Popular open-source e-mail application Roundcube v1.2.2 command execution vulnerability analysis - vulnerability warning - the black bar safety net

ID MYHACK58:62201682391
Type myhack58
Reporter 佚名 (anonymous)
Modified 2016-12-25T00:00:00


Description

Roundcube is a widely used open-source e-mail program; many organizations and companies around the world run it. In the past year alone, the SourceForge mirror recorded more than 26 million downloads of the release file, and that is only a fraction of the actual user base. Once installed on a server, Roundcube provides a web interface through which authenticated users can read and send e-mail from a browser. In this article we look at how an attacker can achieve arbitrary command execution on the underlying operating system simply by composing an e-mail in Roundcube 1.2.2 (every version >= 1.0 is affected). This is a high-risk vulnerability because default installations of Roundcube are affected, so we strongly recommend that Roundcube administrators update to version 1.2.3 as soon as possible.

[Figure: RIPS analysis results chart]

RIPS (an automated static analysis tool for PHP code) took 25 seconds to analyze the entire application and detected the security vulnerability shown in the chart above. Although the chart lists many issues, most of them are not serious, because they are located in the installer module or in legacy code. We still recommend fixing them and removing the legacy code, so that it cannot be used unsafely or chained with another weakness into a combined vulnerability. The full analysis results can be viewed in our RIPS demo. Note that our analysis here covers only the vulnerability described in this article.

The exploit conditions

- Roundcube must be configured to use the PHP mail() function (this is the default if no SMTP server is specified)
- The PHP mail() function must be configured to use sendmail (the default)
- safe_mode must be off in the PHP configuration (the default)
- The attacker must know or guess the absolute path of the site's web root

These conditions are easily met, which in turn means that many vulnerable systems exist on the Internet.

Vulnerability description

In Roundcube 1.2.2 and earlier, user input is passed without filtering to the fifth parameter of PHP's built-in mail() function, which has proven to be a very high security risk. The root of the problem is that a call to mail() causes PHP to invoke the sendmail program, and the fifth parameter allows additional arguments to be passed that configure sendmail. Since sendmail also provides the -X option to log the e-mail transaction to a file, an attacker can use this option to create a malicious PHP file in the site's web root. The following code triggers the vulnerability.

program/steps/mail/sendmail.inc

```php
$from = rcube_utils::get_input_value('_from', rcube_utils::INPUT_POST, true, $message_charset);
⋮
$sent = $RCMAIL->deliver_message($MAIL_MIME, $from, $mailto, $smtp_error, $mailbody_file, $smtp_opts);
```

In the code above, the value of the POST parameter _from is read and then passed to the deliver_message() method as its second parameter, $from.

program/lib/Roundcube/rcube.php

```php
public function deliver_message(&$message, $from, $mailto, &$error, &$body_file = null, $options = null)
{
    ⋮
    if (filter_var(ini_get('safe_mode'), FILTER_VALIDATE_BOOLEAN))
        $sent = mail($to, $subject, $msg_body, $header_str);
    else
        $sent = mail($to, $subject, $msg_body, $header_str, "-f$from");
```

The method then passes the $from parameter on to the mail() function. The intent is to set a custom From address by passing the -f option to the sendmail program.

The filter is not strict

Funnily enough, the from parameter does seem to be filtered by a regular expression. In general, $from therefore contains no spaces, which also prevents any further options from being appended after -f. Attempts to use a whitespace substitute such as $IFS, or to inject a new shell command with backticks, are unsuccessful. However, the application contains a logic defect that makes this filter fail.

program/steps/mail/sendmail.inc

```php
else if ($from_string = rcmail_email_input_format($from)) {
    if (preg_match('/(\S+@\S+)/', $from_string, $m))
        $from = trim($m[1], '<>');   // angle brackets restored; they were lost in HTML extraction
    else
        $from = null;
}
```

In line 105, an e-mail address containing no spaces is extracted from the user-controlled $from variable. But this extraction only takes place when rcmail_email_input_format() returns TRUE (a non-empty result). Next, we analyze this function.

program/steps/mail/sendmail.inc

```php
function rcmail_email_input_format($mailto, $count=false, $check=true)
{
    global $RCMAIL, $EMAIL_FORMAT_ERROR, $RECIPIENT_COUNT;

    // simplified email regexp, supporting quoted local part
    $email_regexp = '(\S+|("[^"]+"))@\S+';
    ⋮
    // replace new lines and strip ending ', ', make address input more valid
    $mailto = trim(preg_replace($regexp, $replace, $mailto));
    $items  = rcube_utils::explode_quoted_string($delim, $mailto);
    $result = array();

    foreach ($items as $item) {
        $item = trim($item);
        // address in brackets without name (do nothing)
        if (preg_match('/^<\S+@\S+>$/', $item)) {   // angle brackets restored; lost in HTML extraction
            $item = rcube_utils::idn_to_ascii(trim($item, '<>'));
            $result[] = $item;
        }
        ⋮
```
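As an added example that is not Roundcube's own code, the mail() fifth-argument sink from deliver_message() written once in its vulnerable shape and once hardened with an allowlist validator; the function names are hypothetical and the sample inputs are constructed.

```php
<?php
// Added example (not Roundcube's code): the mail() fifth-argument sink from
// deliver_message(), written once the vulnerable way and once hardened.
// Function names here are hypothetical; the self-check below sends no mail.
declare(strict_types=1);

// Vulnerable shape, as in Roundcube <= 1.2.2: whatever survived the
// "\S+@\S+" extraction is interpolated into sendmail's extra arguments.
// Any whitespace left in $from turns the rest of it into new sendmail options.
function deliver_vulnerable(string $to, string $subject, string $body, string $headers, string $from): bool
{
    return mail($to, $subject, $body, $headers, "-f$from");
}

// Allowlist for the envelope sender: dot-atom local part, no quotes, no
// whitespace, no option or shell metacharacters. FILTER_VALIDATE_EMAIL alone
// is not enough, because it accepts RFC 5321 quoted local parts such as
// "a b"@host, which carry exactly the space the vulnerable path needs.
function is_safe_envelope_sender(string $from): bool
{
    return strlen($from) <= 254
        && preg_match('/^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$/', $from) === 1;
}

// Hardened shape: validate first, fail closed by dropping -f entirely, and
// quote the argument as a second layer even though the allowlist already
// excludes whitespace.
function deliver_hardened(string $to, string $subject, string $body, string $headers, string $from): bool
{
    if (!is_safe_envelope_sender($from)) {
        return mail($to, $subject, $body, $headers);
    }
    return mail($to, $subject, $body, $headers, '-f' . escapeshellarg($from));
}

// Self-check of the validator on constructed inputs (expected: all "ok").
$cases = [
    'alice@example.org'                => true,
    '"alice bob"@example.org'          => false, // quoted local part with a space
    'alice@example.org -X/tmp/trace'   => false, // second sendmail option smuggled in
    "alice@example.org\t-X/tmp/trace"  => false, // tab instead of space
    'alice@example.org`id`'            => false, // shell metacharacters
];
foreach ($cases as $input => $expected) {
    $got = is_safe_envelope_sender($input);
    printf("%-40s %s\n", json_encode($input), $got === $expected ? 'ok' : 'FAIL');
}
```

The allowlist deliberately rejects some rare but valid addresses (quoted local parts, unusual atext characters); for an envelope sender that a web application hands to a local MTA, that trade-off is the safe one.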

[Page 1 of 2; the analysis continues on the next page]