The operators of the Locky ransomware are taking advantage of flaws in Web-to-email PHP scripts to deliver their malware.
During a mid-July spam campaign, the group behind the Locky ransomware found a vulnerability in a PHP-based Web-to-email service, which they used to make other people’s servers do all the dirty work for them, said researchers on Cisco’s OpenDNS team.
The vulnerability allowed the Locky developers to brute-force the Web form and make it send a message, with the payload attached, to an email address of their choosing.
At the core of the issue was a vulnerability in a PHP contact form script, Brad Antoniewicz, the OpenDNS researcher who found the campaign and its mode of operation, said in a blog post.
“The key security mechanism in these scripts is that you (the site owner) define the destination email on the server side which is inaccessible to the web visitor. You can also statically define content, the email subject, and virtually every other component of the email itself, but the big obvious risk is mostly mitigated by defining the destination address, server side,” Antoniewicz said.
“This all falls apart when the web-to-email form does something lazy,” he said.
The application takes every key/value pair POST’ed by the visitor and assigns each key as a PHP variable populated by its corresponding value.
“On the surface this might not be too bad if there are not any overlapping POST parameters with PHP variables; however, since we don’t have strict control over the data POST’ed by the user, the application is severely vulnerable to attack,” he said.
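The pattern Antoniewicz describes, as an added illustration that is not the vendor's script: a "lazy" handler that turns every POSTed key into a PHP variable, beside a hardened rewrite that reads only an allowlist of fields. Both functions return the prepared mail parameters instead of calling mail(), so the effect of a request can be inspected offline; the addresses and the sample request are constructed for the example.

```php
<?php
// Vulnerable: every POSTed key becomes a local variable (the same effect as
// extract($_POST) or the old register_globals), so a field named "to" replaces
// the destination address the site owner configured on the server side.
function lazy_form(array $post): array
{
    $to      = 'owner@example.com';      // hypothetical, meant to be fixed server-side
    $subject = 'Website contact';
    $name = $comment = '';
    foreach ($post as $key => $value) {  // the flaw: no allowlist of field names
        $$key = $value;
    }
    return ['to' => $to, 'subject' => $subject, 'body' => "From: $name\n\n$comment"];
}

// Hardened: read only the fields the form defines, keep the destination out of
// reach of the request, and strip CR/LF from any value placed in a mail header.
function safe_form(array $post): array
{
    $destination = 'owner@example.com';  // hypothetical; never taken from $post
    $fields = [];
    foreach (['name', 'email', 'comment'] as $field) {   // explicit allowlist
        $fields[$field] = isset($post[$field]) ? (string) $post[$field] : '';
    }
    if (!filter_var($fields['email'], FILTER_VALIDATE_EMAIL)) {
        return ['error' => 'invalid sender address'];
    }
    $headerSafe = fn(string $v): string => str_replace(["\r", "\n"], ' ', $v);
    $name  = $headerSafe($fields['name']);
    $reply = $headerSafe($fields['email']);
    return [
        'to'      => $destination,
        'subject' => 'Website contact',
        'headers' => 'Reply-To: ' . $reply,
        'body'    => "From: $name\n\n{$fields['comment']}",
    ];
}

// Constructed sample request: a normal submission carrying an extra "to" field.
$request = [
    'name'    => 'Alice',
    'email'   => 'alice@example.net',
    'comment' => 'Hello',
    'to'      => 'someone-else@example.org',
];
var_dump(lazy_form($request)['to']);   // destination taken from the request
var_dump(safe_form($request)['to']);   // destination stays as configured
```

Comparing the two outputs shows the whole bug: the lazy handler mails to whatever address the visitor supplied, while the allowlisted handler ignores the extra field.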
The same kind of vulnerability has been found and reported in other products in the past, but not in this specific script. Nevertheless, its owners have inadvertently addressed the security bug in subsequent updates.
“[W]e were unable to find any publicly reported instances of these vulnerabilities in the specific PHP webforms we saw being abused,” Antoniewicz said.
“We did reach out to the vendor(s) we could identify, requesting contact information, but received no reply to date and thus we’re choosing not to identify the specific applications containing the vulnerabilities. Updating to the latest version of your PHP web-to-email form should fix the issue.”