
Shell command injection via xoauth2 authentication in imapsync

High
DerLinkman published GHSA-3j2f-wf52-cjg7 Mar 3, 2023

Package

IMAPSYNC (mailcow-dockerized)

Affected versions

< 2023-03

Patched versions

>= 2023-03

Description

Impact

The Sync Job feature - which can be made available to standard users by assigning them the necessary permission - suffers from a shell command injection. A malicious user can abuse this vulnerability to obtain shell access to the Docker container running dovecot.

The imapsync Perl script implements all the necessary functionality for this feature, including the XOAUTH2 authentication mechanism. This code path builds a shell command string to call openssl. However, since parts of the user-specified password are interpolated into that string without any validation or quoting, a user can simply append additional shell commands, which are then executed. Notably, the default ACL for a newly-created mailcow account does not include the necessary permission.

Patches

The issue has been fixed within the 2023-03 update (March 3rd 2023).

Workarounds

As a temporary workaround, the Syncjob ACL can be removed from all mailbox users, preventing them from creating new Syncjobs or changing existing ones.

Reproduction

Example: create a poc.txt file.

  1. Log in at the mailcow GUI with a Sync Job permission user.
  2. Click Create a new job sync.
  3. Use the following information:
     Host: imap.gmail.com
     Port: 993
     Encryption: SSL
     Username: test
     Password: 123;bla;blub;touch /tmp/poc.txt;
     Custom parameters: --authmech1=XOAUTH2
  4. Check the Active checkbox only and create the sync job.
  5. Wait for the sync job to fail and open the associated logs.
  6. Observe that the injected touch command has been executed and a poc.txt has been created.
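The following added example (not imapsync's or mailcow's code) shows the shape of the bug described above and in the reproduction steps, using the advisory's own password: a shell string built by interpolating the password, the same call with proper quoting, the preferred no-shell form, and a defence-in-depth check for sync-job fields. The exact openssl invocation is an assumed stand-in for the real XOAUTH2 code path.

```python
import re
import shlex
import subprocess

# Password taken from the advisory's reproduction steps.
ADVISORY_PASSWORD = "123;bla;blub;touch /tmp/poc.txt;"

# Characters that let a value escape a shell word or start a new command.
SHELL_METACHARS = re.compile(r"[;&|`$<>(){}\\\"'\n]")


def xoauth2_token(user: str, password: str) -> str:
    """SASL XOAUTH2 payload before base64 (assumed stand-in for imapsync's)."""
    return f"user={user}\x01auth=Bearer {password}\x01\x01"


def vulnerable_command(user: str, password: str) -> str:
    """The bug's shape: untrusted input interpolated into a shell string.
    A ';' in the password ends the printf command and starts another one."""
    return f"printf %s {xoauth2_token(user, password)} | openssl base64 -A"


def quoted_command(user: str, password: str) -> str:
    """If a shell string is unavoidable, quote every untrusted word so the
    whole token stays a single argument to printf."""
    token = shlex.quote(xoauth2_token(user, password))
    return f"printf %s {token} | openssl base64 -A"


def shell_words(command: str) -> list[str]:
    """Split a command the way a POSIX shell would (used to verify quoting)."""
    return shlex.split(command)


def encode_token_no_shell(user: str, password: str) -> bytes:
    """Preferred fix: no shell at all. The argv list is fixed and the token
    travels over stdin, so nothing in the password is ever parsed as syntax."""
    result = subprocess.run(["openssl", "base64", "-A"],
                            input=xoauth2_token(user, password).encode(),
                            capture_output=True, check=True)
    return result.stdout


def has_shell_metachars(value: str) -> bool:
    """Defence in depth for sync-job fields that reach any external command."""
    return SHELL_METACHARS.search(value) is not None
```

Running `shell_words` over the two command strings shows why one executes `touch` and the other does not: in the quoted form the token is a single word, in the vulnerable form `;` terminates the command.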

Severity

High

CVE ID

CVE-2023-26490

Weaknesses

Credits