IMAP Toolkit 2007f, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.
Created php tracking bugs for this issue:
Affects: fedora-all [bug 1654230]
This cannot affect the PHP packages provided for Red Hat Enterprise Linux 7, either directly via Red Hat Enterprise Linux 7 or via Red Hat Software Collections for Red Hat Enterprise Linux 7, as those packages do not include the affected imap extension.
In Red Hat Enterprise Linux 6, the php-imap package providing the imap extension is only distributed via the unsupported Optional repository.
The PHP packages included in the Red Hat Software Collections for Red Hat Enterprise Linux 6 do provide the imap extension (again in the *-php-imap sub-packages). However, the extension requires the libc-client package (the IMAP client implementation that is part of the UW IMAP project), which is only available via the unsupported Optional repository for Red Hat Enterprise Linux 6.
The above commit includes the following addition to the UPGRADING documentation file:
Starting with 7.2.13, rsh/ssh logins are disabled by default. Use
imap.enable_insecure_rsh if you want to enable them. Note that the IMAP
library does not filter mailbox names before passing them to rsh/ssh
command, thus passing untrusted data to this function with rsh/ssh enabled
This fix is being added to PHP 7.2.13, 7.1.25, 7.0.33, and 5.6.38.
The UW IMAP c-client library, which is used by the PHP imap extension, tries multiple methods when asked to connect to an IMAP server. Those methods include an attempt to establish an rsh or ssh connection to the server and start an IMAP daemon in pre-authenticated mode. When constructing these rsh or ssh commands, the library does not sanitize the provided server name in any way, which makes it possible to inject additional options into these commands. This can lead to arbitrary command execution, for example by injecting a ProxyCommand option for ssh.
The c-client library builds in Red Hat Enterprise Linux and Fedora only define a default path for the rsh command. There is no default path specified for the ssh command. Because of that, ssh is not used unless a path to the command is explicitly configured, which can be done by adding 'set ssh-path /usr/bin/ssh' to the /etc/c-client.cf configuration file, or to ~/.imaprc if support for user configuration files is enabled in the global system configuration. Such a configuration is not the default on Red Hat Enterprise Linux or Fedora, and does not seem likely in practice.
This flaw was reported to have a worse impact on Debian and Ubuntu systems, where rsh is a symlink to ssh by default. Hence, when c-client attempts to execute rsh, ssh is actually executed. As noted above, no special configuration is required for rsh to be executed; it depends only on the provided connection string.
On Red Hat Enterprise Linux, rsh can be executed if it is installed. A malicious IMAP server name can be used to inject additional rsh command line options, but the rsh command accepts very few options, none of which allows command execution in a way similar to ssh's ProxyCommand. Code execution via the ssh command is possible if ssh-path is configured as noted above.
Lowering impact rating, as on Red Hat Enterprise Linux affected configurations are unlikely.
Not all uses of the PHP imap extension are affected, even when untrusted server names are used. The following can also serve as mitigations for affected configurations.
* The c-client library will not use rsh or ssh when the /norsh flag is specified in the mailbox name argument to the imap_open() function. See the PHP documentation for more details on how flags are specified: http://php.net/manual/en/function.imap-open.php
* rsh/ssh is also not used when the /ssl or /tls flags are specified, or when a port is explicitly specified.
* Proper validation of server names can be used to prevent this flaw. However, adding the /norsh flag as noted above is likely to be an easier fix in most cases.
* If the imap extension is not needed, remove all installed php-imap packages.
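The following is an added example, not code from this bug report or from the PHP project, showing the vulnerable pattern described above (an untrusted server name concatenated into the imap_open() connection string) next to a hardened version that applies the mitigations listed: hostname validation, an explicit port, the /ssl flag and the /norsh flag. The helper name safe_mailbox_spec() and the sample server names are constructed for illustration.

```php
<?php
// Added example (not from the bug report or the PHP project).
//
// Vulnerable pattern: the user-controlled server name goes straight into the
// connection string, so c-client may hand it to rsh/ssh as a command-line
// argument. A name beginning with "-" (e.g. "-oProxyCommand...") is then
// parsed by ssh as an option rather than as a host.
//
//   $mbox = imap_open('{' . $_POST['server'] . '}INBOX', $user, $pass);
//
// Hardened pattern: validate the host, pin the port, require /ssl and add
// /norsh so c-client never attempts the rsh/ssh path at all. On fixed PHP
// versions, additionally leave imap.enable_insecure_rsh at its default
// (disabled) in php.ini.

/**
 * Build a mailbox spec such as "{host:993/imap/ssl/norsh}INBOX" from
 * untrusted input, or throw InvalidArgumentException.
 * (Hypothetical helper written for this example.)
 */
function safe_mailbox_spec(string $host, int $port = 993, string $folder = 'INBOX'): string
{
    // RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
    // no label starting or ending with a hyphen. This rejects anything that
    // begins with "-" (an rsh/ssh option) and anything containing spaces,
    // "/", ":", "{" or "}" that could alter the connection string.
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    if (strlen($host) > 253 || !preg_match("/^{$label}(\\.{$label})*\$/", $host)) {
        throw new InvalidArgumentException('invalid IMAP server name');
    }
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException('invalid IMAP port');
    }
    // The folder part must not contain characters that close or reopen the
    // {...} server part.
    if (preg_match('/[{}\r\n\0]/', $folder)) {
        throw new InvalidArgumentException('invalid folder name');
    }
    // /ssl and the explicit port each already stop the rsh/ssh attempt;
    // /norsh makes that explicit and independent of the other flags.
    return sprintf('{%s:%d/imap/ssl/norsh}%s', $host, $port, $folder);
}

// Constructed inputs for demonstration only.
$samples = [
    'imap.example.com',          // accepted
    'mail-1.example.org',        // accepted
    '-oProxyCommand=id',         // rejected: leading "-" would be an ssh option
    'imap.example.com -oX',      // rejected: embedded space splits arguments
    'imap.example.com}INBOX{',   // rejected: braces alter the mailbox spec
];
foreach ($samples as $host) {
    try {
        printf("%-28s -> %s\n", $host, safe_mailbox_spec($host));
    } catch (InvalidArgumentException $e) {
        printf("%-28s -> rejected (%s)\n", $host, $e->getMessage());
    }
}

// Only a validated spec is ever passed on, e.g.:
// $mbox = imap_open(safe_mailbox_spec($_POST['server']), $user, $pass);
```

The hostname check is deliberately stricter than what c-client requires: it is simpler to accept only well-formed hostnames than to enumerate every character that rsh or ssh might interpret. The /norsh flag is still included so the result is safe even if the validation is later relaxed.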