Attacker Value
Low
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network
0

CVE-2018-19518

Disclosure Date: November 25, 2018
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a “-oProxyCommand” argument.

Add Assessment

1
Ratings
  • Attacker Value
    Low
  • Exploitability
    Medium
Technical Analysis

The imap_open function within php, if called without the /norsh flag, will attempt to preauthenticate an IMAP session. On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary. Ssh’s ProxyCommand option can be passed from imap_open to execute arbitrary commands.
The execution flow of this, on Debian systems is as such:

  1. PHP imap_open via rsh
  2. rsh aliased to ssh
  3. SSH’s ProxyCommand RCE

There were some other nuances, such as not allowing spaces ($IFS$() is OK). Typical execution of this at the SSH side was to base64 encode the payload and pipe it to bash: "-oProxyCommand=`echo #{enc_payload}|base64 -d|bash`".

The trick is finding where a webapp calls the imap_open functionality. Typically this is in a higher privileged part of the webapp, since it could be destructive (such as disabling notifications). Some webapps seem to include the function call, but never call the function which uses it (maybe there for plugins to use?).

CVSS V3 Severity and Metrics
Base Score:
7.5 High
Impact Score:
5.9
Exploitability Score:
1.6
Vector:
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
High
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

References

Additional Info

Technical Analysis