Low
CVE-2018-19518
CVE-2018-19518
Description
University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a “-oProxyCommand” argument.
Add Assessment
Technical Analysis
The imap_open function within php, if called without the /norsh flag, will attempt to preauthenticate an IMAP session. On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary. Ssh’s ProxyCommand option can be passed from imap_open to execute arbitrary commands.
The execution flow of this, on Debian systems is as such:
- PHP
imap_openviarsh
rshaliased tossh
- SSH’s
ProxyCommandRCE
There were some other nuances, such as not allowing spaces ($IFS$() is OK). Typical execution of this at the SSH side was to base64 encode the payload and pipe it to bash: "-oProxyCommand=`echo #{enc_payload}|base64 -d|bash`".
The trick is finding where a webapp calls the imap_open functionality. Typically this is in a higher privileged part of the webapp, since it could be destructive (such as disabling notifications). Some webapps seem to include the function call, but never call the function which uses it (maybe there for plugins to use?).
CVSS V3 Severity and Metrics
General Information
Vendors
- canonical,
- debian,
- php,
- uw-imap project
Products
- debian linux 8.0,
- debian linux 9.0,
- php,
- ubuntu linux 16.04,
- ubuntu linux 18.04,
- ubuntu linux 19.04,
- uw-imap 2007f
Metasploit Modules
References
Advisory
Miscellaneous
