CVE-2018-19518

PHP imap_open - Remote Code Execution

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.

La versión 2007f de University of Washington IMAP Toolkit en UNIX, tal y como se utiliza en imap_open() en PHP y otros productos, lanza un comando rsh (por medio de la función imap_rimap en c-client/imap4r1.c y la función tcp_aopen en osdep/unix/tcp_unix.c) sin prevenir una inyección de argumentos. Esto podría permitir a los atacantes remotos ejecutar comandos arbitrarios del sistema operativo si el nombre del servidor IMAP son entradas no fiables (por ejemplo, si son introducidos por un usuario de una aplicación web) y si rsh ha sido reemplazado por un programa con semánticas de argumentos diversas. Por ejemplo, si rsh es un enlace a ssh (como es el caso de los sistemas Debian y Ubuntu), el ataque puede utilizar un nombre del servidor IMAP que contenga un argumento "-oProxyCommand".

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-11-25 CVE Reserved
2018-11-25 CVE Published
2019-01-14 First Exploit
2024-04-17 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CAPEC

References (21)

URL	Tag	Source
http://www.securityfocus.com/bid/106018	Broken Link
http://www.securitytracker.com/id/1042157	Broken Link
https://bugs.debian.org/913775	Mailing List
https://bugs.debian.org/913835	Mailing List
https://bugs.debian.org/913836	Mailing List
https://git.php.net/?p=php-src.git%3Ba=commit%3Bh=e5bfea64c81ae34816479bb05d17cdffe45adddb	X_refsource_confirm
https://lists.debian.org/debian-lts-announce/2018/12/msg00006.html	Mailing List
https://lists.debian.org/debian-lts-announce/2019/03/msg00001.html	Mailing List
https://lists.debian.org/debian-lts-announce/2021/12/msg00031.html	Mailing List
https://security.netapp.com/advisory/ntap-20181221-0004	Third Party Advisory

URL	Date	SRC
https://www.exploit-db.com/exploits/45914	2024-08-05
https://github.com/ensimag-security/CVE-2018-19518	2019-01-14
https://antichat.com/threads/463395/#post-4254681	2024-08-05
https://bugs.php.net/bug.php?id=76428	2024-08-05
https://bugs.php.net/bug.php?id=77153	2024-08-05
https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php	2024-08-05
https://www.openwall.com/lists/oss-security/2018/11/22/3	2024-08-05

URL	Date	SRC

URL	Date	SRC
https://bugs.php.net/bug.php?id=77160	2023-11-07
https://security.gentoo.org/glsa/202003-57	2023-11-07
https://usn.ubuntu.com/4160-1	2023-11-07
https://www.debian.org/security/2018/dsa-4353	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Php Search vendor "Php"		Php Search vendor "Php" for product "Php"				>= 5.6.0 <= 5.6.38 Search vendor "Php" for product "Php" and version " >= 5.6.0 <= 5.6.38"		-		Affected
Php Search vendor "Php"		Php Search vendor "Php" for product "Php"				>= 7.0.0 <= 7.0.32 Search vendor "Php" for product "Php" and version " >= 7.0.0 <= 7.0.32"		-		Affected
Php Search vendor "Php"		Php Search vendor "Php" for product "Php"				>= 7.1.0 <= 7.1.24 Search vendor "Php" for product "Php" and version " >= 7.1.0 <= 7.1.24"		-		Affected
Php Search vendor "Php"		Php Search vendor "Php" for product "Php"				>= 7.2.0 <= 7.2.12 Search vendor "Php" for product "Php" and version " >= 7.2.0 <= 7.2.12"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Uw-imap Project Search vendor "Uw-imap Project"		Uw-imap Search vendor "Uw-imap Project" for product "Uw-imap"				2007f Search vendor "Uw-imap Project" for product "Uw-imap" and version "2007f"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		esm		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				19.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "19.04"		-		Affected