The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer before 5.4.5 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address in the (1) From, (2) ReturnPath, or (3) Sender header.
Swift Mailer versions prior to 5.4.5 contain a critical remote code execution (RCE) flaw in the mail transport. An attacker who controls the address placed in the From, ReturnPath or Sender header can inject additional parameters into the invocation of the system mail command, leading to arbitrary code execution on the server. Successful exploitation allows for complete system compromise and data exfiltration.
Step 1: Payload Delivery: The attacker crafts an email with a malicious email address in the From, ReturnPath, or Sender header. This address includes a backslash-escaped double quote (\") followed by shell commands (e.g., \" ; whoami;).
Step 2: Header Injection: The crafted address is accepted by an application that sends mail with the vulnerable Swift Mailer library, so it ends up in one of those headers of an outgoing message.
Step 3: Mail Command Invocation: The Swift Mailer library processes the email and, when sending it using the mail transport, constructs the command to invoke the mail command-line utility.
Step 4: Command Execution: Due to the lack of proper sanitization, the injected shell commands within the email address are passed as arguments to the mail command. The mail command executes these commands.
Step 5: Code Execution: The attacker's injected commands are executed on the server, allowing for arbitrary code execution and potential system compromise.
The vulnerability stems from insufficient input validation within the Swift_Transport_MailTransport class. Specifically, the code fails to properly sanitize email addresses provided in the From, ReturnPath, and Sender headers before passing them to the mail command. The use of a backslash-escaped double quote (\") in a crafted email address allows attackers to inject arbitrary shell commands. The mail command, when invoked with the crafted address, interprets the injected commands as arguments, leading to their execution. The root cause is a lack of proper escaping or filtering of user-supplied data before it is used in a system call. This is a classic example of a command injection vulnerability.
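The kind of allowlist check a mail transport can apply to the sender address before it is substituted into the mail command's -f option, as an added example that is not Swift Mailer's own code; it assumes the transport keeps an extra-parameter template such as "-f%s", and the crafted address below is a constructed sample shaped like the header value described above.

```php
<?php
// Allowlist check for the reverse-path (envelope sender) address before it is
// substituted into the mail command's "-f" option. Added example, not Swift
// Mailer's own code; assumes the transport keeps an extra-parameter template
// such as "-f%s" and fills it with the address.

// Accept only bytes that are alphanumeric or one of "@_-.". PHP's mail() runs
// escapeshellcmd() over its extra parameters, but that function leaves paired
// quotes alone, which is how a quoted local part containing \" still reaches
// the shell; an allowlist sidesteps quoting rules altogether.
function isShellSafeAddress(string $s): bool
{
    if ($s === '' || escapeshellcmd($s) !== $s) {
        return false;
    }
    $n = strlen($s);
    for ($i = 0; $i < $n; $i++) {
        $c = $s[$i];
        if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
            return false;
        }
    }
    return true;
}

// Build the fifth argument of mail(). A reverse path that fails the allowlist
// is not escaped and retried: the -f option is dropped, so the message still
// goes out with the MTA's default envelope sender and nothing reaches the shell.
function buildExtraParams(string $template, string $reversePath): ?string
{
    if (strpos($template, '-f%s') !== false) {
        $template = isShellSafeAddress($reversePath)
            ? sprintf($template, $reversePath)
            : trim(str_replace('-f%s', '', $template));
    }
    return $template !== '' ? $template : null;
}

// Constructed sample inputs: a normal address and one shaped like the header
// value described above (quoted local part containing \" ; whoami;).
$benign  = 'alice@example.org';
$crafted = '"alice\" ; whoami;"@example.org';

if (buildExtraParams('-f%s', $benign) !== '-f' . $benign) {
    throw new RuntimeException('benign address must pass through unchanged');
}
if (buildExtraParams('-f%s', $crafted) !== null) {
    throw new RuntimeException('crafted address must not reach the shell');
}
echo "allowlist check behaves as expected\n";
```

Dropping the -f option for a rejected address is a deliberate fail-safe: the alternative of escaping and retrying keeps the application reasoning about shell quoting, which is exactly what went wrong here.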