
Possible exploit #4145

Closed
rcubetrac opened this issue Mar 27, 2013 · 5 comments


@rcubetrac rcubetrac commented Mar 27, 2013

Reported by webratz on 27 Mar 2013 14:31 UTC as Trac ticket #1489021

Just scrolled by in IRC, maybe worth looking at:

http://habrahabr.ru/post/174423/&act=url

(or translated: http://translate.google.com.ua/translate?sl=ru&tl=en&prev=_t&hl=en&ie=UTF-8&eotf=1&u=http://habrahabr.ru/post/174423/&act=url)

Migrated-From: http://trac.roundcube.net/ticket/1489021

@rcubetrac rcubetrac commented Mar 27, 2013

Comment by webratz on 27 Mar 2013 14:39 UTC

quoting the page, just for future reference if it goes down:

There is a lot of useful software that is present on most hosts. For example, the de-facto standard is phpmyadmin, whose absence users would not understand or appreciate.

The "default application" addressed here is roundcube.

Today we talk about a zero-day vulnerability, which gives all your users' mail to the wrong hands.

Traditionally it is believed that such popular scripts do not contain any significant vulnerabilities. Yeah, maybe an XSS, maybe a CSRF; it is unpleasant, but it is hard to exploit and in most cases serious data does not escape.

We designed our shared hosting with a full understanding that our customers are extremely sensitive to any security breach. There should be no obvious or potential threats. However, for some time we observed a statistically significant increase in complaints about unauthorized access to FTP.

Everything was checked, from Homeland Security to any options for leakage through billing, from the users, etc.

At some point it became clear that the leak was coming from the mail system, and most of all from its web part.

The pattern of exploitation is extremely strange: the attacker, with the password from the roundcube database, pulls out the sessions through phpmyadmin and gets the mail passwords out of the sessions. Moreover, roundcube encrypts the sessions, and so they also have access to the encryption key.

Logging of POST requests helped in part to find the flaw:

POST /?_task=settings&_action=save-pref&check_request=&_check_request= HTTP/1.1" 200 1133 "http://mail.ddos-guard.net/?_task=mail" "Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/20100101 Firefox/16.0" "_token=0f7c9ae8a387cb0bc5ce563fa09fe172&_session=generic_message_footer&_name=generic_message_footer&_value=config/db.inc.php

Local include. The attacker adds config/db.inc.php in the message footer and sends this letter to himself.
It remains to figure out how it is that the latest stable version of roundcube does such an abomination.

It is rather simple:

index.php:

```php
else if ($RCMAIL->action == 'save-pref') {
    include INSTALL_PATH . 'program/steps/utils/save_pref.inc';
}
```

program/steps/utils/save_pref.inc:

```php
$name  = get_input_value('_name', RCUBE_INPUT_POST);
$value = get_input_value('_value', RCUBE_INPUT_POST);

// save preference value
$RCMAIL->user->save_prefs(array($name => $value));

// update also session if requested
if ($sessname = get_input_value('_session', RCUBE_INPUT_POST)) {
    // Support multidimensional arrays...
    $vars = explode('/', $sessname);

    // ... up to 3 levels
    if (count($vars) == 1)
        $_SESSION[$vars[0]] = $value;
    else if (count($vars) == 2)
        $_SESSION[$vars[0]][$vars[1]] = $value;
    else if (count($vars) == 3)
        $_SESSION[$vars[0]][$vars[1]][$vars[2]] = $value;
}

$OUTPUT->reset();
$OUTPUT->send();
```

An attacker can overwrite any variable in the configuration and get any file readable by the user roundcube runs as.

The vulnerability is present in the most recent versions, roundcube 0.8.5 and 0.9-RC.

The patch for temporarily plugging the hole:


diff --git a/index.php b/index.php index 8de8ca0..6470295 100644 --- a/index.php +++ b/index.php @@ -258,7 +258,8 @@ if ($RCMAIL->action == 'keep-alive') { $OUTPUT->send(); } else if ($RCMAIL->action == 'save-pref') { - include INSTALL_PATH . 'program/steps/utils/save_pref.inc'; + echo "Oops"; + die; }



It remains to note that roundcube is present in cPanel, DirectAdmin, etc. In fact, this vulnerability affects most modern hosts.

Good luck to you. Stay alert.
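The save_pref.inc logic quoted above with the checks it was missing, as an added example that is not Roundcube's code and not the contents of commit 648fcf5. The function and list names are assumptions for illustration.

```php
<?php
// Added example, not Roundcube's code and not the fix in 648fcf5: the same
// save-pref handling as save_pref.inc, gated by allowlists. The function
// and list names are assumptions for illustration.

// Preference names the UI legitimately saves via save-pref.
const SAVE_PREF_ALLOWED = ['preview_pane', 'list_cols', 'collapsed_folders'];
// '/'-separated session paths (up to 3 levels) the UI may update.
const SAVE_PREF_ALLOWED_SESSION = ['list_attrib/columns'];

// Apply one save-pref request to $prefs and $session. Returns true when
// applied, false when rejected (the caller should then answer with an
// error status instead of a silent 200).
function save_pref_guarded(string $name, string $value, string $sessname,
                           array &$prefs, array &$session): bool
{
    // Only known preference names may be written; this stops a config
    // option such as generic_message_footer being overridden per user.
    if (!in_array($name, SAVE_PREF_ALLOWED, true)) {
        return false;
    }
    // The session key is matched as a whole path, so the request cannot
    // pick arbitrary $_SESSION keys the way the original explode() did.
    if ($sessname !== '' && !in_array($sessname, SAVE_PREF_ALLOWED_SESSION, true)) {
        return false;
    }
    $prefs[$name] = $value;
    if ($sessname !== '') {
        // Same nesting as the original, now only on an allowlisted path.
        $ref = &$session;
        foreach (explode('/', $sessname) as $key) {
            if (!isset($ref[$key]) || !is_array($ref[$key])) {
                $ref[$key] = [];
            }
            $ref = &$ref[$key];
        }
        $ref = $value;
        unset($ref);
    }
    return true;
}

// Constructed requests: the first mirrors the logged attack, the second a
// legitimate UI save. $prefs/$session stand in for user prefs and $_SESSION.
$prefs = [];
$session = [];
$attack = save_pref_guarded('generic_message_footer', 'config/db.inc.php',
                            'generic_message_footer', $prefs, $session);
$legit = save_pref_guarded('list_cols', 'subject,from', 'list_attrib/columns',
                           $prefs, $session);
var_dump($attack, $legit, $prefs, $session);
```

The first call is rejected by the name allowlist before anything is written, so neither the preference nor the session key changes; the second lands in the nested session path exactly as the original code would have placed it.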
@rcubetrac rcubetrac commented Mar 27, 2013

Comment by @alecpl on 27 Mar 2013 16:07 UTC

Fixed in 648fcf5.

@rcubetrac rcubetrac commented Mar 27, 2013

Status changed by @alecpl on 27 Mar 2013 16:07 UTC

new => closed

@rcubetrac rcubetrac commented Mar 27, 2013

Milestone changed by @alecpl on 27 Mar 2013 16:07 UTC

later => 0.9-stable

@rcubetrac rcubetrac closed this Mar 27, 2013
@rcubetrac rcubetrac commented Mar 27, 2013

Comment by netguard on 27 Mar 2013 16:29 UTC

A little more informative description:

We have found a zero-day vulnerability in the latest versions of roundcube.

The vulnerability is extremely critical and can lead to disclosure of users' passwords.
The vulnerability has been used in the wild for a long time.

Here is an exploitation pattern:

A logged-in user can override any config variable with a save-prefs request.
It is possible to override global_message_footer with any path in the system.
An attacker can set config/db.inc.php or config/main.inc.php there.

After doing this the attacker can get full access to the roundcube database and extract sessions.
Then it is a straightforward task to decrypt the sessions and get users' passwords.

Here is a temporary workaround:

diff --git a/index.php b/index.php
index 8de8ca0..6470295 100644
--- a/index.php
+++ b/index.php
@@ -258,7 +258,8 @@ if ($RCMAIL->action == 'keep-alive') {
  $OUTPUT->send();
}
else if ($RCMAIL->action == 'save-pref') {
-  include INSTALL_PATH . 'program/steps/utils/save_pref.inc';
+  echo "Oops";
+  die;
}
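Review bot: replacing the include with `echo "Oops"; die;` is a kill switch rather than a fix: it disables preference saving for every logged-in user (the UI's legitimate save-pref calls now get a 200 whose body is the literal "Oops") and leaves the unsafe `$_SESSION` write in save_pref.inc untouched for anyone who later restores the action. A workaround that keeps the feature would gate the existing `include INSTALL_PATH . 'program/steps/utils/save_pref.inc';` line behind a check of `_name` and `_session` against a fixed list of preference names the client may set, and answer anything else with an error status instead of 200.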
@rcubetrac rcubetrac added this to the 0.9-stable milestone Mar 20, 2016
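Detection logic for the pattern described in this comment and the logged request quoted in the first comment, as an added example that is not part of the report. The log layout, the allowlists and the sample lines are assumptions and constructed here, not real traffic.

```php
<?php
// Added example, not from the report: flag save-pref requests in web-server
// logs that record the POST body, the shape of the line quoted in the first
// comment. The log layout, the allowlists and the sample lines are
// assumptions/constructed here, not real traffic.

const EXPECTED_PREF_NAMES = ['preview_pane', 'list_cols', 'collapsed_folders'];
const EXPECTED_SESSION_KEYS = ['list_attrib/columns'];

// Returns the reasons a line looks like save-pref abuse, or [] when clean.
// Expected shape: POST <uri> HTTP/1.x" <status> <size> "<referer>" "<agent>" "<body>"
function check_save_pref_line(string $line): array
{
    $re = '~(?:^|")POST (\S+) HTTP/[\d.]+"\s+\d+\s+\S+\s+"[^"]*"\s+"[^"]*"\s+"([^"]*)~';
    if (!preg_match($re, $line, $m)) {
        return []; // not a POST line with a logged body
    }
    parse_str((string) parse_url($m[1], PHP_URL_QUERY), $query);
    parse_str($m[2], $body);
    if (($query['_action'] ?? $body['_action'] ?? '') !== 'save-pref') {
        return [];
    }
    $reasons = [];
    $name  = (string) ($body['_name'] ?? '');
    $sess  = (string) ($body['_session'] ?? '');
    $value = (string) ($body['_value'] ?? '');
    if ($name !== '' && !in_array($name, EXPECTED_PREF_NAMES, true)) {
        $reasons[] = "unexpected preference name '$name'";
    }
    if ($sess !== '' && !in_array($sess, EXPECTED_SESSION_KEYS, true)) {
        $reasons[] = "unexpected session key '$sess'";
    }
    // A path-like value (directory separators, traversal, or a .php/.inc
    // file name) is the tell-tale of the footer file-include abuse.
    if (preg_match('~/|\.\.|\.(inc|php)$~', $value)) {
        $reasons[] = "path-like value '$value'";
    }
    return $reasons;
}

// Constructed lines in the shape of the logged request (not real traffic).
$lines = [
    'POST /?_task=settings&_action=save-pref HTTP/1.1" 200 1133 "http://mail.example.test/?_task=mail" "Mozilla/5.0" "_token=0000&_session=generic_message_footer&_name=generic_message_footer&_value=config/db.inc.php"',
    'POST /?_task=settings&_action=save-pref HTTP/1.1" 200 1133 "http://mail.example.test/?_task=mail" "Mozilla/5.0" "_token=0000&_name=list_cols&_value=subject,from"',
];
foreach ($lines as $i => $line) {
    $reasons = check_save_pref_line($line);
    echo "line $i: ", $reasons ? implode('; ', $reasons) : 'ok', "\n";
}
```

Only servers that log request bodies (as the reporting host did) can be checked this way; with a standard combined log, the `_action=save-pref` query string is still visible and can at least be rate-checked per account.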