
List:       oss-security
Subject:    Re: [oss-security] PHP imap_open() script injection
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2018-11-25 13:30:06
Message-ID: 20181125133006.GA3680 () eldamar ! local

Hi,

On Thu, Nov 22, 2018 at 09:02:14PM +0100, Hanno Böck wrote:
> Hi,
> 
> This was apparently posted on some Russian forum recently and then
> re-posted to GitHub:
> https://antichat.com/threads/463395/#post-4254681
> https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php
> 
> PoC code:
> $server = "x -oProxyCommand=echo\tZWNobyAnMTIzNDU2Nzg5MCc+L3RtcC90ZXN0MDAwMQo=|base64\t-d|sh}";
> imap_open('{'.$server.':143/imap}INBOX', '', '') or die("\n\nError: ".imap_last_error());
> 
> It's pretty self explaining, it seems imap_open() will pass things to
> ssh and this is vulnerable to a shell injection.
> 
> Impact would be mostly relevant if someone has some imap functionality
> where a user can define a custom imap server. (Though it might also be
> used as a bypass for environments where exec() and similar functions
> are restricted.)
> 
> I reported it to upstream PHP a few days ago, it was closed as a
> duplicate, so it seems they already knew about it. It's unfixed in
> current versions.

CVE-2018-19518 has been assigned by MITRE for this issue.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19518

Regards,
Salvatore
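
The quoted report notes that the impact is greatest where a user can define a custom IMAP server. The following is an added example, not code from the thread or from PHP, showing one way to allowlist such a value before it is placed in the mailbox string given to imap_open(). The helper name safe_imap_mailbox() is hypothetical and the sample inputs are constructed.

```php
<?php
// Added example, not code from the thread or from PHP itself.
// safe_imap_mailbox() is a hypothetical helper name.

function safe_imap_mailbox(string $host, int $port = 143): string
{
    // One DNS label: letters, digits, inner hyphens only. This excludes
    // whitespace, '=', '|', '{', '}' and a leading '-', so nothing in the
    // host can be read as an option or as shell syntax further down.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $pattern = '/\A' . $label . '(?:\.' . $label . ')*\z/';

    // \A and \z anchor the whole string; '$' would allow a trailing newline.
    if (strlen($host) > 253 || preg_match($pattern, $host) !== 1) {
        throw new InvalidArgumentException('rejected IMAP host');
    }
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException('rejected IMAP port');
    }
    // Only now build the mailbox string that would go to imap_open().
    return '{' . $host . ':' . $port . '/imap}INBOX';
}

// Constructed sample inputs; the second has the shape of the PoC value,
// with a placeholder where the encoded payload was.
$samples = [
    'mail.example.org',
    "x -oProxyCommand=echo\tPLACEHOLDER|base64\t-d|sh}",
    '-mail.example.org',
    "mail.example.org\n",
    'mail.example.org:143/imap}INBOX',
];

foreach ($samples as $host) {
    try {
        echo 'accept: ', safe_imap_mailbox($host), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'reject: ', json_encode($host), "\n";
    }
}
```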