How CVE-2022-31031 works
Net::IMAP's generic argument handling safely encodes strings as atoms, quoted strings, or literals. However, methods such as `search`, `uid_search`, `fetch`, `uid_fetch`, `store`, `uid_store`, and `setquota` convert specific String arguments into `Net::IMAP::RawData`, bypassing that validation and encoding. Raw data is written directly to the socket without neutralization. If an attacker controls the string (e.g., a search query or fetch attribute), they can inject CRLF (`\r\n`) sequences followed by arbitrary IMAP commands. For example, a user-supplied search term `"INBOX\r\n DELETE INBOX"` would send two IMAP commands: the original SEARCH and a malicious DELETE. The `setquota` method interpolates the `limit` argument directly into the command, so it is injectable as well. Because developers may not expect these arguments to be sent raw (especially `attr` in `fetch` and `uid_fetch`, where the documentation was insufficient), they often pass unvalidated input, leading to command injection.
dailycve form
Platform: Ruby net-imap
Version: <0.2.2, <0.3.1
Vulnerability: CRLF injection
Severity: Medium
Date: 2022-06-30
Prediction: Patch date 2022-07-01
What Undercode Say:
Check vulnerable version:

```shell
gem list net-imap | grep net-imap
```

Simulate injection in search:

```shell
ruby -r net/imap -e '
imap = Net::IMAP.new("imap.example.com")
imap.login("user", "pass")
# Attacker-controlled input
inject = "INBOX\r\n DELETE INBOX"
imap.search(inject)
'
```
Exploit:
Attacker sends search string `"INBOX\r\n A002 DELETE INBOX"` → server executes `A002 DELETE INBOX` after the original SEARCH. There is no authentication bypass, but this allows mailbox deletion, message flag changes, or folder creation if the IMAP session has sufficient privileges.
Protection from this CVE
Update net-imap to >=0.2.2 (Ruby 2.6-2.7) or >=0.3.1 (Ruby 3.0+). Validate user inputs by rejecting or stripping `\r` and `\n`. Prefer array-based search criteria (`["SUBJECT", "safe"]`), which go through the generic encoder. For `setquota`, coerce the limit with `Integer(limit)` (`Kernel#Integer`), which raises on anything that is not a whole number and so rejects CRLF payloads. Avoid passing raw strings to `fetch`, `store`, and their UID variants.
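The mitigations above, as an added example that is not part of the advisory or of net-imap itself: a small guard module that rejects CR/LF, builds array-based search criteria from an allow-list of keys, and coerces the quota limit with `Integer`. The module name, method names, and the `SEARCH_KEYS` list are assumptions for illustration.

```ruby
# Guards for user-controlled values before they reach Net::IMAP methods
# that forward String arguments raw (search, uid_search, setquota, ...).
# Hypothetical helper; not part of net-imap.
module ImapInputGuard
  class InjectionError < ArgumentError; end

  # CR or LF inside a value written to the socket unencoded ends the
  # current command line, so whatever follows is parsed as a new command.
  CRLF = /[\r\n]/

  # SEARCH keys this application is willing to build queries from
  # (assumed allow-list; extend as the application needs).
  SEARCH_KEYS = %w[SUBJECT FROM TO BODY TEXT].freeze

  # True when a value contains a line terminator (useful for logging).
  def self.injection_attempt?(value)
    value.to_s.match?(CRLF)
  end

  # Reject rather than strip, so attempts surface in application logs.
  def self.check!(value)
    raise InjectionError, "CR/LF in IMAP argument: #{value.inspect}" if injection_attempt?(value)
    value
  end

  # Array-based criteria for Net::IMAP#search / #uid_search. Arrays go
  # through the generic encoder (atom/quoted/literal); a bare String is
  # what the affected versions forward as RawData.
  # Usage: imap.search(ImapInputGuard.search_criteria("subject", term))
  def self.search_criteria(key, term)
    key = key.to_s.upcase
    raise InjectionError, "unknown search key #{key}" unless SEARCH_KEYS.include?(key)
    [key, check!(term.to_s)]
  end

  # Coerce the setquota limit with Kernel#Integer, which raises on
  # anything that is not a whole number (including CRLF payloads).
  # Usage: imap.setquota(root, ImapInputGuard.quota_limit(params[:limit]))
  def self.quota_limit(limit)
    Integer(limit.to_s)
  rescue ArgumentError, TypeError
    raise InjectionError, "quota limit is not an integer: #{limit.inspect}"
  end
end
```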
Impact
Command injection enabling arbitrary IMAP command execution. An attacker can delete mailboxes, mark messages as deleted, set quotas, or manipulate folders. Combined with CSRF or shared mail folders, privileges may escalate. Applications that dynamically build search queries (e.g., webmail clients, archival tools) are at highest risk. Does not directly exfiltrate data but can cause data loss or server state corruption.
Sources:
Reported By: github.com