Reported by noamr on 4 Feb 2015 18:18 UTC as Trac ticket #1490261
Description
Roundcube 1.0.4 ships with the Password plugin version 3.4. Like any other plugin, it is disabled by default.
Once enabled, it allows an authenticated user to change their current password in the web interface. For this purpose,
the plugin offers several drivers that perform the actual password change in the back end.
The DBMail driver suffers from a critical Remote Command Execution vulnerability that enables an attacker to execute
arbitrary system commands with root privileges.
Configuration
To enable the Password plugin, add the following line to Roundcube's config file
roundcubemail-1.0.4/config/config.inc.php:
$config['plugins'] = array('password');
To use the DBMail driver, add the following line to the Password plugin config file
roundcubemail-1.0.4/plugins/password/config.inc.php:
$config['password_driver'] = 'dbmail';
A list of activated plugins is shown in the "About" page in the web interface (/?_task=settings&_action=about). A new
password can be configured under Settings -> Password.
Affected Code Lines
roundcubemail-1.0.4/plugins/password/password.php
41 class password extends rcube_plugin {
95   public function password_save() {
116    $newpwd = rcube_utils::get_input_value('_newpasswd', rcube_utils::INPUT_POST, true); // user input
154    $this->_save($curpwd, $newpwd);
241  private function _save($curpass, $passwd) {
244    $driver = $config->get('password_driver', 'sql'); // get driver (dbmail)
245    $class = "rcube_{$driver}_password";
270    $object = new $class; // new dbmail
271    $object->save($curpass, $passwd);
roundcubemail-1.0.4/plugins/password/drivers/dbmail.php
18 class rcube_dbmail_password {
20   public function save($currpass, $newpass) {
26     exec("{$curdir}/chgdbmailusers -c {$username} -w {$newpass} {$args}", $output, $returnvalue); // VULN: unescaped user input goes through /bin/sh
Exploit
In line 26 of the dbmail.php driver, the new password entered by the user is not sanitized against injected shell
metacharacters. Thus, by providing the new password "sleep 3" or ";sleep 3;" (without the quotes), the system command
"sleep 3" will be executed on the targeted web server. Moreover, the chgdbmailusers program shipped with the Password
plugin is run with root privileges:
roundcubemail-1.0.4/plugins/password/helpers/chgdbmailusers.c
5 // set the UID this script will run as (root user)
6 #define UID 0
7 #define CMD "/usr/sbin/dbmail-users"
8
16 main(int argc, char *argv[])
17 {
18   int cnt,rc,cc;
19   char cmnd[255];            // fixed-size buffer, filled below without a bound check
20
21   strcpy(cmnd, CMD);
22
23   if (argc > 1)
24   {
25     for (cnt = 1; cnt < argc; cnt++)
26     {
27       strcat(cmnd, " ");
28       strcat(cmnd, argv[cnt]); // unbounded strcat of attacker-controlled argv: buffer overflow
29     }
30   }
36
37   cc = setuid(UID);          // become root
38   rc = system(cmnd);         // command line is parsed by /bin/sh again, as root
Note that this program also has a buffer overflow vulnerability in line 28 when a password or username longer than 255
characters is used by an attacker, because strcat() appends argv into the 255-byte cmnd buffer without any length check.
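As an added example (not Roundcube's own code), the driver's command-building step as reported is shown next to a hardened variant that quotes each untrusted value with escapeshellarg() and bounds the password length so the full command stays well below the helper's 255-byte buffer. The install path, the length limit and the permitted username character set are assumptions; only strings are built, nothing is executed.

```php
<?php
// Added example, not Roundcube's code. Builds the command string only.

// Reported pattern (dbmail.php line 26): user input is interpolated straight into
// the command line, so exec() hands any shell metacharacters in $newpass to /bin/sh.
function build_command_unsafe(string $curdir, string $username, string $newpass, string $args): string
{
    return "{$curdir}/chgdbmailusers -c {$username} -w {$newpass} {$args}";
}

// Assumed limit: keeps CMD plus options plus both values far below cmnd[255]
// in chgdbmailusers.c, which strcat() fills with no bound check.
const MAX_PASSWORD_LEN = 64;

// Hardened pattern: every untrusted value becomes one single-quoted shell word via
// escapeshellarg(), so ';', '|', '`' and '$(' reach chgdbmailusers as literal
// characters inside a single argv entry instead of being parsed by the shell.
function build_command_safe(string $curdir, string $username, string $newpass, string $args): string
{
    if (strlen($newpass) > MAX_PASSWORD_LEN || strpos($newpass, "\0") !== false) {
        throw new InvalidArgumentException('password too long or contains a NUL byte');
    }
    // Assumed allow-list for the login name (local part or full e-mail address).
    if (!preg_match('/^[A-Za-z0-9._+@-]{1,64}$/', $username)) {
        throw new InvalidArgumentException('unexpected characters in username');
    }
    // $args is taken to come from the admin-controlled plugin configuration, not
    // from the user (assumption for this example), so it is appended as-is.
    return escapeshellarg($curdir . '/chgdbmailusers')
        . ' -c ' . escapeshellarg($username)
        . ' -w ' . escapeshellarg($newpass)
        . ($args !== '' ? ' ' . $args : '');
}

// Constructed sample input: the payload named in the report, with an assumed path.
$curdir   = '/var/www/roundcube/plugins/password/helpers';
$username = 'alice';
$newpass  = ';sleep 3;';

echo "unsafe: ", build_command_unsafe($curdir, $username, $newpass, ''), "\n";
echo "safe:   ", build_command_safe($curdir, $username, $newpass, ''), "\n";

// An over-long password is rejected before it can reach the helper's buffer.
try {
    build_command_safe($curdir, $username, str_repeat('A', 300), '');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

In the "unsafe" line the semicolons terminate the chgdbmailusers command and start a second one; in the "safe" line the whole password is one quoted word, which is the check to make when reviewing any exec() call that embeds request data.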
Keywords: security vulnerability
Migrated-From: http://trac.roundcube.net/ticket/1490261