
Security Vulnerability in Password Plugin #4757

Closed
rcubetrac opened this issue Feb 4, 2015 · 5 comments

Reported by noamr on 4 Feb 2015 18:18 UTC as Trac ticket #1490261

Description

Roundcube 1.0.4 is shipped with the Password plugin version 3.4. It is, as any other plugin, disabled by default.
Once enabled, it allows an authenticated user to change his current password in the web interface. For this purpose,
the plugin offers several drivers that can be used to perform the actual password change in the back end.

The DBMail driver suffers from a critical Remote Command Execution vulnerability that enables an attacker to execute
arbitrary system commands with root privileges.

Configuration

To enable the Password plugin, add the following line to Roundcube's config file
roundcubemail-1.0.4/config/config.inc.php:

    $config['plugins'] = array('password');

To use the DBMail driver, add the following line to the Password plugin config file
roundcubemail-1.0.4/plugins/password/config.inc.php:

    $config['password_driver'] = 'dbmail';

A list of activated plugins is shown in the "About" page in the web interface (/?_task=settings&_action=about). A new
password can be configured under Settings -> Password.

Affected Code Lines

roundcubemail-1.0.4/plugins/password/password.php

 41     class password extends rcube_plugin {
 95         public function password_save() {
116             $newpwd = rcube_utils::get_input_value('_newpasswd', rcube_utils::INPUT_POST, true);    // user input
154             $this->_save($curpwd, $newpwd);

241         private function _save($curpass, $passwd) {
244             $driver = $config->get('password_driver', 'sql');   // get driver (dbmail)
245             $class  = "rcube_{$driver}_password";
270             $object = new $class;                               // new dbmail
271             $object->save($curpass, $passwd);

roundcubemail-1.0.4/plugins/password/drivers/dbmail.php

 18     class rcube_dbmail_password {
 20         public function save($currpass, $newpass) {
 26             exec("{$curdir}/chgdbmailusers -c {$username} -w {$newpass} {$args}", $output, $returnvalue);  // VULN

Exploit

In line 26 of the dbmail.php driver, the new password entered by the user is not sanitized against injecting shell meta
characters. Thus, by providing the new password "sleep 3" or ";sleep 3;" (without ""), the system command "sleep 3"
will be executed on the targeted web server. Moreover, the chgdbmailusers program shipped with the Password plugin is
run with root privileges:

roundcubemail-1.0.4/plugins/password/helpers/chgdbmailusers.c

 5      // set the UID this script will run as (root user)
 6      #define UID 0
 7      #define CMD "/usr/sbin/dbmail-users"
 8
16      main(int argc, char *argv[])
17      {
18        int cnt,rc,cc;
19        char cmnd[255];
20  
21        strcpy(cmnd, CMD);
22  
23        if (argc > 1)
24        {
25          for (cnt = 1; cnt < argc; cnt++)
26          {
27            strcat(cmnd, " ");
28            strcat(cmnd, argv[cnt]);
29          }
30        }
36  
37        cc = setuid(UID);
38        rc = system(cmnd);

Note that this program also has a buffer overflow vulnerability in line 28 when a password or username longer than 255
characters is used by an attacker.
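As an added defensive illustration (not the project's code and not the fix in 7c96646), here is a hardened form of the helper's argument handling: a bounded join that refuses oversized input instead of overflowing the 255-byte buffer, and an execv() invocation that hands each argument to dbmail-users literally, so no shell re-parses a password such as ";sleep 3;" the way `system(cmnd)` on line 38 does. The function names and the MAX_ARGS limit are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define CMD "/usr/sbin/dbmail-users"
#define MAX_ARGS 16   /* assumed upper bound on helper arguments */

/* Bounded replacement for the strcpy/strcat loop in chgdbmailusers.c:
 * joins CMD and argv[1..] into dst, returning the resulting length, or
 * -1 instead of writing past dstlen. Kept only for logging/inspection;
 * the command is never handed to a shell. */
int join_args(char *dst, size_t dstlen, int argc, char *argv[]) {
    size_t used = strlen(CMD);
    if (dstlen == 0 || used >= dstlen) return -1;
    memcpy(dst, CMD, used + 1);
    for (int i = 1; i < argc; i++) {
        size_t n = strlen(argv[i]);
        if (used + 1 + n >= dstlen) return -1;      /* would overflow */
        dst[used++] = ' ';
        memcpy(dst + used, argv[i], n + 1);
        used += n;
    }
    return (int)used;
}

/* Hardened invocation: build an argv vector and execv() the binary, so
 * shell metacharacters in the password are delivered to dbmail-users as
 * one literal argument. Returns the child's exit status, or -1 on error
 * (127 if the binary cannot be executed). */
int run_dbmail_users(int argc, char *argv[]) {
    char *args[MAX_ARGS + 2];
    if (argc < 1 || argc - 1 > MAX_ARGS) return -1;
    args[0] = (char *)CMD;
    for (int i = 1; i < argc; i++) args[i] = argv[i];
    args[argc] = NULL;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(CMD, args);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```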

Keywords: security vulnerability
Migrated-From: http://trac.roundcube.net/ticket/1490261


Comment by @alecpl on 5 Feb 2015 10:28 UTC

Fixed in 7c96646.


Status changed by @alecpl on 5 Feb 2015 10:28 UTC

new => closed


Milestone changed by @alecpl on 5 Feb 2015 10:28 UTC

later => 1.1.0


Comment by noamr on 5 Feb 2015 10:30 UTC

Hi,

Do you plan on releasing an advisory to report this vulnerability as being there and fixed?


Comment by noamr on 9 Mar 2015 05:28 UTC

For the shell-executing vulnerability use CVE-2015-2180
For multiple buffer overflows use CVE-2015-2181

rcubetrac added this to the 1.1.0 milestone Mar 20, 2016