I don't recall seeing this mentioned on this list.
   https://nvd.nist.gov/vuln/detail/CVE-2018-19518
University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.
This CVE was published in November.  It just came to my attention now and I'm trying to understand whether there is an actual exploit possible against the UW-IMAP server (versus only against other programs that might use the UW IMAP toolkit in a way that is unsafe).

The description of the Metasploit exploit for this does NOT mention UW-IMAP as a vulnerable application, nor is it described as not vulnerable.

Has anyone else looked at this in detail and can give us some guidance as to what you've found? What I'm hoping for is an analysis that confirms or denies this vulnerability for the UW-IMAP server.

----------
When looking around, I saw these other pages about ways one might attack IMAP.
This is NOT a comprehensive list.  Just what I ran across.

Testing for command injection
  https://www.owasp.org/index.php/Testing_for_IMAP/SMTP_Injection_(OTG-INPVAL-011)
  http://www.webappsec.org/projects/articles/121106.pdf
  https://www.offensive-security.com/metasploit-unleashed/Simple-imap-fuzzer/ (see Surgemail below)
1997 vulnerability
  https://www.secureroot.com/security/advisories/9640307342.html
2003 vulnerability
  https://securiteam.com/unixfocus/5XP0N0095W/
2002-2005 two vulnerabilities in UW-imap
  https://www.cvedetails.com/product/1956/University-Of-Washington-Uw-imap.html?vendor_id=55
2004-2012 vulnerabilities in Surgemail (at least some IMAP related)
  https://www.cvedetails.com/vulnerability-list/vendor_id-448/product_id-4436/Netwin-Surgemail.html
  https://www.cvedetails.com/product-list/vendor_id-448/Netwin.html


_______________________________________________
Imap-uw mailing list
[email protected]
http://mailman13.u.washington.edu/mailman/listinfo/imap-uw
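
Added example, not part of the original post and not code from the UW IMAP toolkit: a C sketch of the check the CVE description says is missing, rejecting a server name that would be read as an option (such as one beginning with "-oProxyCommand") and building the rsh argument vector one element at a time. The function names, the argv layout (program, host, -l user, remote command) and the sample values are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Return 1 if `host` can occupy a single argv slot of rsh/ssh without
 * being read as an option or split into several arguments, else 0. */
int host_is_safe(const char *host)
{
    size_t i, n;

    if (host == NULL)
        return 0;
    n = strlen(host);
    if (n == 0 || n > 253)          /* 253 = longest valid DNS name */
        return 0;
    if (host[0] == '-')             /* e.g. "-oProxyCommand=..." */
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        /* letters, digits, '.', '-' and ':' (IPv6) only; no whitespace,
         * '=', quotes or shell metacharacters */
        if (!isalnum(c) && c != '.' && c != '-' && c != ':')
            return 0;
    }
    return 1;
}

/* Fill argv[] for "rsh host -l user remote_cmd" one element at a time,
 * so nothing is ever re-tokenised on spaces. Returns the argument count,
 * or -1 if the host or user is rejected or argv[] is too small. */
int build_rsh_argv(const char *rsh_path, const char *host, const char *user,
                   const char *remote_cmd, const char *argv[], size_t max)
{
    if (rsh_path == NULL || remote_cmd == NULL || max < 6)
        return -1;
    if (!host_is_safe(host))
        return -1;
    if (user == NULL || user[0] == '\0' || user[0] == '-')
        return -1;
    argv[0] = rsh_path;
    argv[1] = host;
    argv[2] = "-l";
    argv[3] = user;
    argv[4] = remote_cmd;
    argv[5] = NULL;                 /* execv() terminator */
    return 5;
}
```

The same validation applies in any application that passes a user-supplied IMAP server name to the toolkit: reject the name before the library ever sees it.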
