library? My initial reaction is that someone without integrity is trying to make a name for themselves. Otherwise, there wouldn't need to be any sort of scramble.

  • Thank you very much for the warning!

  • "An attacker could include shell commands in the sender email that execute malicious code on a target machine or website."

    So it affects only forms where the sender mail is input by the user ? How else would the attacker modify the sender email ?

  • The current ticket on this is:
    https://core.trac.wordpress.org/ticket/37210

    • Thanks Chris.

  • Hi Mark

    Don't you mean class-phpmailer.php, rather than class-smtp.php (i.e. https://github.com/WordPress/WordPress/blob/master/wp-includes/class-phpmailer.php)

    Nic

    • Yes, thanks. Fixed that.

  • Hi, how can I know the PHPMailer version on my WordPress? Thanks

    • If you're running the newest WordPress it is going to be a vulnerable version of PHPMailer. But WordPress should be releasing a security update soon.

      You should also know that there are no known vulnerabilities or exploits for WordPress core at this time. They're just using an old version of PHPMailer that may lead to exploitable vulnerabilities in the near future and so this is an alert to upgrade as soon as you see a new version of WordPress core released.

      For now you don't need to take any action.

      Mark.

      • Thank you :)

  • Alert generated at Tuesday 27th of December 2016 at 07:01:45 PM

    Critical Problems:

    * WordPress core file modified: wp-includes/class-phpmailer.php

    • Looks like this is a product called 'patchman' that is making these modifications. It's a security product that some hosting providers use.

      This is super aggressive and not something we would do or recommend. They've clearly rushed out a security patch and it's a duplicate of what the WP core team is about to release.

      It is also patching files that don't actually have a known exploit. Yes they use the older PHPMailer that has security issues, but we aren't aware of any exploits in the wild yet for WP core or plugins or themes.

      If you have been affected by this, I'd recommend you just 'ignore' the change in your scan results. Then wait for the WP core release which will probably overwrite those changes.

      Mark.

  • I am getting WordFence notifications for dozens of sites saying the file has been modified. Does that mean those sites have been compromised?

    Alert generated at Tuesday 27th of December 2016 at 07:29:43 PM

    Critical Problems:

    * WordPress core file modified: wp-includes/class-phpmailer.php

    Warnings:

    * The Plugin "Wordfence Security" needs an upgrade (6.2.8 -> 6.2.9).

    • Please see my reply to Michael Winn. This is probably 'patchman'.

  • Hi,

    I got this [Wordfence Alert] email couple of hours ago :-

    ---------------------------------------------------------------------
    Critical Problems:

    * WordPress core file modified: wp-includes/class-phpmailer.php

    * WordPress core file modified: wp-includes/class-smtp.php
    ---------------------------------------------------------------------

    Does that mean the WordPress released a patch and my site got updated automatically,
    or
    Should I be concerned ?

    Good job on catching this up on holidays by the way :)

    Thanks in advance.

    • Please see my reply to Michael Winn. This is probably 'patchman'.

      • Got it. Thank you.

  • It says it's sent "unescaped to a shell command", can't you just turn off shell access for all user accounts on a cpanel server to stop any attack from this particular threat (it's my hosting server, users don't need shell access anyways) or is a different kind of shell access it is using at the PHP level?

    • Correct Tommy, it is shell access at the PHP level that they're referring to. Most programming languages have a way for you to execute shell commands programmatically. Sometimes you can fool the application into executing your own shell command if you're an attacker. That usually happens if the developer hasn't escaped user input correctly that they're sending to a shell command. That is what is happening in this case.

      Mark.

      • Gotcha, I was hoping turning off all shell access would work lol... that would be too easy... :)

        • You can disable certain functions in PHP that make shell calls, but that tends to break things.

  • My hosting provider uses patchman.co (it's their own software actually) and they proactively installed a patch for this.

    • Thanks. We've seen several reports about this both here and on Twitter. Just replied to one a few minutes ago again.

  • Reports this morning that 5.2.18 is still vulnerable (up to 5.2.20)

    Can your team verify Mark?

    http://seclists.org/bugtraq/2016/Dec/54

    But good news too - https://core.trac.wordpress.org/ticket/37210

    "Presently, WordPress Core (and as a result, anything utilising wp_mail()) are unaffected by the recent disclosures, the vulnerabilities require the usage of a PHPMailer feature which WordPress & wp_mail() does not use. This applies to WordPress 4.7, 4.6.x, and all previous secure versions. A note on plugins: If plugins are correctly utilising wp_mail() they'll not be affected either, however, if a plugin is doing something wrong, the plugins team will be in contact with the plugin authors."

    • Confirmed. I posted an update to the blog post last night.

  • If exploit is using additional parameters option in mail() then it can be disabled by setting mail.force_extra_parameters in php.ini.

    • Mark/everyone - can someone confirm setting mail.force_extra_parameters in php.ini will in general avoid this issue ? Could be a solution for all platforms until updates are around ...

  • Starting to get a little cloudy for me. How, exactly, will the final fix to Wordpress core appear? All my sites getting the error message in Wordfence about Core file having changed. How will I know when/how to fix it? I thought surely by now it would have been released.

    • That's Patchman's fault. Contact your hosting provider or patchman.io. It has nothing to do with the core developers or the Wordfence team. The patchman team have released that patch which modifies your code. It's a product your hosting provider uses.

  • Restore Original? Ignore?

    WordPress core file modified: wp-includes/class-phpmailer.php
    Filename: wp-includes/class-phpmailer.php
    File type: Core
    Issue first detected: 5 hours 3 mins ago.
    Severity: Critical
    Status New
    This WordPress core file has been modified and differs from the original file distributed with this version of WordPress.

    • Ignore.

  • First, I am very impressed with Wordfence.com putting out this notice and keeping it updated in a proper timely fashion. Does anyone know if/when Wordpress will be sending out the update? I still haven't seen one come out ...

  • Tell us again how it benefits us to have legal hackers digging for issues, then making that information public before patches are developed? You left millions of sites sitting ducks, with lower level hackers beating the bushes to attack as many as possible through the hole you just published. Notoriety for finding holes also isn't such a good idea until down the road; it just makes the tech more anxious to get the word out to the public. FYI: PHPMailer has always been a concern; that should have been made common knowledge years ago. But concerns about holes should be addressed between organizations and notices distributed only as patches are released. Otherwise, we're all of a sudden liable, with no recourse.

    • Hi Debbie,

      PHPMailer is an open source project. It's not proprietary where development happens behind closed doors. The public contributes and everyone can see much of the discussion and the commits as they are added. So hackers can see the fixes as they are discussed and added and before they are released.

      Mark.

  • This is just a bunch of technical mambo jumbo info without providing any information on what attacker needs in order to exploit this vulnerability.

    What kind of access to the system they need?

    • Hi there,

      Well, I do my best to explain it in plain english, but it doesn't translate for all users. To exploit a SQL injection vulnerability an attacker needs the website to be running a vulnerable theme or plugin that has a sql injection vulnerability.

      Mark.

  • Hi Mark,

    Thanks for the info. My Wordfence plugin keeps telling me that the class-phpmailer.php file has been changed. The change does not match the one mentioned in the post above. I keep changing it back to the original one and there has not yet been a WP update... am I doing the right thing or is the changed file a fix of sorts...?

    Thanks!

    Glyn

    • That is patchman.co - I discuss that in other comments.

    • Jeez, people, you need to start reading these posts and comments!!! Guess what!? Someone already asked that.... and someone else... and then someone else. I bet Wordfence team has better things to do than replying to the same f...g question all day long!!!
      Sorry, it just sooo annoying to read the same question over and over.

      • No. Really. I have nothing better to do over the holiday season. ;-)

      • Thanks for your reply. I'm sorry if reading my comments upsets you so much. You don't have to read it, you could just skip past? The fact is that I still don't actually understand the reply or the reply to the other comments. I'm afraid that I'm a complete novice at this. I think I'll try and find some help in a friendlier and more tolerant place.

  • phpmailer has released 5.2.21. Hopefully addressing the vulnerability more comprehensively this time?

  • wordpress core lead dev statement on issue from:

    https://core.trac.wordpress.org/ticket/37210#comment:14

    (rough paste follows, see link for original)
    The WordPress Security team is aware of the PHPMailer issues. We've been in contact with the author and security researchers and discussing the fixes.
    Presently, WordPress Core (and as a result, anything utilising wp_mail()) are unaffected by the recent disclosures, the vulnerabilities require the usage of a PHPMailer feature which WordPress & wp_mail() does not use. This applies to WordPress 4.7, 4.6.x, and all previous secure versions.
    A note on plugins: If plugins are correctly utilising wp_mail() they'll not be affected either, however, if a plugin is doing something wrong, the plugins team will be in contact with the plugin authors.
    The upcoming 4.7.1 release will contain mitigation for these issues, we're committed to only shipping secure libraries with WordPress - regardless of whether we use the feature or not.
    We don't have any specific timing details to share at present, however the preparations for a 4.7.1 release was already underway when we learnt about the issues.

  • I'm the maintainer of PHPMailer, so I've been busy lately. I thought I'd drop in and answer a few of the questions posted here.

    First of all, some assurances: if you don't use user-supplied from addresses (and you shouldn't be anyway), you're not vulnerable. If you're using SMTP or sendmail (not mail()) to send, you're not vulnerable. If you're using postfix, you're safe too.

    The primary cause of the first vulnerability (CVE-2016-10033) was not taking into account that a fully functional, validated and RFC-compliant email address (as the sender address in PHPMailer is) could also be an attack string in a shell context. This has parallels with SQL injection strings - it could be entirely harmless in a shell, but lethal in an SQL context.

    This vulnerability was fixed in PHPMailer 5.2.18.

    The second vulnerability (10045) related to the interaction of PHP's shell escaping functions. This was not fixed as such (because it's a bug in PHP, not PHPMailer), but it was worked around and made safe in 5.2.20. As a side-effect, complex sender addresses will no longer work. If you need VERP addressing (the kind of thing you need complex sender addresses for), I recommend you use SMTP, which is also faster. The format of From and To addresses remain unchanged, because they have no bearing on the vulnerabilities.

    The premature posting of an exploit was unhelpful, and did result in a 'scramble', but it was not done by the researchers involved in reporting the vulns.

    The roundcube bug was the same as CVE-2016-10033 in PHPMailer. These same vulnerabilities have been found (some by the same researchers, at the same time) in other popular PHP email libraries, and I expect many applications that don't use libraries have done the same and will need to be fixed too. For example, this was just announced:

    https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html

    CVE-2016-10045 is a nasty bug with major implications, and is likely to have an impact well beyond just PHPMailer and other affected libraries.

    More background info can be found here:

    https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities
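The shell-context problem described in the post's "Vulnerable code" section (a sender address passed unescaped into a shell command) and in the maintainer's comment above (an RFC-valid address can still be a shell attack string), as an added PHP illustration. This is the editor's example, not PHPMailer's or WordPress's code; the function names, the allowlist pattern and the sample addresses are the editor's own, and the check is only modelled on the direction the maintainer describes for 5.2.20.

```php
<?php
// Editor's illustration of the PHPMailer sender-address problem; not PHPMailer's
// own code. Assumes PHP 7+ (scalar type hints, ??) and a configured mail();
// the demo at the bottom never actually sends anything.

// VULNERABLE SHAPE. A sender address taken from user input is handed to mail()'s
// fifth parameter, which PHP appends to the sendmail command line. Whatever the
// address contains is interpreted as additional sendmail arguments; that is the
// root of CVE-2016-10033.
function vulnerable_send(string $to, string $subject, string $body, string $sender): bool
{
    // An RFC-valid address is still an arbitrary string as far as a shell is concerned.
    return @mail($to, $subject, $body, "From: $sender\r\n", '-f' . $sender);
}

// Allowlist check in the spirit of the fix the maintainer describes for 5.2.20
// (editor's paraphrase, not a copy): the address may only contain characters
// that mean nothing to a shell, and escapeshellcmd() must find nothing to escape.
function is_shell_safe(string $value): bool
{
    if (escapeshellcmd($value) !== $value) {
        return false;
    }
    return (bool) preg_match('/^[A-Za-z0-9@_.\-]+$/', $value);
}

// Returns the "-f" envelope-sender parameter, or null when the address must not
// reach the shell at all. Two separate questions are asked: is it a valid e-mail
// address, and is it safe in a shell context? Only both together count.
function sender_param(string $sender): ?string
{
    if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        return null; // not a syntactically valid address
    }
    if (!is_shell_safe($sender)) {
        return null; // valid per RFC 5322, but carries shell-significant characters
    }
    // The value is already restricted to the allowlist, so it is used as-is;
    // stacking escapeshellarg()/escapeshellcmd() on top of each other is the
    // escaping-function interaction the maintainer's comment attributes to
    // CVE-2016-10045.
    return '-f' . $sender;
}

// HARDENED SHAPE: pass the envelope sender only when it is provably safe,
// otherwise fall back to sending without the extra parameter.
function hardened_send(string $to, string $subject, string $body, string $sender): bool
{
    // Strip CR/LF so the address cannot inject extra headers either.
    $headers = 'From: ' . str_replace(["\r", "\n"], '', $sender) . "\r\n";
    $param = sender_param($sender);
    if ($param === null) {
        return @mail($to, $subject, $body, $headers);
    }
    return @mail($to, $subject, $body, $headers, $param);
}

// Constructed samples: an ordinary address; an address that is fully RFC-valid
// (the apostrophe is legal in an unquoted local part) yet must never reach a
// shell; and a malformed one that fails the syntax check outright.
$samples = ['alice@example.com', "o'brien@example.com", 'bob smith@example.com'];
foreach ($samples as $s) {
    printf("%-24s valid=%-3s shell_safe=%-3s param=%s\n",
        $s,
        filter_var($s, FILTER_VALIDATE_EMAIL) !== false ? 'yes' : 'no',
        is_shell_safe($s) ? 'yes' : 'no',
        sender_param($s) ?? '(omitted)');
}
```

The second sample is the point of the maintainer's comment: a syntax-only validator accepts it, so a check on e-mail validity alone is not a check on shell safety.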

    • Thanks Marcus!

      • Thanks Marcus,

        Finally a piece of info that explains how vulnerability is exploited and what should be done to avoid it. As I figured out, the issue is totally blown out of proportion.

  • Is it likely that other "email" plugins used to enhance the standard WordPress email capabilities also expose this weakness? I'm aware of a number of such plugins used for that purpose

  • Sharing some mitigating code on the topic:

    https://github.com/areusecure/tools/blob/master/phpFilter.php

    Free to use of course..

  • Guys, here are other critical zero-day vulnerabilities in PHP
    http://www.cyberkendra.com/2016/12/php-7-suffers-from-3-critical-zero-days.html

  • Hello!
    I don't run a WordPress-Site, but I am following this Blog just to get the latest news about Vulnerabilities. So I am interested where you get the news from.

    Thanks so much in advance!!!
    Thanks for keeping us up to date!
    Thomas

  • Hi Mark, do you know when the security update will be released by WordPress? Patchman is truly annoying :).. Thanks