cve/2018/CVE-2018-19518.md

### [CVE-2018-19518](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19518)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a "-oProxyCommand" argument.

### POC

#### Reference
- https://antichat.com/threads/463395/#post-4254681
- https://bugs.debian.org/913775
- https://bugs.debian.org/913835
- https://bugs.debian.org/913836
- https://www.exploit-db.com/exploits/45914/
- https://www.openwall.com/lists/oss-security/2018/11/22/3

#### Github
- https://github.com/0xT11/CVE-POC
- https://github.com/ARPSyndicate/cvemon
- https://github.com/C-starm/PoC-and-Exp-of-Vulnerabilities
- https://github.com/HacTF/poc--exp
- https://github.com/SexyBeast233/SecBooks
- https://github.com/avboy1337/Vulnerabilities
- https://github.com/bb33bb/Vulnerabilities
- https://github.com/ensimag-security/CVE-2018-19518
- https://github.com/houqe/EXP_CVE-2018-19518
- https://github.com/jiangsir404/POC-S
- https://github.com/syadg123/pigat
- https://github.com/teamssix/pigat
- https://github.com/wateroot/poc-exp
- https://github.com/wrlu/Vulnerabilities