PHP imap_open Exploit

Security researchers have discovered a zero-day vulnerability in PHP's imap_open command that could allow an authenticated attacker to achieve Remote Code Execution.

Threat ID:: CC-2801
Category:: exploit
Threat Severity:: Low
Threat Vector:: Vulnerability
Published:: 20 November 2018 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Security researchers have discovered a zero-day vulnerability in PHP's imap_open command that could allow an authenticated attacker to achieve Remote Code Execution.

Affected platforms

The following platforms are known to be affected:

Apache HTTP Server

PHP applications using the imap_open command, particularly when hosted on Debian-based operating systems including Ubuntu

Threat details

When the imap_open command is called without the 'norsh' flag, it will attempt to authenticate an IMAP session. Debian-based operating systems map Remote Shell (RSH) to the Secure Shell (SSH) executable. SSH includes the ProxyCommand option, which provides a vector for arbitrary commands to be executed from imap_open. This bypasses any disabled exec commands in PHP.

Proof of concept code has been published that can be adapted to exploit this vulnerability with a variety of PHP applications.

Remediation steps

Type	Step
	At the time of publication, no updates have been released to address this vulnerability. The only known mitigation is either sanitising any user input passed to imap_open, or disabling the imap_open command in PHP altogether.

Last edited: 17 February 2020 1:01 pm