[CVE-2008-5619] [CVE-2008-5620] - Roundcube vulnerable and actively exploited

Bug #316550 reported by otzenpunk
Affects              Status        Importance  Assigned to  Milestone
roundcube (Debian)   Fix Released  Unknown
roundcube (Ubuntu)   Fix Released  High        Unassigned
Hardy                Fix Released  High        Unassigned
Intrepid             Fix Released  High        Unassigned

Bug Description

Binary package hint: roundcube

Roundcube 0.1 - as shipped in the universe section of every Ubuntu version before Jaunty - is vulnerable to a denial of service attack. This is currently exploited widely. See

http://www.milw0rm.com/exploits/7553
http://www.directadmin.com/forum/showthread.php?p=147344
http://directadmin.com/forum/showthread.php?p=147661
http://www.webhostingtalk.com/showthread.php?t=748555
http://forum.ubuntuusers.de/topic/was-ist-wssh/

Tags: security
Revision history for this message
Marc Deslauriers (mdeslaur) wrote : Re: CVE-2008-5619 - Roundcube vulnerable and actively exploited

Thanks for taking the time to report this bug and helping to make Ubuntu
better. Since the package referred to in this bug is in universe or multiverse,
it is community maintained. If you are able, I suggest posting a debdiff for
this issue. When a debdiff is available, members of the security team will
review it and publish the package. See the following link for more information:
https://wiki.ubuntu.com/SecurityUpdateProcedures

Changed in roundcube:
status: New → Confirmed
Revision history for this message
otzenpunk (reisswolf-nospam) wrote :

Sorry, I'm not sure if I can provide a debdiff, because I've never done that before. Just in case there is somebody with a little more expertise sitting out there. The changeset is here: http://trac.roundcube.net/changeset/2162 The update notice here: http://sourceforge.net/forum/forum.php?forum_id=898542

Revision history for this message
otzenpunk (reisswolf-nospam) wrote :

I've added the Debian Bug link. There is another security related bug fixed in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=509596. The changeset mentioned above covers both.

Revision history for this message
Andrew Starr-Bochicchio (andrewsomething) wrote :

A few things. CVE-2008-5619 states "html2text.php in RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta allows remote attackers to execute arbitrary code via crafted input that is processed by the preg_replace function with the eval switch." These versions have never entered Ubuntu.

I think you mean, CVE-2008-5620:

"RoundCube Webmail (roundcubemail) before 0.2-beta allows remote attackers to cause a denial of service (memory consumption) via crafted size parameters that are used to create a large quota image. "

This has already been fixed in Jaunty (by way of Debian):

roundcube (0.1.1-10) unstable; urgency=high

  * Fix a vulnerability in quota image generation. This fixes
    CVE-2008-5620. Thanks to Nico Golde for reporting it. Closes: #509596.
  * Add description to all patches.
  * Add missing ${misc:Depends} to debian/control.
  * Add missing dependency on php5-gd, used for quota bar.

Also, a sync to version 0.2~stable-1 has been approved in Bug #331220

All that said, CVE-2008-5620 does affect previous Ubuntu releases. Thanks for taking the time to point this out.

Opening release specific tasks, so that the fix can be backported. Most importantly to the LTS release.

Changed in roundcube:
importance: Undecided → High
status: Confirmed → Fix Released
description: updated
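The quota-image flaw CVE-2008-5620 quoted in the comment above, as an added example written for this page and not Roundcube's own quota-image script: a GD image whose dimensions are taken straight from the request, beside the same drawing done after the dimensions are validated. The parameter names (`width`, `height`, `quota`), the defaults, the 400x40 upper bound and the function names are assumptions made for the illustration, not values from the package.

```php
<?php
// Added example (not Roundcube's quota-image script): the shape of CVE-2008-5620.
// A quota bar is rendered as a GD image sized from request parameters. Each
// pixel costs memory, so an unchecked size lets a single request exhaust the
// PHP process: a width*height image needs width*height*bytes-per-pixel bytes.
declare(strict_types=1);

// Assumed upper bounds for a quota bar; the widget is a few hundred pixels
// wide and a dozen or so high, so anything larger is not a legitimate request.
const QUOTA_MAX_WIDTH  = 400;
const QUOTA_MAX_HEIGHT = 40;

/**
 * Vulnerable shape. The cast to int stops nothing: (int)'20000' is 20000,
 * and ?width=20000&height=20000 asks GD for 400 million pixels, which ends
 * in "Allowed memory size exhausted" (or worse, if memory_limit is -1).
 */
function quota_image_vulnerable(array $get)
{
    $width  = (int) ($get['width']  ?? 100);
    $height = (int) ($get['height'] ?? 14);
    return imagecreate($width, $height);
}

/**
 * Validate one dimension: a plain decimal integer within [1, $max].
 * FILTER_VALIDATE_INT rejects "", "1e9", "0x10" and " 12"; the range options
 * reject 0, negatives and oversized values. Anything else falls back to $default.
 */
function quota_dimension($raw, int $default, int $max): int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
    return $v === false ? $default : $v;
}

/** Percentage used, 0..100; anything else is treated as 0. */
function quota_percent($raw): int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 100],
    ]);
    return $v === false ? 0 : $v;
}

/** Hardened shape: dimensions are bounded before GD ever sees them. */
function quota_image_safe(array $get)
{
    $width   = quota_dimension($get['width']  ?? null, 100, QUOTA_MAX_WIDTH);
    $height  = quota_dimension($get['height'] ?? null, 14,  QUOTA_MAX_HEIGHT);
    $percent = quota_percent($get['quota'] ?? null);

    $img = imagecreate($width, $height);
    $bg  = imagecolorallocate($img, 255, 255, 255);  // first allocation = background
    $bar = imagecolorallocate($img, 0, 0, 0);
    // Filled part of the bar; the -1 keeps the right edge inside the image.
    $filled = (int) floor(($width - 1) * $percent / 100);
    if ($filled > 0) {
        imagefilledrectangle($img, 0, 0, $filled, $height - 1, $bar);
    }
    return $img;
}

// Run from the CLI to watch the clamping. As a web endpoint you would instead
// send header('Content-Type: image/png') and imagepng(quota_image_safe($_GET)).
if (PHP_SAPI === 'cli') {
    $requests = [
        ['width' => '20000', 'height' => '20000', 'quota' => '50'],  // the DoS request
        ['width' => '300',   'height' => '12',    'quota' => '73'],  // a normal one
        ['width' => '1e9',   'height' => '-5',    'quota' => '999'], // junk, falls back
    ];
    foreach ($requests as $q) {
        $img = quota_image_safe($q);
        printf("%-40s -> %dx%d\n", http_build_query($q), imagesx($img), imagesy($img));
    }
}
```

Falling back to the default size rather than answering 400 is a choice: the bar is decorative, and a broken image in the mail client is less useful to an operator than a log line, so if you keep the fallback, log the rejected value. Whichever you pick, the check has to happen before imagecreate(), since GD itself only fails after it has tried the allocation.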
Revision history for this message
Andrew Starr-Bochicchio (andrewsomething) wrote : Re: CVE-2008-5620- Roundcube vulnerable and actively exploited

Patch from Debian for 2008-5620

Revision history for this message
Andrew Starr-Bochicchio (andrewsomething) wrote :
Revision history for this message
Andrew Starr-Bochicchio (andrewsomething) wrote :
Changed in roundcube:
status: New → In Progress
status: New → In Progress
Revision history for this message
otzenpunk (reisswolf-nospam) wrote :

> CVE 2008-5619 states "html2text.php in RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta allows remote attackers to execute arbitrary code via crafted input that is processed by the preg_replace function with the eval switch. " These versions have never entered Ubuntu.

I think this is an incomplete description in the CVE. It must mean *up to* version 0.2-1.alpha and 0.2-3.beta.

The vulnerable code in program/lib/html2text.inc is present in the hardy package as well, and in the German community forum there was a user whose server got compromised via this attack vector, and who was using roundcube version 0.1-rc1.

http://forum.ubuntuusers.de/topic/was-ist-wssh/ (German)
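The html2text.inc flaw CVE-2008-5619 discussed above, as an added example written for this page, not Roundcube's or the original html2text author's code: a converter built on preg_replace with the /e (eval) modifier beside the same conversion done with preg_replace_callback. The regexes handle only two tags to keep the example short; the function names and the probe input are constructed for the illustration. The vulnerable function is written for PHP 5 semantics, where /e was still accepted (PHP 5.5 deprecated it, PHP 7.0 removed it); the hardened one runs on PHP 8.

```php
<?php
// Added example (not Roundcube's html2text.inc): the pattern behind CVE-2008-5619.
declare(strict_types=1);

/**
 * Vulnerable shape (PHP 5 semantics). With the /e modifier, preg_replace
 * substitutes the backreferences into the replacement string and then
 * eval()s the result as PHP code. The replacement here is a double-quoted
 * PHP string literal, so whatever the sender put between <b> and </b> lands
 * inside PHP source. preg_replace does escape ' " \ and NUL in the
 * substituted text, but double-quoted strings also interpolate expressions
 * written as {${ ... }}, which need none of those characters, so a message
 * body carrying such an expression runs it with the web server's rights.
 * On PHP 7+ the modifier is gone: this call returns null and emits a warning.
 */
function html_to_text_vulnerable(string $html): string
{
    $search  = ['/<(b|strong)[^>]*>(.*?)<\/\1>/ie', '/<br\s*\/?>/i'];
    $replace = ['strtoupper("\\2")',               "\n"];
    $text = preg_replace($search, $replace, $html);
    return html_entity_decode(strip_tags((string) $text));
}

/**
 * Hardened shape: the captured text is handed to a closure as data. There is
 * no string-to-code step, so "{${phpinfo()}}" is literal text that merely
 * gets upper-cased.
 */
function html_to_text_safe(string $html): string
{
    $text = preg_replace_callback(
        '/<(b|strong)[^>]*>(.*?)<\/\1>/i',
        static fn(array $m): string => strtoupper($m[2]),
        $html
    );
    if ($text === null) {   // PCRE error, e.g. backtrack limit on hostile input
        throw new RuntimeException('html2text: ' . preg_last_error_msg());
    }
    $text = preg_replace('/<br\s*\/?>/i', "\n", $text);
    return html_entity_decode(strip_tags((string) $text), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if (PHP_SAPI === 'cli') {
    // Constructed probe: the kind of body the /e version would have executed.
    // Single quotes here so this script itself does not interpolate it.
    $probe = '<b>{${phpinfo()}}</b> hello<br>world &amp; more';
    echo html_to_text_safe($probe), "\n";
}
```

The fix is mechanical: every `/e` entry becomes a callback, and the replacement expression becomes the callback body with `\\N` turned into `$m[N]`. Checking for `null` from preg_replace_callback matters on mail input, because a crafted body can hit pcre.backtrack_limit, and silently returning an empty string would hide that.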

Revision history for this message
Andrew Starr-Bochicchio (andrewsomething) wrote :

You're right. Attached are fixes for both CVEs for intrepid and hardy.

Revision history for this message
Andrew Starr-Bochicchio (andrewsomething) wrote :

Please review

Revision history for this message
otzenpunk (reisswolf-nospam) wrote :

I'm afraid that doesn't seem to work. (hardy-fix.debdiff)

~/src/roundcube-0.1~rc2$ patch -p1 < ../hardy-fix.debdiff
patching file debian/control
patching file debian/changelog
patching file debian/control.in
patching file debian/patches/series
patching file debian/patches/cve-2008-5619.patch
patching file debian/patches/cve-2008-5620.patch
~/src/roundcube-0.1~rc2$

I suspect that the mistake has something to do with those additional plus signs at the beginning of each line:

+--- roundcube-0.1.1.orig/program/lib/html2text.inc 2009-02-19 23:54:37.000000000 -0500
++++ /dev/null 1970-01-01 00:00:00.000000000 +0000
+@@ -1,451 +0,0 @@
+-<?php
+-

I also don't understand the references to /dev/null.
+-/*************************************************************************
+-* *
+-
....
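Review bot: the nested cve-2008-5619.patch deletes program/lib/html2text.inc wholesale, `--- roundcube-0.1.1.orig/program/lib/html2text.inc` against `+++ /dev/null` with a `@@ -1,451 +0,0 @@` hunk dropping all 451 lines, instead of changing the preg_replace calls that use the /e modifier; removing the file takes the HTML-to-text conversion with it and is far more invasive than the upstream changeset. The `roundcube-0.1.1.orig` prefix also shows the patch was generated against the 0.1.1 tree rather than the 0.1~rc2 source unpacked above. Suggest regenerating the quilt patch from the 0.1~rc2 tree so it touches only the affected lines of html2text.inc, following Debian's 0.1.1-10 change. The leading `+` on every line is expected: the debdiff adds the file debian/patches/cve-2008-5619.patch, and quilt applies it at build time.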

Revision history for this message
Andrew Starr-Bochicchio (andrewsomething) wrote : Re: [Bug 316550] Re: CVE-2008-5620- Roundcube vulnerable and actively exploited

On Fri, Feb 20, 2009 at 6:35 AM, otzenpunk
<email address hidden> wrote:
> I'm afraid that doesn't seem to work. (hardy-fix.debdiff)
>
> ~/src/roundcube-0.1~rc2$ patch -p1 < ../hardy-fix.debdiff
> patching file debian/control
> patching file debian/changelog
> patching file debian/control.in
> patching file debian/patches/series
> patching file debian/patches/cve-2008-5619.patch
> patching file debian/patches/cve-2008-5620.patch
> ~/src/roundcube-0.1~rc2$
>
> I suspect that the mistake has something to do with those additional
> plus signs at the beginning of each line:
>
> +--- roundcube-0.1.1.orig/program/lib/html2text.inc 2009-02-19 23:54:37.000000000 -0500
> ++++ /dev/null 1970-01-01 00:00:00.000000000 +0000
> +@@ -1,451 +0,0 @@
> +-<?php
> +-
>
> I also don't understand the references to /dev/null.
> +-/*************************************************************************
> +-* *
> +-
> ....

Those are patches to the Ubuntu source packages. The packages use
a patch system (quilt) for patching the upstream source. The source
isn't being patched directly. It is done at build time.

Revision history for this message
Tillmann (t-st-t-st) wrote : Re: CVE-2008-5620- Roundcube vulnerable and actively exploited

Hi,

my machine has been hacked using this exploit as well. It is incomprehensible to me how a well-known exploit that was reported as "exploited widely" over one month ago still isn't fixed in Ubuntu.

Some more info for the (probably many) others involved:
Typically, the attacker downloads a tool such as a connect back backdoor using this exploit. E.g. php-reverse-shell or Data Cha0s Connect Back Backdoor. The machines are then used as botnet zombies, using a bot like emech.

Some more info about the attack can be found in /var/log/apache2/error.log where you can see the wget output of the initial backdoor download. Of course, if the attacker later on successfully applies a local root exploit, he can remove all traces easily.

bye,
Till

Revision history for this message
Scott Kitterman (kitterman) wrote : Re: [Bug 316550] Re: CVE-2008-5620- Roundcube vulnerable and actively exploited

roundcube is not commercially supported by Canonical. The 'how' is lack of
community people working on security patches. More volunteers are always
welcome.

Changed in roundcube:
importance: Undecided → High
status: In Progress → Confirmed
importance: Undecided → High
status: In Progress → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Andrew, thanks for your patches. I just reviewed them and the patch for CVE-2008-5619 is extremely invasive and does not seem to go along with Debian's changes as you mentioned in the changelog. Can you look at Debian's 0.1.1-10, redo the patch and resubmit? Also, please reference this bug number in your changelog.

Once you have resubmitted the debdiffs, please remark the bug status to 'In Progress' and please state the testing performed on the new packages.

Changed in roundcube:
assignee: nobody → andrewsomething
assignee: nobody → andrewsomething
Revision history for this message
Andrew Starr-Bochicchio (andrewsomething) wrote :

Alright, let's hope the third time is the charm here. Attached are debdiffs for Hardy and Intrepid.

For those interested in testing, the packages are available in my PPA:

https://edge.launchpad.net/~andrewsomething/+archive/ppa

Revision history for this message
Andrew Starr-Bochicchio (andrewsomething) wrote :
Changed in roundcube:
assignee: andrewsomething → nobody
status: Confirmed → In Progress
assignee: andrewsomething → nobody
status: Confirmed → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Andrew, what testing was performed on these packages?

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks Andrew for the updated patches! I've uploaded them to the security queue and can publish them once I get feedback on the testing for both Hardy and Intrepid.

Changed in roundcube:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Revision history for this message
Andrew Starr-Bochicchio (andrewsomething) wrote : Re: [Bug 316550] Re: [CVE-2008-5619] [CVE-2008-5620] - Roundcube vulnerable and actively exploited

Unfortunately, I'm not able to test this update very thoroughly. I've
uploaded it to my PPA in the hope that those in the community who are
using roundcube can test and verify the fixes before they are uploaded
to intrepid-security.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package roundcube - 0.1.1-7ubuntu0.1

---------------
roundcube (0.1.1-7ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: denial of service (memory consumption) via
    crafted size parameters that are used to create a large quota
    image - CVE-2008-5620 (LP: #316550)
   - debian/patches/cve-2008-5620.patch
    + Backported from Debian
  * SECURITY UPDATE: allows remote attackers to execute arbitrary
    code via crafted input that is processed by the preg_replace
    function with the eval switch. - CVE-2008-5619 (LP: #316550)
   - debian/patches/cve-2008-5619.patch
    + Backport from Debian.

 -- Andrew Starr-Bochicchio <email address hidden> Thu, 19 Feb 2009 13:06:58 -0500

Changed in roundcube:
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package roundcube - 0.1~rc2-6ubuntu0.1

---------------
roundcube (0.1~rc2-6ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service (memory consumption) via
    crafted size parameters that are used to create a large quota
    image - CVE-2008-5620 (LP: #316550)
   - debian/patches/cve-2008-5620.patch
    + Backported from Debian
  * SECURITY UPDATE: allows remote attackers to execute arbitrary
    code via crafted input that is processed by the preg_replace
    function with the eval switch. - CVE-2008-5619 (LP: #316550)
   - debian/patches/cve-2008-5619.patch
    + Backport from Debian.

 -- Andrew Starr-Bochicchio <email address hidden> Thu, 19 Feb 2009 13:06:58 -0500

Changed in roundcube:
status: Fix Committed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Since this is being actively exploited and the patches match Debian, I am going to publish this. Please report back if there are problems.

Changed in roundcube (Debian):
status: Unknown → Fix Released