CVE-2018-19518

Published: 25/11/2018 Updated: 24/08/2020
CVSS v2 Base Score: 8.5 | Impact Score: 10 | Exploitability Score: 6.8
CVSS v3 Base Score: 7.5 | Impact Score: 5.9 | Exploitability Score: 1.6
VMScore: 892
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C

Vulnerability Summary

University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote malicious users to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.

Vulnerable Products

php: php

debian: debian linux 8.0

debian: debian linux 9.0

uw-imap project: uw-imap 2007f

Vendor Advisories

Debian Bug report logs - #913775 php73-imap: CVE-2018-19518: imap_open() function command injection. Package: php73-imap; Maintainer for php73-imap is Debian PHP Maintainers <team+pkg-php@tracker.debian.org>; Source for php73-imap is src:php73 (PTS, buildd, popcon). Reported by: rhns <vulns@rhns.eu>. Date: Thu, 15 ...
UW IMAP could be made to execute programs if it received specially crafted input ...
University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if t ...
IBM has released the following fixes for IBM Lotus Protector for Mail Security in response to CVE-2018-19518 ...
ext/imap/php_imap.c in PHP 5.x and 7.x before 7.3.0 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty string in the message argument to the imap_mail function (CVE-2018-19935). University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launc ...
Multiple security issues were found in PHP, a widely-used open source general purpose scripting language: The EXIF module was susceptible to denial of service/information disclosure when parsing malformed images, the Apache module allowed cross-site-scripting via the body of a "Transfer-Encoding: chunked" request and the IMAP extension performed in ...
Oracle Solaris Third Party Bulletin - January 2019 Description The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Criti ...

Mailing Lists

Debian Security Advisory DSA-4353-1 - security@debian.org, www.debian.org/security/ - Moritz Muehlenhoff, December 10, 2018 - www.debian.org/security/faq ...

Metasploit Modules

php imap_open Remote Code Execution

The imap_open function within PHP, if called without the /norsh flag, will attempt to preauthenticate an IMAP session. On Debian based systems, including Ubuntu, rsh is mapped to the ssh binary. SSH's ProxyCommand option can be passed from imap_open to execute arbitrary commands. While many custom applications may use imap_open, this exploit works against the following applications: e107 v2, PrestaShop, SuiteCRM, as well as Custom, which simply prints the exploit strings for use. PrestaShop exploitation requires the admin URI and administrator credentials. SuiteCRM/e107 require administrator credentials. Fixed in PHP 5.6.39.

msf > use exploit/linux/http/php_imap_open_rce
msf exploit(php_imap_open_rce) > show targets
    ...targets...
msf exploit(php_imap_open_rce) > set TARGET <target-id>
msf exploit(php_imap_open_rce) > show options
    ...show and set options...
msf exploit(php_imap_open_rce) > exploit

Github Repositories

some works on CVE-2018-19518

CVE-2018-19518 latest report here: gitlab.com/ensimag-security/CVE-2018-19518/-/jobs/artifacts/master/raw/rapport.pdf?job=PDF Usage: run app docker-compose up -d. Example normal usage for the web app: imap: webmail.grenoble-inp.org user: prenomnom@grenoble-inp.org password: xxx. Exploit using echo '1234567890'>/tmp/test0001 POST / HTTP/1.1 Host: yo ...

Dorks for Google, Shodan and BinaryEdge

Dorks are cool. Dorks for Google, Shodan and BinaryEdge. Only for use on bug bounty programs or in coordination with a legal security assessment. I am in no way responsible for the usage of these search queries. Be responsible, thanks - www.bugcrowd.com/resource/what-is-responsible-disclosure/ This repository is "under construction"; feel free to make pull requests.

python-poc

poc--exp: a personal collection of commonly used penetration-testing PoCs. CVE-2014-4113 Windows 64-bit local privilege escalation vulnerability; CVE-2014-4878 Hikvision RCE vulnerability; CVE-2017-0143 EternalBlue vulnerability; CVE-2017-0474 Android Mediaserver RCE; CVE-2017-0641 Google Android Media framework remote code execution vulnerability; CVE-2017-11882 Office remote code execution vulnerability; CVE-2017-13156 Android Janus vulnerability; CVE-2017-5753 Intel side-channel attack vulnerability; CVE-2017-7269

Collection of commonly used penetration-testing PoCs

pigat (Passive Intelligence Gathering Aggregation Tool)

Pigat: a passive information gathering aggregation tool. Foreword: Pigat (Passive Intelligence Gathering Aggregation Tool) gathers information about a target passively by crawling the results that third-party websites, such as ICP registration lookup sites and subdomain lookup sites, return for the target URL. The original motivation for developing this tool was that, when using some third-party websites to gather target information ...

PoC in GitHub 2020. CVE-2020-0014: It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable. This could lead to a local escalation of privilege with no additional execution privileges needed. User action is needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9, Android-10. Android ID: A-1286745 ...

PoC auto collect from GitHub.

PoC in GitHub 2020. CVE-2020-0022: In reassemble_and_dispatch of packet_fragmenter.cc, there is a possible out of bounds write due to an incorrect bounds calculation. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9, Andr ...