CVE-2016-9920 - Improper Access Control vulnerability in Roundcube Webmail

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Tags: network, high complexity, roundcube, CWE-284, nessus

Summary

steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.
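The summary describes the root cause as an envelope-from address reaching the sendmail command line without restriction. The Python block below is an added example, not Roundcube's code: it models how an address spliced into an option string is split into additional arguments, and contrasts that with a validated address placed as one element of an argv list. The sendmail path, the address pattern, the length limit and the sample addresses are assumptions constructed for the demonstration.

```python
"""Envelope-from handling on a sendmail command line (added example, not
Roundcube's code).

CVE-2016-9920 is an argument injection: the sender address chosen in the
compose form ended up, unrestricted, in the "-f" option passed to sendmail.
Any whitespace inside that value turns one intended argument into several.
The hardened path below validates the address first and builds argv as a
list, so the value is never re-tokenised.
"""
import re
import shlex
from typing import List, Optional

# Assumed path of the MTA binary; nothing in this file executes it.
SENDMAIL = "/usr/sbin/sendmail"

# Deliberately stricter than RFC 5321 (an assumption of this example): one
# dotted-atom local part and a hostname-shaped domain.  Whitespace, quotes and
# shell metacharacters are excluded because they are what let a value grow
# into extra options.
_ENVELOPE_FROM = re.compile(
    r"^[A-Za-z0-9._%+=-]{1,64}"
    r"@(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)
MAX_ADDR_LEN = 254


def legacy_additional_params(envelope_from: str) -> str:
    """Pre-fix pattern: the address is spliced into an option *string*.

    PHP's mail() takes such a string as its 5th argument and hands it to the
    sendmail command line, where whitespace separates arguments.
    """
    return "-f" + envelope_from


def tokens_seen_by_sendmail(additional_params: str) -> List[str]:
    """Model the shell's word splitting of an option string."""
    return shlex.split(additional_params)


def is_safe_envelope_from(envelope_from: str) -> bool:
    """Accept only addresses that cannot change the shape of the command line."""
    if not envelope_from or len(envelope_from) > MAX_ADDR_LEN:
        return False
    if envelope_from.startswith("-"):
        # Never let the value itself look like an option, even if a caller
        # later passes it as a separate argument.
        return False
    if any(ch.isspace() for ch in envelope_from):
        # Already excluded by the regex; kept explicit because this is the
        # property the fix depends on.
        return False
    return _ENVELOPE_FROM.fullmatch(envelope_from) is not None


def build_sendmail_argv(envelope_from: Optional[str]) -> List[str]:
    """Hardened: validate, then build argv as a list.

    The address is glued to "-f" inside a single element, so no later
    tokenisation can split it.  An invalid address raises instead of being
    passed through; the caller decides whether to fall back to the default
    sender.
    """
    argv = [SENDMAIL, "-t", "-i"]
    if envelope_from is not None:
        if not is_safe_envelope_from(envelope_from):
            raise ValueError("rejected envelope-from: %r" % envelope_from)
        argv.append("-f" + envelope_from)
    return argv


def envelope_from_rejected(envelope_from: str) -> bool:
    """True when the hardened builder refuses the address."""
    try:
        build_sendmail_argv(envelope_from)
    except ValueError:
        return True
    return False


def compare_paths() -> dict:
    """Run both paths over constructed sample addresses (not real mailboxes)."""
    good = "alice@example.com"
    # Constructed: a trailing word is enough to show the splitting; in the
    # real bug the extra token is interpreted as a sendmail option.
    bad = "alice@example.com extra-token"
    return {
        "legacy_good_tokens": tokens_seen_by_sendmail(legacy_additional_params(good)),
        "legacy_bad_tokens": tokens_seen_by_sendmail(legacy_additional_params(bad)),
        "hardened_good_argv": build_sendmail_argv(good),
        "hardened_bad_rejected": envelope_from_rejected(bad),
    }


if __name__ == "__main__":
    for name, value in compare_paths().items():
        print("%-22s %r" % (name, value))
```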

Vulnerable Configurations

Part         Description   Count
Application  Roundcube     111

Common Weakness Enumeration (CWE)

  • CWE-284: Improper Access Control

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Embedding Scripts within Scripts
    An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, the attacker can potentially launch a variety of probes and attacks against the web server's local environment (in many cases the so-called DMZ), the back-end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries such as web application firewalls, network devices, and even printers that have JVMs and web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side; client-side scripts such as Ajax and client-side JavaScript can contain malicious scripts as well. In general, all that is required is sufficient privilege to execute a script without protection against writing it.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Nessus

  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_125F5958B61111E6A9A5B499BAEBFEAF.NASL
    Description: The Roundcube project reports: steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.
    Last seen: 2020-06-01
    Modified: 2020-06-02
    Plugin id: 95393
    Published: 2016-11-29
    Reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    Source: https://www.tenable.com/plugins/nessus/95393
    Title: FreeBSD : Roundcube -- arbitrary command execution (125f5958-b611-11e6-a9a5-b499baebfeaf)
    Code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(95393);
      script_version("3.4");
      script_cvs_date("Date: 2018/11/21 10:46:31");
    
      script_cve_id("CVE-2016-9920");
      script_bugtraq_id(94858);
    
      script_name(english:"FreeBSD : Roundcube -- arbitrary command execution (125f5958-b611-11e6-a9a5-b499baebfeaf)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The Roundcube project reports
    
    steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before
    1.2.3, when no SMTP server is configured and the sendmail program is
    enabled, does not properly restrict the use of custom envelope-from
    addresses on the sendmail command line, which allows remote
    authenticated users to execute arbitrary code via a modified HTTP
    request that sends a crafted e-mail message."
      );
      # http://www.openwall.com/lists/oss-security/2016/12/08/17
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.openwall.com/lists/oss-security/2016/12/08/17"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://github.com/roundcube/roundcubemail/wiki/Changelog#release-123"
      );
      # https://vuxml.freebsd.org/freebsd/125f5958-b611-11e6-a9a5-b499baebfeaf.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?f79968e0"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:roundcube");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/29");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/11/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"roundcube<1.2.3,1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2016-D361D188D9.NASL
    Description: **Version 1.2.3** - Searching in both contacts and groups when LDAP addressbook with group_filters option is used - Fix vulnerability in handling of mail()
    Last seen: 2020-06-05
    Modified: 2016-12-12
    Plugin id: 95688
    Published: 2016-12-12
    Reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    Source: https://www.tenable.com/plugins/nessus/95688
    Title: Fedora 25 : roundcubemail (2016-d361d188d9)
    Code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2016-d361d188d9.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(95688);
      script_version("3.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-9920");
      script_xref(name:"FEDORA", value:"2016-d361d188d9");
    
      script_name(english:"Fedora 25 : roundcubemail (2016-d361d188d9)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "**Version 1.2.3**
    
      - Searching in both contacts and groups when LDAP
        addressbook with group_filters option is used
    
      - Fix vulnerability in handling of mail()'s 5th argument
    
      - Fix To: header encoding in mail sent with mail() method
        (#5475)
    
      - Fix flickering of header topline in min-mode (#5426)
    
      - Fix bug where folders list would scroll to top when
        clicking on subscription checkbox (#5447)
    
      - Fix decoding of GB2312/GBK text when iconv is not
        installed (#5448)
    
      - Fix regression where creation of default folders wasn't
        functioning without prefix (#5460)
    
      - Enigma: Fix bug where last records on keys list were
        hidden (#5461)
    
      - Enigma: Fix key search with keyword containing non-ascii
        characters (#5459)
    
      - Fix bug where deleting folders with subfolders could
        fail in some cases (#5466)
    
      - Fix bug where IMAP password could be exposed via error
        message (#5472)
    
      - Fix bug where it wasn't possible to store more that 2MB
        objects in memcache/apc, Added
        memcache_max_allowed_packet and apc_max_allowed_packet
        settings (#5452)
    
      - Fix 'Illegal string offset' warning in rcube::log_bug()
        on PHP 7.1 (#5508)
    
      - Fix storing 'empty' values in
        rcube_cache/rcube_cache_shared (#5519)
    
      - Fix missing content check when image resize fails on
        attachment thumbnail generation (#5485)
    
      - Fix displaying attached images with wrong Content-Type
        specified (#5527)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-d361d188d9"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected roundcubemail package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:roundcubemail");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/12/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC25", reference:"roundcubemail-1.2.3-1.fc25")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "roundcubemail");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2016-60753C3DCD.NASL
    Description: **Version 1.2.3** - Searching in both contacts and groups when LDAP addressbook with group_filters option is used - Fix vulnerability in handling of mail()
    Last seen: 2020-06-05
    Modified: 2016-12-14
    Plugin id: 95780
    Published: 2016-12-14
    Reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    Source: https://www.tenable.com/plugins/nessus/95780
    Title: Fedora 24 : roundcubemail (2016-60753c3dcd)
    Code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2016-60753c3dcd.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(95780);
      script_version("3.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-9920");
      script_xref(name:"FEDORA", value:"2016-60753c3dcd");
    
      script_name(english:"Fedora 24 : roundcubemail (2016-60753c3dcd)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "**Version 1.2.3**
    
      - Searching in both contacts and groups when LDAP
        addressbook with group_filters option is used
    
      - Fix vulnerability in handling of mail()'s 5th argument
    
      - Fix To: header encoding in mail sent with mail() method
        (#5475)
    
      - Fix flickering of header topline in min-mode (#5426)
    
      - Fix bug where folders list would scroll to top when
        clicking on subscription checkbox (#5447)
    
      - Fix decoding of GB2312/GBK text when iconv is not
        installed (#5448)
    
      - Fix regression where creation of default folders wasn't
        functioning without prefix (#5460)
    
      - Enigma: Fix bug where last records on keys list were
        hidden (#5461)
    
      - Enigma: Fix key search with keyword containing non-ascii
        characters (#5459)
    
      - Fix bug where deleting folders with subfolders could
        fail in some cases (#5466)
    
      - Fix bug where IMAP password could be exposed via error
        message (#5472)
    
      - Fix bug where it wasn't possible to store more that 2MB
        objects in memcache/apc, Added
        memcache_max_allowed_packet and apc_max_allowed_packet
        settings (#5452)
    
      - Fix 'Illegal string offset' warning in rcube::log_bug()
        on PHP 7.1 (#5508)
    
      - Fix storing 'empty' values in
        rcube_cache/rcube_cache_shared (#5519)
    
      - Fix missing content check when image resize fails on
        attachment thumbnail generation (#5485)
    
      - Fix displaying attached images with wrong Content-Type
        specified (#5527)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-60753c3dcd"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected roundcubemail package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:roundcubemail");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:24");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/12/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/14");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^24([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 24", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC24", reference:"roundcubemail-1.2.3-1.fc24")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "roundcubemail");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2016-B4896F20B3.NASL
    Description: **Version 1.2.3** - Searching in both contacts and groups when LDAP addressbook with group_filters option is used - Fix vulnerability in handling of mail()
    Last seen: 2020-06-05
    Modified: 2016-12-14
    Plugin id: 95783
    Published: 2016-12-14
    Reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    Source: https://www.tenable.com/plugins/nessus/95783
    Title: Fedora 23 : roundcubemail (2016-b4896f20b3)
    Code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2016-b4896f20b3.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(95783);
      script_version("3.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-9920");
      script_xref(name:"FEDORA", value:"2016-b4896f20b3");
    
      script_name(english:"Fedora 23 : roundcubemail (2016-b4896f20b3)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "**Version 1.2.3**
    
      - Searching in both contacts and groups when LDAP
        addressbook with group_filters option is used
    
      - Fix vulnerability in handling of mail()'s 5th argument
    
      - Fix To: header encoding in mail sent with mail() method
        (#5475)
    
      - Fix flickering of header topline in min-mode (#5426)
    
      - Fix bug where folders list would scroll to top when
        clicking on subscription checkbox (#5447)
    
      - Fix decoding of GB2312/GBK text when iconv is not
        installed (#5448)
    
      - Fix regression where creation of default folders wasn't
        functioning without prefix (#5460)
    
      - Enigma: Fix bug where last records on keys list were
        hidden (#5461)
    
      - Enigma: Fix key search with keyword containing non-ascii
        characters (#5459)
    
      - Fix bug where deleting folders with subfolders could
        fail in some cases (#5466)
    
      - Fix bug where IMAP password could be exposed via error
        message (#5472)
    
      - Fix bug where it wasn't possible to store more that 2MB
        objects in memcache/apc, Added
        memcache_max_allowed_packet and apc_max_allowed_packet
        settings (#5452)
    
      - Fix 'Illegal string offset' warning in rcube::log_bug()
        on PHP 7.1 (#5508)
    
      - Fix storing 'empty' values in
        rcube_cache/rcube_cache_shared (#5519)
    
      - Fix missing content check when image resize fails on
        attachment thumbnail generation (#5485)
    
      - Fix displaying attached images with wrong Content-Type
        specified (#5527)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-b4896f20b3"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected roundcubemail package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:roundcubemail");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:23");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/12/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/14");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^23([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 23", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC23", reference:"roundcubemail-1.2.3-1.fc23")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "roundcubemail");
    }
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201612-44.NASL
    Description: The remote host is affected by the vulnerability described in GLSA-201612-44 (Roundcube: Arbitrary code execution). Roundcube, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line. Impact: An authenticated remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition. Workaround: Don't use an MTA (Mail Transfer Agent) in conjunction with Roundcube which implements sendmail's "-O" or "-X" parameter, or configure Roundcube to use an SMTP server as recommended by upstream.
    Last seen: 2020-06-01
    Modified: 2020-06-02
    Plugin id: 96124
    Published: 2016-12-27
    Reporter: This script is Copyright (C) 2016 Tenable Network Security, Inc.
    Source: https://www.tenable.com/plugins/nessus/96124
    Title: GLSA-201612-44 : Roundcube: Arbitrary code execution
    Code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201612-44.
    #
    # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96124);
      script_version("$Revision: 3.1 $");
      script_cvs_date("$Date: 2016/12/27 14:30:01 $");
    
      script_cve_id("CVE-2016-9920");
      script_xref(name:"GLSA", value:"201612-44");
    
      script_name(english:"GLSA-201612-44 : Roundcube: Arbitrary code execution");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201612-44
    (Roundcube: Arbitrary code execution)
    
        Roundcube, when no SMTP server is configured and the sendmail program is
          enabled, does not properly restrict the use of custom envelope-from
          addresses on the sendmail command line.
      
    Impact :
    
        An authenticated remote attacker could possibly execute arbitrary code
          with the privileges of the process, or cause a Denial of Service
          condition.
      
    Workaround :
    
        Don&rsquo;t use a MTA (Mail Transfer Agent) in conjunction with Roundcube
          which implements sendmail&rsquo;s &ldquo;-O&rdquo; or &ldquo;-X&rdquo; parameter, or
          configure Roundcube to use a SMTP server as recommended by upstream."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201612-44"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Roundcube users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=mail-client/roundcube-1.2.3'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:roundcube");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2016/12/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/27");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"mail-client/roundcube", unaffected:make_list("ge 1.2.3"), vulnerable:make_list("lt 1.2.3"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Roundcube");
    }
    

Seebug

bulletinFamily: exploit

description: Chinese analysis: http://paper.seebug.org/138/

Author: p0wd3r, LG (Knownsec 404 Security Lab, 知道创宇404安全实验室)

[Roundcube](https://www.roundcube.net/) is a widely distributed open-source webmail software used by many organizations and companies around the globe. The mirror on SourceForge, for example, counts more than 260,000 downloads in the last 12 months, which is only a small fraction of the actual users. Once Roundcube is installed on a server, it provides a web interface for authenticated users to send and receive emails with their web browser. In this post, we show how a malicious user can remotely execute arbitrary commands on the underlying operating system, simply by writing an email in Roundcube 1.2.2 (>= 1.0). This vulnerability is highly critical because all default installations are affected. We urge all administrators to update the Roundcube installation to the latest version 1.2.3 as soon as possible.

### RIPS Analysis

It took RIPS exactly 25 seconds to fully analyze the whole application and to detect the security vulnerabilities shown in the charts above. Although the issues seem to come in numbers, many of them turned out to be less severe because they were part of the installation module or of dead legacy code. Regardless, it is advised to also fix these vulnerabilities and to remove the dead code in order to prevent future unsafe use or combinations with other security bugs, as demonstrated in earlier posts of our advent calendar. The truncated analysis results are available in our RIPS demo application. Please note that we limited the results to the issues described in this post in order to ensure a fix is available.

[See RIPS report](https://demo.ripstech.com/project/10/)

### Requirements

The vulnerability has the following requirements for exploitation:

* Roundcube must be configured to use PHP's `mail()` function (by default, _if no SMTP was specified_)
* PHP's `mail()` function is configured to use sendmail (by default, see _sendmail_path_)
* PHP is configured to have `safe_mode` turned off (by default, see _safe_mode_)
* An attacker must know or guess the absolute path of the webroot

These requirements are not particularly demanding, which in turn means that there were a lot of vulnerable systems in the wild.

### Description

In Roundcube 1.2.2 and earlier, user-controlled input flows unsanitized into the fifth argument of a call to PHP's built-in function `mail()`, which is documented as [critical](https://www.saotn.org/exploit-phps-mail-get-remote-code-execution/) in terms of security. The problem is that the invocation of the `mail()` function causes PHP to execute the sendmail program. The fifth argument allows passing additional parameters to this execution, which allows a configuration of sendmail. Since sendmail offers the `-X` option to log all mail traffic in a file, an attacker can abuse this option and spawn a malicious PHP file in the webroot directory of the attacked server. Although this vulnerability is rare and not widely known, RIPS detected it within seconds. The following code lines trigger the vulnerability.

#### program/steps/mail/sendmail.inc

```php
$from = rcube_utils::get_input_value('_from', rcube_utils::INPUT_POST, true, $message_charset);
⋮
$sent = $RCMAIL->deliver_message($MAIL_MIME, $from, $mailto, $smtp_error, $mailbody_file, $smtp_opts);
```

Here, the value of the POST parameter `_from` is fetched and Roundcube's `deliver_message()` method is invoked with the value used as second argument `$from`.

#### program/lib/Roundcube/rcube.php

```php
public function deliver_message(&$message, $from, $mailto, &$error, &$body_file = null, $options = null)
{
    ⋮
    if (filter_var(ini_get('safe_mode'), FILTER_VALIDATE_BOOLEAN))
        $sent = mail($to, $subject, $msg_body, $header_str);
    else
        $sent = mail($to, $subject, $msg_body, $header_str, "-f$from");
```

This method then passes the `$from` parameter to a call of the `mail()` function. The idea is to pass a custom `from` header to the sendmail program via the `-f` option.

### Insufficient Sanitization

An interesting part is that it seems as if the `from` e-mail address is filtered beforehand with a regular expression. Basically, the `$from` parameter is expected to have no whitespace, which would limit the possibility to attach other parameters behind the `-f` parameter. Using whitespace constants such as `$IFS` or injecting new shell commands with backticks does not succeed at this point. However, there is a logical flaw in the application that causes the sanitization to fail.

#### program/steps/mail/sendmail.inc

```php
else if ($from_string = rcmail_email_input_format($from)) {
    if (preg_match('/(\S+@\S+)/', $from_string, $m))
        $from = trim($m[1], '<>');
    else
        $from = null;
}
```

In line 105, an email that contains no whitespace is extracted from the user-controlled variable `$from`. However, this extraction only takes place when the `rcmail_email_input_format()` function returns a value equivalent to TRUE. In the following, we examine this function closely.

#### program/steps/mail/sendmail.inc

```php
function rcmail_email_input_format($mailto, $count=false, $check=true)
{
    global $RCMAIL, $EMAIL_FORMAT_ERROR, $RECIPIENT_COUNT;

    // simplified email regexp, supporting quoted local part
    $email_regexp = '(\S+|("[^"]+"))@\S+';
    ⋮
    // replace new lines and strip ending ', ', make address input more valid
    $mailto = trim(preg_replace($regexp, $replace, $mailto));
    $items  = rcube_utils::explode_quoted_string($delim, $mailto);
    $result = array();

    foreach ($items as $item) {
        $item = trim($item);
        // address in brackets without name (do nothing)
        if (preg_match('/^<'.$email_regexp.'>$/', $item)) {
            $item     = rcube_utils::idn_to_ascii(trim($item, '<>'));
            $result[] = $item;
        }
        ⋮
        else if (trim($item)) {
            continue;
        }
        ⋮
    }

    if ($count) {
        $RECIPIENT_COUNT += count($result);
    }

    return implode(', ', $result);
}
```

The function uses another regular expression in line 863 which requires that the line ends (`$`) right after the email match. A payload used by an attacker does not have to match this regex, and therefore the array `$result` stays empty after the `foreach` loop. In this case, the `implode()` function in line 876 returns an empty string (equal to FALSE) and the `$from` variable is **not** altered nor sanitized.

### Proof of Concept

When an email is sent with Roundcube, the HTTP request can be intercepted and altered. Here, the `_from` parameter can be modified in order to place a malicious PHP file on the file system.

```
[email protected] -OQueueDirectory=/tmp -X/var/www/html/rce.php
```

This allows an attacker to spawn a shell file _rce.php_ in the web root directory with the contents of the `_subject` parameter, which can contain PHP code.

After performing the request, a file with the following content is created:

```
04731 >>> Recipient names must be specified
04731 <<< To: squinty@localhost
04731 <<< Subject: <?php phpinfo(); ?>
04731 <<< X-PHP-Originating-Script: 1000:rcube.php
04731 <<< MIME-Version: 1.0
04731 <<< Content-Type: text/plain; charset=US-ASCII;
04731 <<<  format=flowed
04731 <<< Content-Transfer-Encoding: 7bit
04731 <<< Date: So, 20 Nov 2016 04:02:52 +0100
04731 <<< From: [email protected] -OQueueDirectory=/tmp
04731 <<<  -X/var/www/html/rce.php
04731 <<< Message-ID: <390a0c6379024872a7f0310cdea24900@localhost>
04731 <<< X-Sender: [email protected] -OQueueDirectory=/tmp
04731 <<<  -X/var/www/html/rce.php
04731 <<< User-Agent: Roundcube Webmail/1.2.2
04731 <<<
04731 <<< Funny e-mail message
04731 <<< [EOF]
```

Since the email data is unencoded, the subject parameter is reflected in plaintext, which allows the injection of PHP tags into the shell file.

### Time Line

| Date | What |
| --- | --- |
| 2016/11/21 | First contact with vendor |
| 2016/11/22 | [Vendor fixes vulnerability on GitHub](https://github.com/roundcube/roundcubemail/commit/f84233785ddeed01445fc855f3ae1e8a62f167e1) |
| 2016/11/28 | Vendor agrees to coordinated disclosure |
| 2016/11/28 | [Vendor releases updated version Roundcube 1.2.3](https://roundcube.net/news/2016/11/28/updates-1.2.3-and-1.1.7-released) |

### Summary

Roundcube 1.2.2 is resistant against many attack vectors, and a large community works on the software continuously to keep securing the application. However, the vulnerability described in this post could slip through and is an edge case due to its rarity. With the aid of automated testing, it is not only possible to detect such edge cases, but it also saves human resources that can then focus on different aspects of the development process of a secure web application.

We would like to thank the Roundcube team for the very quick fix after just one day, and the new release made available only after one week! This is a very impressive and professional response towards security issues.
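The logic flaw described under "Insufficient Sanitization", reproduced in isolation with a hardened variant beside it. This is an added illustration, not Roundcube's code or its actual fix; `email_input_format()` is a cut-down stand-in for `rcmail_email_input_format()`, and the sample inputs are constructed.

```php
<?php
// Added illustration, not Roundcube's code: when a sanitizer's falsy return
// value is the condition for sanitising, input it cannot parse flows on untouched.

// Cut-down stand-in for rcmail_email_input_format(): keeps only items that are a
// single bracketed address and silently drops the rest, so it may return ''.
function email_input_format(string $mailto): string
{
    $email_regexp = '(\S+|("[^"]+"))@\S+';
    $result = [];
    foreach (explode(',', $mailto) as $item) {
        $item = trim($item);
        if (preg_match('/^<' . $email_regexp . '>$/', $item)) {
            $result[] = trim($item, '<>');
        }
    }
    return implode(', ', $result);   // '' (falsy) when nothing matched
}
// Vulnerable shape: extraction runs only if the formatter returned a non-empty
// string, so a value the formatter rejects is passed on without sanitisation.
function from_param_vulnerable(string $from): ?string
{
    if ($from_string = email_input_format($from)) {
        return preg_match('/(\S+@\S+)/', $from_string, $m) ? trim($m[1], '<>') : null;
    }
    return $from;
}
// Hardened shape: validate unconditionally, require exactly one address without
// whitespace, and reject anything that is not a syntactically valid email.
function from_param_hardened(string $from): ?string
{
    $from_string = email_input_format($from);
    if (!preg_match('/^(\S+@\S+)$/', $from_string, $m)) {
        return null;
    }
    $addr = trim($m[1], '<>');
    return filter_var($addr, FILTER_VALIDATE_EMAIL) === false ? null : $addr;
}
// Value for mail()'s fifth argument; escapeshellarg() is defence in depth so the
// address can never be split into additional sendmail options.
function sendmail_extra_arg(?string $from): ?string
{
    return $from === null ? null : '-f' . escapeshellarg($from);
}
// Constructed inputs: a legitimate bracketed address and a value carrying an
// extra whitespace-separated token; only the hardened path rejects the latter.
foreach (['<alice@example.com>', 'bob@example.com extra-token'] as $input) {
    var_dump(from_param_vulnerable($input), sendmail_extra_arg(from_param_hardened($input)));
}
```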
id: SSV:92570
last seen: 2017-11-19
modified: 2016-12-08
published: 2016-12-08
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-92570
title: Roundcube 1.2.2: Command Execution via Email