Summary
A vulnerability in Roundcube’s markasjunk plugin allows an attacker who sets a specially crafted identity email address to make the plugin execute arbitrary code.
Credit
An independent security researcher, Selim Enes Karaduman, working with SSD Secure Disclosure.
Affected Devices
Roundcube version 1.6.1 and prior (with markasjunk plugin enabled)
Technical Analysis
Roundcube’s markasjunk plugin ships as part of Roundcube’s core codebase; no external installation is needed, and the only requirement is that the Roundcube administrator enables and configures it.
Once the “markasjunk” plugin is enabled, and certain markasjunk settings are configured in a specific way, RCE is possible for any Roundcube user.
Vulnerable Configuration
1. cmd_learn must be configured as the learning driver in plugins/markasjunk/config.inc.php:
$config['markasjunk_learning_driver'] = "cmd_learn";
2. markasjunk_spam_cmd must be set with the “%i” format specifier in plugins/markasjunk/config.inc.php:
$config['markasjunk_spam_cmd'] = "salearn %i";
From this point, any arbitrary command can be triggered as long as the configured command contains %i; this is caused by the lack of filtering of the value substituted for it.
The vulnerability can be triggered by any Roundcube user who can change their email identity and mark an email as junk, both of which are trivial requirements.
Technical Analysis
The command injection lies in _do_salearn() in the plugins/markasjunk/drivers/cmd_learn.php file.
This function is executed whenever an email is moved to a junk folder from the webapp interface.
If $config['markasjunk_spam_cmd'] contains “%i”, line 59 will be executed:
$command = str_replace('%i', $identity['email'], $command);
$identity['email'] comes from the user’s identity email address, which can be changed via Settings -> Identities in the web panel.
The command itself is executed on line 102:
$output = shell_exec($tmp_command);
For example, if a user’s normal identity email is admin@roundcube.com and it is changed to:
admin&touch${IFS}test.txt&@roundcube.com
_do_salearn() will then run the following command when processing the email:
salearn admin&touch${IFS}test.txt&@roundcube.com
This creates test.txt.
Fix suggestion
Other format specifiers like “%s” and “%f” are filtered with escapeshellarg(); we believe %i was forgotten because nobody thought an email address could be used for command injection, but it is possible.
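The following PHP script is an added example, not Roundcube’s own code. It builds the salearn command both ways described above (the raw str_replace() of the unpatched line 59 and the escapeshellarg() form proposed in the fix) for a benign identity and for the crafted identity from the example, and runs PHP’s built-in e-mail syntax check over both. The function names, constant names and the heuristic metacharacter check are this example’s own; the command template and identity values are the ones from this advisory. The e-mail check shows why escaping at the shell sink, rather than validating the address, is the right fix: RFC 5322 permits ‘&’, ‘$’, ‘{’ and ‘}’ in the local part of an address, so a syntactic check alone does not reject the crafted identity.

```php
<?php
declare(strict_types=1);

// Added example, not Roundcube's own code. It mirrors the two ways the %i
// placeholder can be filled in (the unpatched str_replace() and the patched
// escapeshellarg() version). Nothing is passed to shell_exec(); the command
// strings are only built and printed.

// Constructed identity values for the demonstration (from the advisory).
const BENIGN_IDENTITY  = 'admin@roundcube.com';
const CRAFTED_IDENTITY = 'admin&touch${IFS}test.txt&@roundcube.com';

// Command template from the vulnerable configuration.
const SPAM_CMD_TEMPLATE = 'salearn %i';

// Unpatched behaviour: the identity is spliced into the command verbatim,
// so shell metacharacters in it become part of the command line.
function build_vulnerable(string $template, string $identityEmail): string
{
    return str_replace('%i', $identityEmail, $template);
}

// Patched behaviour: the identity becomes one single-quoted shell argument,
// so '&' and '${IFS}' reach salearn as literal characters.
function build_patched(string $template, string $identityEmail): string
{
    return str_replace('%i', escapeshellarg($identityEmail), $template);
}

// A syntactic e-mail check, for comparison. RFC 5322 allows '&', '$', '{'
// and '}' in the local part, so this check alone is not a defence here.
function looks_like_email(string $identityEmail): bool
{
    return filter_var($identityEmail, FILTER_VALIDATE_EMAIL) !== false;
}

// Heuristic (this example's own): after removing single-quoted arguments,
// the form escapeshellarg() produces, does the command still contain
// characters that chain or substitute commands in the shell?
function contains_unquoted_shell_metachars(string $command): bool
{
    // Matches one single-quoted argument, including the '\'' sequence that
    // escapeshellarg() emits for an embedded single quote.
    $quotedArg = "/'(?:[^']|'\\\\'')*'/";
    $stripped  = preg_replace($quotedArg, '', $command);
    return (bool) preg_match('/[&;|`$]/', $stripped);
}

foreach ([BENIGN_IDENTITY, CRAFTED_IDENTITY] as $email) {
    printf("identity:           %s\n", $email);
    printf("passes email check: %s\n", looks_like_email($email) ? 'yes' : 'no');

    $vuln = build_vulnerable(SPAM_CMD_TEMPLATE, $email);
    $safe = build_patched(SPAM_CMD_TEMPLATE, $email);

    printf("unpatched command:  %s  (unquoted metachars: %s)\n", $vuln,
        contains_unquoted_shell_metachars($vuln) ? 'yes' : 'no');
    printf("patched command:    %s  (unquoted metachars: %s)\n\n", $safe,
        contains_unquoted_shell_metachars($safe) ? 'yes' : 'no');
}
```

Run it with the PHP CLI (php example.php). The benign identity produces the same command either way; the crafted identity is reported as a syntactically valid address yet yields a command with a bare ‘&’ in the unpatched form, while the patched form wraps the whole identity in one quoted argument that the heuristic no longer flags.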
plugins/markasjunk/drivers/cmd_learn.php:59
Patch
- $command = str_replace('%i', $identity['email'], $command); + $command = str_replace('%i', escapeshellarg($identity['email']), $command);
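Review bot: the patched line is the right sink-side fix, since escapeshellarg() turns $identity['email'] into one single-quoted argument and the `&` and `${IFS}` from the example identity reach salearn as literal characters; tightening identity validation instead would not be enough, because '&', '$', '{' and '}' are legal in the local part of an RFC 5322 address. Worth confirming in the same change that %i was the only placeholder in cmd_learn.php still substituted without escapeshellarg(), so that its handling now matches the escaping already applied to %s and %f.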