
Zero day vulnerability in roundcube

There is a lot of useful software that is present on almost every hosting platform. For example, phpmyadmin is the de-facto standard; users would neither understand nor appreciate its absence.

For mail, this "default app" is roundcube.

Today we will talk about a zero-day vulnerability that hands the attacker all of your users' mail.

It is traditionally believed that such popular scripts cannot contain any significant vulnerabilities. Perhaps an XSS, maybe a CSRF; that is unpleasant, but hard to exploit and in most cases does not lead to a serious data leak.

We designed our shared hosting with the full understanding that our customers are extremely sensitive to any security breach. There should be no obvious or potential threats. Nevertheless, for some time we had observed a statistically significant increase in complaints about unauthorized FTP access.

Everything was checked, starting with internal security and ending with every possible leak path: through billing, through the users themselves, and so on.

At some point it became clear that the leak came from the mail system, most likely from its web part.

The exploitation pattern is extremely strange: the attacker obtains the password to the roundcube database, pulls the sessions out of it with phpmyadmin, and extracts the mail passwords from those sessions. Moreover, roundcube encrypts its session data, so the attacker must also have access to the encryption key.

Partial logging of POST requests helped to find the vulnerability:

POST /?_task=settings&_action=save-pref&check_request=&_check_request= HTTP/1.1" 200 1133 "http://mail.ddos-guard.net/?_task=mail" "Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/20100101 Firefox/16.0" "_token=0f7c9ae8a387cb0bc5ce563fa09fe172&_session=generic_message_footer&_name=generic_message_footer&_value=config/db.inc.php


A local include. The attacker sets the message footer to config/db.inc.php and sends a message to himself, so the contents of the configuration file end up in the message.
It remains to find out how the latest stable version of roundcube came to do such an abominable thing.
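Requests of this shape are easy to pick out of the access log once POST bodies are logged. The following script is an added example, not code from the article or from roundcube: it parses lines in the same layout as the one quoted above (constructed here, not real log data), and flags a save-pref request when the preference name is not one the UI normally saves (the allow-list is an assumed one), when the client supplied its own `_session` key, or when the value looks like a file path.

```php
<?php
// Added example, not part of the original article: scan logged POST requests
// for save-pref calls that look like the abuse described above. The log lines
// are constructed in the same shape as the one quoted in the article; the
// allow-list of preference names is an assumption for illustration.

$allowedNames = array('preview_pane', 'message_threading', 'mail_read_time');

$logLines = array(
    // benign: the UI toggling the preview pane
    'POST /?_task=settings&_action=save-pref HTTP/1.1" 200 20 "http://mail.example.test/?_task=mail" "Mozilla/5.0" "_token=aaaa&_name=preview_pane&_value=1"',
    // the pattern from the article: session key and footer path chosen by the client
    'POST /?_task=settings&_action=save-pref&check_request=&_check_request= HTTP/1.1" 200 1133 "http://mail.example.test/?_task=mail" "Mozilla/5.0" "_token=bbbb&_session=generic_message_footer&_name=generic_message_footer&_value=config/db.inc.php"',
    // unrelated request, must be ignored
    'POST /?_task=mail&_action=send HTTP/1.1" 200 500 "http://mail.example.test/?_task=mail" "Mozilla/5.0" "_token=cccc&_to=someone"',
);

// Split a partially logged request into its URL query and POST body parameters.
function parse_log_line($line) {
    if (!preg_match('#^POST (\S+) HTTP/[\d.]+" \d+ \d+ "[^"]*" "[^"]*" "([^"]*)"?\s*$#', $line, $m)) {
        return null;
    }
    $query = array();
    $url = parse_url($m[1]);
    if (!empty($url['query'])) {
        parse_str($url['query'], $query);
    }
    $body = array();
    parse_str($m[2], $body);
    return array('query' => $query, 'body' => $body);
}

// Return the reasons a save-pref request is suspicious (empty array if it is not).
function suspicious_save_pref(array $req, array $allowedNames) {
    if (!isset($req['query']['_action']) || $req['query']['_action'] !== 'save-pref') {
        return array();
    }
    $body    = $req['body'];
    $name    = isset($body['_name'])  ? $body['_name']  : '';
    $value   = isset($body['_value']) ? $body['_value'] : '';
    $reasons = array();

    if (!in_array($name, $allowedNames, true)) {
        $reasons[] = "preference name '$name' is not one the UI saves here";
    }
    if (isset($body['_session']) && $body['_session'] !== '') {
        $reasons[] = "client chose the session key '{$body['_session']}'";
    }
    // A path separator, a traversal sequence or a source-file suffix has no
    // business in a preference value.
    if (preg_match('#/|\.\.|\.(php|inc|ini)$#i', $value)) {
        $reasons[] = "value '$value' looks like a file path";
    }
    return $reasons;
}

foreach ($logLines as $n => $line) {
    $req = parse_log_line($line);
    if ($req === null) {
        echo "line $n: unparsed\n";
        continue;
    }
    $reasons = suspicious_save_pref($req, $allowedNames);
    echo "line $n: " . ($reasons ? 'ALERT: ' . implode('; ', $reasons) : 'no finding') . "\n";
}
```

Run it with `php` on the command line; the second constructed line trips all three checks, the first and third produce no finding. On a real server the `$logLines` array is replaced by reading the access log, and the allow-list should be taken from the preference names the installed roundcube UI actually saves through this action.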

Everything is quite simple:

index.php:
    else if ($RCMAIL->action == 'save-pref') {
        include INSTALL_PATH . 'program/steps/utils/save_pref.inc';
    }


program/steps/utils/save_pref.inc:
    $name  = get_input_value('_name',  RCUBE_INPUT_POST);   // preference name, taken from POST unchecked
    $value = get_input_value('_value', RCUBE_INPUT_POST);   // preference value, also unchecked

    // save preference value
    $RCMAIL->user->save_prefs(array($name => $value));

    // update also session if requested
    if ($sessname = get_input_value('_session', RCUBE_INPUT_POST)) {   // session key chosen by the client
        // Support multidimensional arrays...
        $vars = explode('/', $sessname);
        // ... up to 3 levels
        if (count($vars) == 1)
            $_SESSION[$vars[0]] = $value;
        else if (count($vars) == 2)
            $_SESSION[$vars[0]][$vars[1]] = $value;
        else if (count($vars) == 3)
            $_SESSION[$vars[0]][$vars[1]][$vars[2]] = $value;
    }

    $OUTPUT->reset();
    $OUTPUT->send();


Because neither `_name` nor `_session` is validated, the attacker can overwrite any configuration variable and read any file accessible to the user account under which roundcube runs.
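The defect is that the client picks both the preference name and the session key. A handler that closes that off accepts only an allow-list of preference names, validates each value, and decides by itself which (if any) session key a preference is mirrored into. The code below is an added example of that design; it is neither roundcube's own code nor the upstream 0.8.6 fix, and the preference names, validators and mirror table are assumptions for illustration. `$prefs` and `$session` stand in for `$RCMAIL->user->save_prefs()` and `$_SESSION` so the script runs on its own.

```php
<?php
// Added example, not roundcube's own code and not its upstream fix: a save-pref
// handler that accepts only an allow-list of preference names and never lets the
// client choose which session key is written. Names, validators and the mirror
// table are assumptions; $prefs and $session stand in for the user preference
// store and $_SESSION.

// Preferences a client may change through this endpoint, each with a validator.
$ALLOWED_PREFS = array(
    'preview_pane'      => function ($v) { return $v === '0' || $v === '1'; },
    'message_threading' => function ($v) { return $v === '0' || $v === '1'; },
    'mail_read_time'    => function ($v) { return ctype_digit($v) && (int) $v <= 30; },
);

// Preferences that are also mirrored into the session, under a fixed, server-chosen key.
$SESSION_MIRROR = array(
    'mail_read_time' => 'mail_read_time',
);

function save_pref_hardened(array $post, array $allowed, array $mirror, array &$prefs, array &$session) {
    $name  = isset($post['_name'])  ? (string) $post['_name']  : '';
    $value = isset($post['_value']) ? (string) $post['_value'] : '';

    // Anything not on the list (the message footer path from the log above, for
    // instance) is refused before anything is written.
    if (!isset($allowed[$name])) {
        return array('ok' => false, 'error' => "preference '$name' cannot be set through this endpoint");
    }
    if (!call_user_func($allowed[$name], $value)) {
        return array('ok' => false, 'error' => "invalid value for '$name'");
    }

    $prefs[$name] = $value;

    // The client's _session parameter is deliberately ignored: the mirror table
    // alone decides whether, and where, the value lands in the session.
    if (isset($mirror[$name])) {
        $session[$mirror[$name]] = $value;
    }
    return array('ok' => true);
}

$prefs   = array();
$session = array();

// The request from the log line quoted in the article.
$attack = array(
    '_session' => 'generic_message_footer',
    '_name'    => 'generic_message_footer',
    '_value'   => 'config/db.inc.php',
);
$r = save_pref_hardened($attack, $ALLOWED_PREFS, $SESSION_MIRROR, $prefs, $session);
echo ($r['ok'] ? 'accepted' : 'rejected: ' . $r['error']) . "\n";   // rejected, nothing written

// A legitimate request from the UI; its _session parameter is ignored even here.
$benign = array('_session' => 'whatever', '_name' => 'mail_read_time', '_value' => '5');
$r = save_pref_hardened($benign, $ALLOWED_PREFS, $SESSION_MIRROR, $prefs, $session);
echo ($r['ok'] ? 'accepted' : 'rejected: ' . $r['error']) . "\n";   // accepted

echo 'prefs: '   . json_encode($prefs)   . "\n";   // {"mail_read_time":"5"}
echo 'session: ' . json_encode($session) . "\n";   // {"mail_read_time":"5"}
```

The point of the design is that there is no code path at all from a request parameter to an arbitrary `$_SESSION` or preference key: the allow-list and the mirror table are the only things that name keys, and both live on the server.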

The vulnerability is present in the latest versions: roundcube 0.8.5 and 0.9-RC.

A patch to plug the hole temporarily:

 diff --git a/index.php b/index.php index 8de8ca0..6470295 100644 --- a/index.php +++ b/index.php @@ -258,7 +258,8 @@ if ($RCMAIL->action == 'keep-alive') { $OUTPUT->send(); } else if ($RCMAIL->action == 'save-pref') { - include INSTALL_PATH . 'program/steps/utils/save_pref.inc'; + echo "Oops"; + die; } 
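Review bot: replacing the include with `echo "Oops"; die;` disables the whole save-pref action instead of fixing it, so every legitimate preference save through this endpoint now returns a 200 response whose body is just "Oops", which the client-side code cannot interpret. As a stopgap that is defensible, but the commit should say so, and the permanent change belongs in save_pref.inc: validate `_name` against an allow-list of preference keys and stop taking the `$_SESSION` key from the `_session` parameter; failing that, at least answer with an error status the client can handle.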


It remains to be noted that roundcube ships with cPanel, DirectAdmin, etc. In fact, most modern hosting platforms are affected by this vulnerability.

I wish you happiness. Be careful.

Update 03.28.2013
Patch from the developers
Patches for other versions: http://sourceforge.net/news/?group_id=139281&id=310497
Version 0.8.6, which fixes the vulnerability: http://roundcube.net/download

Source: https://habr.com/ru/post/174423/
