7.5 High
CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
8.5 High
CVSS2
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:M/Au:S/C:C/I:C/A:C
University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.
Recent assessments:
h00die at March 25, 2020 12:59am UTC reported:
The imap_open function within php, if called without the /norsh flag, will attempt to preauthenticate an IMAP session. On Debian-based systems, including Ubuntu, rsh is mapped to the ssh binary. Ssh's ProxyCommand option can be passed from imap_open to execute arbitrary commands.
The execution flow of this, on Debian systems, is as such:
PHP imap_open via rsh -> rsh aliased to ssh -> SSH's ProxyCommand -> RCE
There were some other nuances, such as not allowing spaces ($IFS$() is OK). Typical execution of this at the SSH side was to base64 encode the payload and pipe it to bash: "-oProxyCommand=echo #{enc_payload}|base64 -d|bash".
The trick is finding where a webapp calls the imap_open functionality. Typically this is in a higher privileged part of the webapp, since it could be destructive (such as disabling notifications). Some webapps seem to include the function call, but never call the function which uses it (maybe there for plugins to use?).
Assessed Attacker Value: 2
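The root cause described above is that a user-controlled IMAP server name reaches rsh/ssh as an argument. As a defensive illustration added here (not code from the advisory, from PHP, or from the assessor), the following helper shows how an application should build the imap_open() mailbox string: allow-list the host and port, and always add the /norsh flag mentioned in the assessment so c-client never tries the rsh path at all. The function name safe_imap_mailbox and the form field names are hypothetical.

```php
<?php
// Added example: construct an imap_open() mailbox spec from untrusted input
// safely. Two independent controls are applied:
//   1. strict allow-list validation of host and port (rejects "-o..." options,
//      spaces, "$IFS$()", braces and every other option- or shell-looking byte);
//   2. the /norsh flag, so the preauthenticated rsh/ssh path is never taken.
// Assumption: the web app lets users pick an IMAP server and has no legitimate
// need for rsh preauthentication (a web app never does).

function safe_imap_mailbox(string $host, int $port = 993): string
{
    // RFC 1123 hostname labels: alphanumerics and inner hyphens only.
    // A label cannot start with "-", so "-oProxyCommand=..." is rejected
    // by the same rule that rejects spaces, "$", "(", ")", "{", "}", etc.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (strlen($host) > 253 || !preg_match("/^$label(?:\\.$label)*\$/", $host)) {
        throw new InvalidArgumentException('invalid IMAP host');
    }
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException('invalid IMAP port');
    }
    // /norsh tells c-client not to attempt rsh preauthentication. Keep it
    // even though the host is validated: defence in depth costs nothing here.
    return sprintf('{%s:%d/imap/ssl/norsh}INBOX', $host, $port);
}

// Usage with constructed request values (hypothetical field names):
$host = (string)($_POST['imap_host'] ?? '');
$port = (int)($_POST['imap_port'] ?? 993);
try {
    $mailbox = safe_imap_mailbox($host, $port);
    // $imap = imap_open($mailbox, $user, $password, 0, 1);
} catch (InvalidArgumentException $e) {
    // Log and reject; do not fall back to the raw user value.
    error_log('rejected IMAP server spec: ' . $e->getMessage());
}
```

Validating against a hostname allow-list is the only robust option here: blocking individual characters such as spaces fails, as the $IFS$() note above shows.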