ly1g3/Mailcow-CVE-2022-31138
Mailcow CVE-2022-31138

RCE and Domain Admin privilege escalation for Mailcow. POC for CVE-2022-31245 can be modified to work with this vulnerability.

Reported and fixed: 2022-06

Code Injection, RCE

Type: Code Injection (CWE-94), RCE, Domain Takeover
Affected versions: at least 2019 - 2022-06a

A flaw exists in all recent Mailcow versions where a regular user of the system can exploit the "Sync Job" feature to gain a shell through Perl code injection in any of imapsync's regex fields. Using this exploit, an attacker can then easily pivot to the database and escalate privileges to the "Domain Admin" role in Mailcow.

This exploit is persistent by default, since Sync Jobs run on a timer.

This exploit compromises the entire Mailcow instance. Tested and working on the latest release as of 2022-06a.

Technical overview

Almost all regex expressions in imapsync are evaluated using Perl's eval function, which is highly unsafe when the parameters come from user input. As an example, here is how --regexmess is parsed in imapsync (line 14213):

sub regexmess
{
        my ( $string ) = @_ ;
        foreach my $regexmess ( @regexmess ) {
                $sync->{ debug } and myprint( "eval \$string =~ $regexmess\n" ) ;
                # $regexmess is interpolated into Perl source text and then
                # evaluated, so whatever reaches it is executed as Perl code.
                my $ret = eval "\$string =~ $regexmess ; 1" ;
                # (remainder of the loop body not reproduced here)
        }
        # (remainder of the subroutine not reproduced here)
}

In Mailcow, $regexmess is user-controlled input.

The following imapsync flags (there may be more) can be used to achieve code execution:

--regexmess
--skipmess
--regexflag
--delete2foldersonly
--delete2foldersbutnot
--regextrans2
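
Because every one of these options hands its value to eval, a defender should treat their mere presence in a sync job's Custom Parameters as a finding. The following Python is an added example (not code from this advisory or from Mailcow) that audits stored Custom Parameters strings for these options in both `--opt=value` and `--opt value` form, and for escape constructs that have no place in a legitimate value; the `id`/`user2`/`custom_params` column names and the sample rows are assumptions.

```python
"""Audit Mailcow sync-job Custom Parameters for imapsync options that reach Perl eval."""
import re
import shlex

# Options the advisory lists as reaching eval inside imapsync (list may be incomplete).
EVAL_OPTIONS = {
    "regexmess", "skipmess", "regexflag",
    "delete2foldersonly", "delete2foldersbutnot", "regextrans2",
}
# Constructs that point at code injection rather than a plain option value:
# backticks, Perl \x{...} escapes, shell $( ... ).
SUSPICIOUS = re.compile(r"`|\\x\{[0-9a-fA-F]+\}|\$\(")


def eval_options_used(custom_params):
    """Return (option, value) pairs for eval-backed options. Handles '--opt=value'
    and '--opt value'; Getopt::Long also accepts a single dash and ignores case."""
    try:
        tokens = shlex.split(custom_params, posix=False)   # keep quotes/backslashes verbatim
    except ValueError:                                     # unbalanced quotes
        tokens = custom_params.split()
    found, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        name, sep, value = tok.lstrip("-").partition("=")
        if tok.startswith("-") and name.lower() in EVAL_OPTIONS:
            if not sep and i + 1 < len(tokens):            # '--opt value' form
                value = tokens[i + 1]
                i += 1
            found.append((name.lower(), value))
        i += 1
    return found


def validate_custom_params(custom_params):
    """Accept only strings that use none of the eval-backed options and contain
    no escape constructs. Returns (ok, reasons)."""
    reasons = [f"eval-backed option --{opt} with value {val!r}"
               for opt, val in eval_options_used(custom_params)]
    m = SUSPICIOUS.search(custom_params)
    if m:
        reasons.append(f"suspicious construct {m.group(0)!r}")
    return (not reasons, reasons)


def audit_sync_jobs(rows):
    """rows: dicts with 'id', 'user2', 'custom_params' (assumed column names).
    Returns (id, user2, reasons) for every job that fails validation."""
    findings = []
    for r in rows:
        ok, reasons = validate_custom_params(r.get("custom_params") or "")
        if not ok:
            findings.append((r["id"], r["user2"], reasons))
    return findings


SAMPLE_JOBS = [  # constructed sample rows, not real data
    {"id": 1, "user2": "alice@example.test", "custom_params": "--debug --nosslcheck"},
    {"id": 2, "user2": "mallory@example.test",
     "custom_params": "--debug --nosslcheck --regexmess=`touch\\x{0020}test.txt`"},
    {"id": 3, "user2": "bob@example.test", "custom_params": "-skipmess s/foo/bar/"},
]
```

Run `audit_sync_jobs(SAMPLE_JOBS)` against rows pulled from the imapsync table to list every job whose parameters should be reviewed and removed.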

The vulnerability can be recreated using the steps below.

Gaining shell:

  1. Go to the Mailcow login page (not SOGo)
  2. Login as a regular user
  3. Go to Sync Jobs
  4. Set the following values: hostname=MAILCOW_IP, Port=IMAP_PORT, Username=CURRENT_USER, Password=CURRENT_PASS, Encryption=PLAIN, Interval=1, Active=Check, Custom Parameters=--debug --nosslcheck --regexmess=PERL_CODE, where "Custom Parameters" is the important field. PERL_CODE can be arbitrary Perl code.
  5. Press save and wait 1 minute for the command to execute.

Custom Parameters example payload:

--debug --nosslcheck --regexmess=`touch\x{0020}test.txt`

PERL_CODE cannot contain spaces, quotes or slashes; use \x{0020} instead of a space. Use ` to run shell commands.

Privilege Escalation:

Follow the same steps as in CVE-2022-31245.
