SSD Adivsory – Roundcube Password Plugin

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.
Introduction
Roundcube webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality you expect from an email client, including MIME support, address book, folder manipulation, message searching and spell checking.
Vulnerability Details
Roundcube 1.0.4 is shipped with the Password plugin version 3.4. It is, as any other plugin, disabled by default. Once enabled, it allows an authenticated user to change his current password in the web interface. For this purpose, the plugin offers several drivers that can be used to perform the actual password change in the back end. The DBMail driver suffers from a critical Remote Command Execution vulnerability that enables an attacker to execute arbitrary system commands with root privileges.


Configuration
To enable the Password plugin, add the following line to Roundcube’s config file roundcubemail-1.0.4/config/config.inc.php:

$config['plugins'] = array('password');

To use the DBMail driver, add the following line to the Password plugin config file roundcubemail-1.0.4/plugins/password/config.inc.php:

$config['password_driver'] = 'dbmail';

A list of activated plugins is shown in the “About” page in the web interface (/?_task=settings&_action=about). A new password can be configured under Settings -> Password.
Affected Code Lines
Inside the roundcubemail-1.0.4/plugins/password/password.php file you can see the following vulnerable code:

  class password extends rcube_plugin {
   public function password_save() {
    $newpwd = rcube_utils::get_input_value('_newpasswd', rcube_utils::INPUT_POST, true);  // user input
    $this->_save($curpwd, $newpwd);
   private function _save($curpass, $passwd) {
    $driver = $config->get('password_driver', 'sql'); // get driver (dbmail)
    $class  = "rcube_{$driver}_password";
    $object = new $class;         // new dbmail
    $object->save($curpass, $passwd);

Inside the roundcubemail-1.0.4/plugins/password/drivers/dbmail.php file you can see the following vulnerable code:

  class rcube_dbmail_password {
   public function save($currpass, $newpass) {
     exec("{$curdir}/chgdbmailusers -c {$username} -w {$newpass} {$args}", $output, $returnvalue);  // VULN

Exploit
In line 26 of the dbmail.php driver, the new password entered by the user is not sanitized against injecting shell meta characters. Thus, by providing the new password “sleep 3” or “;sleep 3;” (without “”), the system command “sleep 3” will be executed on the targeted web server. Moreover, the chgdbmailusers program shipped with the Password plugin is run with root privileges: roundcubemail-1.0.4/plugins/password/helpers/chgdbmailusers.c
[pastacode lang=”c” message=”” highlight=”” provider=”manual”]

  // set the UID this script will run as (root user)
  #define UID 0
  #define CMD "/usr/sbin/dbmail-users"
  main(int argc, char *argv[])
  {
    int cnt,rc,cc;
    char cmnd[255];
    strcpy(cmnd, CMD);
    if (argc > 1)
    {
   for (cnt = 1; cnt < argc; cnt++)
   {
     strcat(cmnd, " ");
     strcat(cmnd, argv[cnt]);
   }
    }
    cc = setuid(UID);
    rc = system(cmnd);

Note, that this program also has a buffer overflow vulnerability in line 28 when a password or username longer than 255 characters is used by an attacker.
Vendor Response
Roundcube has released a patch for this vulnerability.
CVE
Two CVEs have been assigned to these vulnerabilities, CVE-2015-2180 and CVE-2015-2181

?

Get in touch