Open source webmail provider Roundcube has released an update that addresses a critical vulnerability in all default configurations that could allow an attacker to run arbitrary code on the host operating system.
The flaw is serious because it’s relatively simple to exploit and can allow an attacker to access email accounts or move deeper onto the network.
Researchers at RIPS Technologies, a German company specializing in PHP application security analysis, privately disclosed the bug Nov. 21. Roundcube had the vulnerability fixed on Github a day later, and made an updated version publicly available Nov. 28. Versions 1.0 to 1.2.2 are vulnerable, and users are advised to update to 1.2.3.
In a report published Tuesday, RIPS researcher Robin Peraglie explained that four conditions, all met by a default Roundcube installation, enable successful exploits: Roundcube is configured to use PHP mail(); mail() is configured to use sendmail; PHP's safe_mode is turned off (the default); and the attacker must know the absolute path of the webroot, Peraglie said.
“All requirements are met by default,” RIPS chief security officer Hendrik Buchwald told Threatpost. “If you just install Roundcube you are vulnerable. You have to actively change the configuration to be not vulnerable. So it is very common, there are probably tens to hundreds of thousands installations that meet these requirements.”
The vulnerability happens because Roundcube fails to properly sanitize user input in the fifth parameter of PHP mail().
“This allows an attacker to modify the command line options of the program that is used to send emails,” Buchwald said.
Peraglie explained in the report that an attacker may abuse the flaw to drop a malicious PHP file in the webroot directory of the web server.
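As an added illustration of the flaw the article describes (example code, not Roundcube's own), the unsafe pattern sits beside a hardened replacement; the function names and the MAIL_ENVELOPE_SENDER setting are assumed.

```php
<?php
// Added example, not Roundcube's own code: the unsafe pattern the article
// describes beside a hardened replacement. Function names are assumed.

// Unsafe: the user-supplied "from" address is concatenated straight into
// mail()'s fifth parameter, which PHP passes to the sendmail binary as
// extra command-line options. Whatever reaches $from therefore reaches
// sendmail's option parser as well.
function send_unsafe(string $to, string $subject, string $body, string $from): bool
{
    return mail($to, $subject, $body, "From: $from", "-f$from");
}

// Allow only a syntactically valid address that contains none of the
// characters that would let sendmail see a second option or argument.
function sender_is_safe(string $from): bool
{
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Whitespace (including CR/LF), quotes and backslashes are what turn one
    // -f value into several arguments; reject them rather than escape them.
    return preg_match('/[\s"\'\\\\]/', $from) === 0;
}

function send_hardened(string $to, string $subject, string $body, string $from): bool
{
    if (!sender_is_safe($from)) {
        // Log the rejected value hex-encoded so control characters in it
        // cannot confuse whoever reads the log.
        error_log('rejected envelope sender: ' . bin2hex($from));
        return false;
    }
    // escapeshellarg() is defence in depth on top of the validation above.
    return mail($to, $subject, $body, "From: $from", '-f' . escapeshellarg($from));
}

// Safer still: do not derive the envelope sender from user input at all;
// use a fixed, administrator-configured address (assumed setting name).
function send_fixed_sender(string $to, string $subject, string $body, string $from): bool
{
    if (!sender_is_safe($from)) {   // still needed: $from lands in a header
        return false;
    }
    $envelope = getenv('MAIL_ENVELOPE_SENDER') ?: 'noreply@example.com';
    return mail($to, $subject, $body, "From: $from", '-f' . escapeshellarg($envelope));
}
```

The validation deliberately refuses otherwise-valid addresses that carry quotes or whitespace, since those are exactly the characters that let a single -f value be read as several sendmail arguments.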
“To exploit this vulnerability the attacker needs an email account on the target system, because he has to write an email to trigger it. Either he already has an account (e.g. organization, company, university, free email provider…) or he steals the login (e.g. dictionary attack, trojans…),” Buchwald said. “All that he has to do is to write an email and set a certain ‘from’ address. This allows him to create arbitrary files on the target system. If the attacker can create PHP files, he can execute system commands. From there on he can reach other systems in the network, read emails of everyone else and the like.”
Peraglie said that despite the vigilant community working to secure Roundcube (year-to-date there have been more than 221,000 downloads of Roundcube from Sourceforge), a fifth parameter vulnerability is fairly rare.
“It is a rare vulnerability, because the fifth parameter of mail() is not used very often and as such there are not many known cases in widespread software where it is used wrongly,” Buchwald said.