Impact
The Sync Job feature - which can be made available to standard users by assigning them the necessary permission - suffers from a shell command injection. A malicious user can abuse this vulnerability to obtain shell access to the Docker container running dovecot.
The imapsync Perl script implements all the necessary functionality for this feature, including the XOAUTH2 authentication mechanism. This code path creates a shell command to call openssl. However, since different parts of the specified user password are included without any validation, one can simply include and execute additional shell commands. Notably, the default ACL for a newly-created mailcow account does not include the necessary permission.
Patches
The Issue has been fixed within the 2023-03 Update (March 3rd 2023).
Workarounds
As a temporary workaround the Syncjob ACL can be removed from all mailbox users, preventing from creating or changing existing Syncjobs.
Reproduction
Create a poc.txt Example:
- Log in at the mailcow GUI with a Sync Job permission user.
- Click Create a new job sync.
- Use the following information:
Host: imap.gmail.com
Port: 993
Encryption: SSL
Username: test
Password: 123;bla;blub;touch /tmp/poc.txt;
Custom parameters: --authmech1=XOAUTH2
- Check the Active checkbox only and create the sync job.
- Wait for the sync job to fail and open the associated logs.
- Observe that the injected touch command will be executed and a poc.txt has been created
cure53 Analyst
Impact
The Sync Job feature - which can be made available to standard users by assigning them the necessary permission - suffers from a shell command injection. A malicious user can abuse this vulnerability to obtain shell access to the Docker container running dovecot.
The imapsync Perl script implements all the necessary functionality for this feature, including the XOAUTH2 authentication mechanism. This code path creates a shell command to call openssl. However, since different parts of the specified user password are included without any validation, one can simply include and execute additional shell commands. Notably, the default ACL for a newly-created mailcow account does not include the necessary permission.
Patches
The Issue has been fixed within the 2023-03 Update (March 3rd 2023).
Workarounds
As a temporary workaround the Syncjob ACL can be removed from all mailbox users, preventing from creating or changing existing Syncjobs.
Reproduction
Create a poc.txt Example: