Hackers actively scanning for Horde IMP Vulnerability

January 25, 2019

SonicWall Capture Labs Threat Research team has recently observed that attackers are actively exploiting a Horde IMP vulnerability. Over 3,000 firewalls have been hit with 20,000+ requests in the last two days. A successful exploit could allow the attacker to execute arbitrary shell commands on the vulnerable systems.

Horde IMP:

Horde Groupware Webmail Edition is a free, enterprise-ready, browser-based communication suite. It offers applications such as the Horde IMP email client, a groupware package (calendar, notes, tasks, file manager), a wiki, and time and task tracking software. It is written in PHP and provides all the elements required for rapid web application development.

Horde IMP (Internet Messaging Program), an application that ships with Horde Groupware, is one of the most popular and widely deployed open source webmail applications. It allows universal, web-based access to IMAP and POP3 mail servers from all kinds of browsers (desktop, mobile, tablet or text-only).

Vulnerability:

Horde IMP exposes an unauthenticated debug page with a form that permits IMAP requests to arbitrary hosts. The debug page is at "http://horde_path/imp/test.php". By leveraging the vulnerability (CVE-2018-19518) in PHP's imap_open function, an unauthenticated remote attacker can execute arbitrary shell commands on a targeted system.


Fig 1: Snapshot from an active webmail that exposes the debug page

CVE-2018-19518:

Internet Message Access Protocol (IMAP) is an Internet standard protocol used by email clients to retrieve email messages from a mail server over a TCP/IP connection. PHP has a set of functions that support IMAP out of the box. This vulnerability exists in the 'imap_open' function, which is used to open an IMAP stream to a mailbox. It is due to the imap_open function improperly filtering mailbox names before passing them to the rsh or ssh commands. If the rsh and ssh functionality is enabled and the rsh command is a symbolic link to the ssh command, an attacker could exploit this vulnerability by sending a malicious IMAP server name containing a -oProxyCommand argument to the targeted system. A successful exploit could allow the attacker to bypass otherwise disabled exec functions in the affected software, which the attacker could leverage to execute arbitrary shell commands on the targeted system.

Exploit:

In this exploit request, a malicious IMAP server name containing a -oProxyCommand argument is sent to the targeted system.

# Python fragment from the observed exploit script; target, new_headers, anyname and cmd are set elsewhere in that script.
res = requests.post(target, headers=new_headers, data=[
    ('server', anyname + ' -oProxyCommand=echo$IFS$()' + cmd + '|base64$IFS$()-d|sh}'),
    ('port', '143'),
    ('user', 'a'),
    ('passwd', 'a'),
    ('server_type', 'imap'),
    ('f_submit', 'Submit')
])

The server value anyname + ' -oProxyCommand=echo$IFS$()' + cmd + '|base64$IFS$()-d|sh' is passed to the ssh command without proper input validation. With the help of ProxyCommand, any command can be executed in the context of the user.
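As an added, defender-side example (not SonicWall's code and not part of the original post): a Python check that parses POST requests to the IMP debug page and flags any server value that is not a bare hostname, which is how the -oProxyCommand injection described above shows up in web server or WAF logs. The sample records and the /horde/ path prefix are constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample records (not real traffic): client IP, request path, POST body.
SAMPLE_REQUESTS = [
    ("203.0.113.5", "/horde/imp/test.php",
     "server=imap.example.com&port=143&user=a&passwd=a&server_type=imap&f_submit=Submit"),
    ("203.0.113.6", "/horde/imp/test.php",
     "server=x+-oProxyCommand%3Decho%24IFS%24()aWQ%3D%7Cbase64%24IFS%24()-d%7Csh%7D"
     "&port=143&user=a&passwd=a&server_type=imap&f_submit=Submit"),
    ("203.0.113.7", "/horde/imp/test.php",
     "server=mail.example.org%20-oLogLevel%3Dquiet&port=993&user=b&passwd=b&server_type=imap"),
    ("203.0.113.8", "/horde/login.php", "user=a&passwd=a"),
]

# A legitimate server value is a bare hostname or IPv4 literal (IPv6 is out of scope here).
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")
# Whitespace followed by "-x" is how an extra ssh option gets injected into the command line.
SSH_OPT_RE = re.compile(r"(?:^|\s)-[A-Za-z]")


def check_server_field(server):
    """Return why the server value is unsafe to hand to imap_open, or None if it is a plain host."""
    if HOST_RE.fullmatch(server):
        return None
    if re.search(r"-o\s*ProxyCommand", server, re.IGNORECASE):
        return "ssh ProxyCommand injection"
    if SSH_OPT_RE.search(server):
        return "ssh option injection"
    if "$IFS" in server or "$(" in server:
        return "shell expansion in server field"
    return "server field is not a plain hostname"


def scan_requests(records):
    """Flag POSTs to the IMP debug page whose server field would reach ssh unvalidated."""
    hits = []
    for client_ip, path, body in records:
        if not path.endswith("/imp/test.php"):
            continue
        # parse_qs undoes the form encoding, so '+' and %24 become the space and '$' that ssh would see.
        server = parse_qs(body, keep_blank_values=True).get("server", [""])[0]
        reason = check_server_field(server)
        if reason:
            hits.append((client_ip, reason))
    return hits


if __name__ == "__main__":
    for ip, reason in scan_requests(SAMPLE_REQUESTS):
        print(f"{ip}: {reason}")
```

The same check, applied before the server value is ever interpolated into the imap_open mailbox string, is the server-side input validation the debug page lacks.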

Trend Chart:

The chart below shows the exploit attempts observed in the last 48 hours.

Attacker IPs:

Given below are some of the source IPs from which the exploit requests have been sent.

Fix:

  • Upgrade to the latest PHP version to resolve the issue.
  • Check for vulnerable PHP versions here: https://www.securityfocus.com/bid/106018
  • Delete the debug page test.php ('http://horde_path/imp/test.php') after installation.

SonicWall Threat Research Lab provides protection against this exploit with the following signatures:

  • IPS: 13996 Horde Imp Remote Code Execution 1
  • IPS: 13997 Horde Imp Remote Code Execution 2
  • IPS: 13998 Horde Imp Remote Code Execution 3
  • WAF: 1690 Horde Imp Remote Code Execution