ID AKB:35CB145F-3B4B-4C42-B848-F9CC0CF6A503
Type attackerkb
Reporter AttackerKB
Modified 2020-07-30T05:01:40


University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.

Recent assessments:

h00die at 2020-03-25T00:59:58.868978Z reported: The imap_open function within PHP, if called without the /norsh flag, will attempt to preauthenticate an IMAP session. On Debian-based systems, including Ubuntu, rsh is mapped to the ssh binary. SSH's ProxyCommand option can be passed from imap_open to execute arbitrary commands. The execution flow of this, on Debian systems, is as follows:

  1. PHP imap_open via rsh
  2. rsh aliased to ssh
  3. SSH's ProxyCommand RCE

There were some other nuances, such as not allowing spaces ($IFS$() is OK). Typical execution of this at the SSH side was to base64-encode the payload and pipe it to bash: "-oProxyCommand=`echo #{enc_payload}|base64 -d|bash`".

The trick is finding where a webapp calls the imap_open functionality. Typically this is in a higher privileged part of the webapp, since it could be destructive (such as disabling notifications). Some webapps seem to include the function call, but never call the function which uses it (maybe there for plugins to use?).

Assessed Attacker Value: 2
Assessed Exploitability: 3
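Putting the description and the assessment above into code, as an added example that is not part of the AttackerKB page, of PHP or of c-client: a vulnerable imap_open() mailbox builder beside a hardened one, plus a simplified model of the rsh/ssh command line c-client assembles, which is where the "no spaces" nuance comes from. The constant and helper names (EVIL_HOST, mailbox_vulnerable, is_safe_host, mailbox_hardened, rsh_argv), the placeholder base64 blob and the exact command-line layout modelled in rsh_argv are this example's own assumptions.

```php
<?php
// Added example (not code from the AttackerKB page, PHP or c-client).
// The helper names, EVIL_HOST and the command layout in rsh_argv() are
// this example's own assumptions.

// Constructed attacker input in the shape the assessment describes: an ssh
// option smuggled in as the "server name", with $IFS$() in place of spaces
// so it survives space tokenization as a single argv entry. The base64 blob
// is a harmless placeholder ("AAA"), not a real payload.
const EVIL_HOST = '-oProxyCommand=`echo$IFS$()QUFB|base64$IFS$()-d|bash`';

// Vulnerable pattern: the untrusted host is interpolated straight into the
// mailbox string and rsh/ssh preauthentication is left enabled (no /norsh).
function mailbox_vulnerable(string $host, int $port = 143): string
{
    return '{' . $host . ':' . $port . '/imap}INBOX';
}

// Accept only an RFC 1123 hostname (labels of letters, digits and interior
// hyphens) or an IPv4 literal. A label may not start with '-', so an
// injected ssh option can never pass, and $, `, | and ( are rejected too.
function is_safe_host(string $host): bool
{
    if (strlen($host) > 253) {
        return false;
    }
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return true;
    }
    return preg_match(
        '/^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i',
        $host
    ) === 1;
}

// Hardened pattern: validate first, then add /norsh so c-client never spawns
// rsh/ssh even if validation were somehow bypassed. (On PHP >= 7.1.25,
// 7.2.13 and 7.3.0 rsh is additionally off unless imap.enable_insecure_rsh=1.)
function mailbox_hardened(string $host, int $port = 993): string
{
    if (!is_safe_host($host)) {
        throw new InvalidArgumentException('refusing non-hostname IMAP server: ' . $host);
    }
    return '{' . $host . ':' . $port . '/imap/ssl/norsh}INBOX';
}

// Simplified model (an assumption, not c-client's exact code) of the command
// tcp_aopen() builds, "<rsh> <host> -l <user> exec /etc/rimapd", split on
// spaces into argv. A host containing a literal space is broken into several
// argv entries, while $IFS$() keeps the whole option in argv[1], which is the
// position ssh parses as an option when rsh is really ssh.
function rsh_argv(string $host, string $user, string $rsh = '/usr/bin/rsh'): array
{
    $cmd = sprintf('%s %s -l %s exec /etc/rimapd', $rsh, $host, $user);
    return preg_split('/ +/', $cmd);
}

// Demonstration on the constructed input.
$argv = rsh_argv(EVIL_HOST, 'foo');
printf("argv[1] handed to rsh/ssh: %s\n", $argv[1]);
printf("vulnerable mailbox string: %s\n", mailbox_vulnerable(EVIL_HOST));

var_dump(is_safe_host('imap.example.com'));
var_dump(is_safe_host(EVIL_HOST));
var_dump(is_safe_host('x -oProxyCommand=x'));

try {
    mailbox_hardened(EVIL_HOST);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo 'hardened mailbox string: ', mailbox_hardened('imap.example.com'), "\n";
```

The script runs under the php CLI without ext/imap because it only builds the mailbox argument and never calls imap_open(); in real code the hardened builder's output is what gets passed to imap_open(). Validation and /norsh are deliberately both present: the allowlist stops the injected option at the web layer, and /norsh removes the rsh/ssh code path in c-client entirely, which also covers the case where the server name is trusted but rsh on the host has been replaced by ssh.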