php imap_open Remote Code Execution
The imap_open function in PHP, if called without the /norsh flag, will attempt to preauthenticate an IMAP session over rsh. On Debian-based systems, including Ubuntu, rsh is mapped to the ssh binary, so SSH's ProxyCommand option can be passed through imap_open's mailbox string to execute arbitrary commands. While many custom applications may use imap_open, this exploit works against the following applications: e107 v2, PrestaShop, SuiteCRM, as well as Custom, which simply prints the exploit strings for use. PrestaShop exploitation requires the admin URI and administrator credentials. SuiteCRM/e107/HostCMS require administrator credentials.
- Anton Lopanitsyn
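The root cause above is a caller letting attacker-influenced text reach the imap_open mailbox string without /norsh. The following wrapper is an added defensive example, not code from this module or from any of the listed applications: it validates the host value, builds the mailbox string itself, and always appends /norsh so the rsh/ssh preauthentication path is never used. The function name and the sample hostname are this example's own.

```php
<?php
// Added example: a hardened wrapper around PHP's imap_open().
// The mailbox string is assembled here, never taken from user input verbatim,
// and /norsh is forced so the client never tries rsh (ssh on Debian-based hosts).

function build_safe_mailbox(string $host, int $port, bool $tls = true): string
{
    // Accept only a plain hostname or IPv4 literal: letters, digits, dots, hyphens.
    // Braces, spaces, slashes and leading hyphens cannot pass this check, so no
    // extra IMAP flags or ssh options can be smuggled into the mailbox spec.
    if (!preg_match('/^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$/', $host)) {
        throw new InvalidArgumentException('Refusing untrusted IMAP host value');
    }
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException('IMAP port out of range');
    }
    // /norsh disables the rsh/ssh preauthentication attempt regardless of caller input.
    $flags = $tls ? '/imap/ssl/norsh' : '/imap/norsh';
    return sprintf('{%s:%d%s}INBOX', $host, $port, $flags);
}

function safe_imap_open(string $host, int $port, string $user, string $password, bool $tls = true)
{
    $mailbox = build_safe_mailbox($host, $port, $tls);
    // Single retry; errors are logged server-side, not echoed back with the mailbox string.
    $stream = @imap_open($mailbox, $user, $password, 0, 1);
    if ($stream === false) {
        error_log('imap_open failed: ' . imap_last_error());
        return false;
    }
    return $stream;
}

// Usage with a hypothetical server (not a real host):
// $mbox = safe_imap_open('mail.example.com', 993, 'user', 'password');
// build_safe_mailbox('mail.example.com', 993) yields "{mail.example.com:993/imap/ssl/norsh}INBOX";
// build_safe_mailbox('mail.example.com -oProxyCommand=x', 993) throws InvalidArgumentException.
```

Applications that must accept a user-supplied IMAP server should route every call through a wrapper like this rather than concatenating the host into the mailbox string.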
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/linux/http/php_imap_open_rce
msf exploit(php_imap_open_rce) > show targets
    ...targets...
msf exploit(php_imap_open_rce) > set TARGET <target-id>
msf exploit(php_imap_open_rce) > show options
    ...show and set options...
msf exploit(php_imap_open_rce) > exploit