php imap_open RCE #10987
php imap_open RCE #10987
Conversation
| } | ||
| }) | ||
|
|
||
| /form method="post" action="index\.php\?controller=AdminCustomerThreads&token=(?<token>\w{32})/ =~ res.body |
There was a problem hiding this comment.
This way of using regular match seems to confuse me, I am not sure it is better than
res.body =~/form method="post" action="index\.php\?controller=AdminCustomerThreads&token=(?<token>\w{32})/ ?
|
Jenkins test this please |
|
Added suiteCRM today. As description update says, this is OK to land now. New PRs can be added as people find time to write in the other systems. |
|
e107 is now exploitable. Note it is a special case where |
|
Great share there @h00die ! I was wondering if there are some 3rd party softwares you've identified that uses php imap_open with no authentication required? This would be very critical. Thanks |
|
There's 108,000 lines of PHP code which reference "imap_open(": https://github.com/search?q=%22imap_open%28%22&type=Code |
|
After clicking through all of HostCMS, I'm not seeing where the admin can enter the IMAP info. I believe it has the core plumbing there, simply for use by add-on modules. I'm going to abandon it for now. |
|
@syrius01 I created a new target "custom" (no docs yet) which can be used similar to |
|
Looks like freescout-helpdesk only accepts itself, so not exploitable https://github.com/freescout-helpdesk/freescout/blob/52c763849ea1e73ced39b960d1e95fb06d264473/vendor/webklex/laravel-imap/src/IMAP/Client.php#L455 |
|
Added "Custom" target, and finished documenting it, so you can now get the string to use, and have a listener for attempts to exploit custom apps, similar to I'm most likely done now. I updated the description to incorporate all the additional findings. |
|
Wow, this is nice! I'm going to go ahead and get it into master so folks can take advantage of it. Sounds like plenty to add over time. |
Release NotesThe exploits/linux/http/php_imap_open_rce module has been added to the framework. This exploits the PHP imap_open call against various web apps, allowing for remote code execution. |
|
Based on your notes, @h00die , I am presuming you were testing the very latest PHP, PHP 7.3.0RC6 , or at least something close enough that this functionality is quite likely to be present there. In any event, the 7.3 release branch doesn't mention imap_open at all in the UPGRADING notes, so I'm assuming it's untouched. |
|
@todb-r7 I think I only tested 7.0 but will check a little later and confirm the version and try the latest and post back |
|
And @busterb just found this CVE listing: https://vulmon.com/vulnerabilitydetails?qid=CVE-2018-19518 Which says the bug is in U of W IMAP Toolkit, whatever that is, not PHP, which seems incorrect. Hmm. Will let DWF sort it out. |
|
Also original PHP bug report from months ago: https://bugs.php.net/bug.php?id=76428 |
|
Got a CVE from DWF: CVE-2018-1000859 I can edit up the module nowish to mention it. |
|
Thanks @todb-r7 that would be great. I think I may have a new target soon but can't start till my laptop gets fixed (hoping to get parts in today). |
See discussion on rapid7#10987. Now that I said that out loud, I realize that the original PR for this module is a really funny PR number.
Saw this: https://web.archive.org/web/20181118213536/https://antichat.com/threads/463395
PHP's
imap_opencall on Debian based systems can potentially be passed a parameter that is given torshwhich is mapped toSSH, which allows for RCE.I only coded based on the forum, I didn't discover this exploit or conribute to it in any way, all credit goes to twoster
Apps Reported Vulnerable:
instantcms(https://github.com/instantsoft/icms2/search?q=imap_open&unscoped_q=imap_open)imap_openin source codeHostCMS(https://github.com/HostCMS/hostcms6.free/blob/1d54bdefcd6c28918cb09dd7cb6aea404879b93f/modules/core/mail/imap.php#L140)Additional Apps Possible Vulnerable:
This is fine to land now, its VERY time consuming to install the CMS, figure out where the vuln is, write the exploit with all the darn nuances of every CMS and no core libraries (not that i think any should be added). When I get time i'll add them to here until it lands. After that i'll just make new PRs.
@todb-r7 I didn't see a CVE, but maybe you have more insight? According to https://danwin1210.me this was leaked on Nov 14th.
Verification
See docs