Active Scans for Roundcube Vulnerabilities, Possible 0-Day

Published: 2009-01-09
Last Updated: 2009-01-09 22:27:23 UTC
by Lenny Zeltser (Version: 4)
3 comment(s)

Scans for vulnerabilities in Roundcube, popular web mail software, seem to be on the rise. We reported two vulnerabilities in this popular software in the past month.

According to a report we received today, scans for problems in Roundcube's msgimport feature are very active (see earlier diary). According to @lbhuston of twitter, this might be the same vulnerability announced on Help Net Security in December. For additional details about scans for this vulnerability, look at the the posting  at the MSI :: State of Security blog. For another data point, see the list of systems that, according to @codewolf on Twitter, are scanning him for Roundcube vulnerabilities.

The other vulnerability is in the html2text.php file (CVE-2008-5619), and is probably being targeted too (see earlier diary). There is a fix to the html2text.php problem, but I don't think the msgimport issue has a patch.

Update 1: Here are examples of Web server access logs that show recent attempts to exploit msgimport:

66.154.97.57 - - [09/Jan/2009:04:31:36 +0000] "GET /nonexistenshit HTTP/1.1" 404 212 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
8.208.193.113 - - [09/Jan/2009:06:24:55 -0500] "GET /mail/bin/msgimport HTTP/1.1" 404 391 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
88.208.193.113 - - [09/Jan/2009:06:24:55 -0500] "GET /bin/msgimport HTTP/1.1" 404 386 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
88.208.193.113 - - [09/Jan/2009:06:24:55 -0500] "GET /rc/bin/msgimport HTTP/1.1" 404 389 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
88.208.193.113 - - [09/Jan/2009:06:24:55 -0500] "GET /roundcube/bin/msgimport HTTP/1.1" 404 396 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
88.208.193.113 - - [09/Jan/2009:06:24:55 -0500] "GET /webmail/bin/msgimport HTTP/1.1" 404 394 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
58.215.88.10 - - [09/Jan/2009:09:01:13 -0500] "GET /mail/bin/msgimport HTTP/1.1" 404 391 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"

Update 2: Steven Adair from Shadowserver noticed two additional user agent strings being used by the scanners:

Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
Toata dragostea mea pentru diavol (this one was reported in our earlier diary)

Also, thanks to Ken for mentioning in the comments that Emerging Threats has Snort rules to alert on these activities. According to Ken, search emerging rules for SIDs 2008990 and 2008991.

Update 3: Nathan shared with us a few pointers to Roundtube developer discussions of the msgimport vulnerability. "Based on http://lists.roundcube.net/mail-archive/dev/2009-01/0000055.html it seems versions prior to 0.2-alpha are vulnerable." Additional messages on the list: 1, 2. "They appears to be providing little information publicly about the exploit but appear to have acknowledged it."
 

-- Lenny

Lenny Zeltser
Security Consulting - Savvis, Inc.

Lenny teaches a SANS course on analyzing malware.

 

Keywords:
3 comment(s)

Comments

Emerging Threats (www.emergingthreats.net) has snort rules that alert on these. See http://www.emergingthreats.net/rules/emerging.rules for SIDs 2008990 and 2008991
I've been watching these scans in my logs, and the first thing I notice is that the scans send the target IP address as the HTTP 'Host' request header. Therefore if name-based virtual hosts are used in Apache HTTPD, only the 'default' host (typically the first one defined in the config.) would be scanned, which would limit its impact to mostly dedicated servers, rather than shared hosting.

As an experiment I responded to one of the /bin/msgimport requests with a document that should have simulated the output of that script executing without parameters. The only thing the worm did differently was to then try a POST to /bin/html2text.php which is one of the previously reported vulnerabilities. So it seems so far that the 'msgimport.sh' script is queried only as a means to determine the presence of a Roundcube installation; this doesn't appear to be a new exploit targetted at 'msgimport.sh'.

I notice Roundcube SVN commit R-2225 disables access to the scripts in /bin/ as precaution, which seems sensible. If the ExecCGI option was enabled for /bin/ for some reason, I suspect those scripts could be abused, although I haven't really investigated.
We keep noticing two such scanners in the logs:

1. The \"Toata\" one. This is the one that Steven mentioned. It typically uses \"GET HTTP/1.1 HTTP/1.1\" as a first request.
First seen here on Dec 19th, 02:31 UTC, average rate is only about 1/day in two monitored IP ranges.

2. Currently much more active is the one that uses \"GET /nonexistenshit HTTP/1.1\" as a first request,
and apparently only the Mozilla given above as a User Agent. Starting Jan 8th, 05:04 UTC, this one appears from some 30 different IPs/day.

Both of them go for IPs, not names.

Diary Archives