Giters

mbadanoiu / MAL-004

MAL-004: Command Injection Bypass for CVE-2020-12641 in Roundcube Webmail

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

0-daybypasscve-2020-12641remote-code-executionunauthenticated

MAL-004: Command Injection Bypass for CVE-2020-12641 in Roundcube Webmail

A bypass was found for "CVE-2020-12641: Command Injection via "_im_convert_path" in Roundcube Webmail" affecting versions before 1.4.5, 1.3.12.

The php “escapeshellcmd” function, implemented to prevent “CVE-2020-12641: Command Injection via “_im_convert_path” Parameter”, performs insufficient sanitization and therefore this “filter” can be bypassed by using:

  • Command specific flags (both Linux and Windows environments)
  • Remote SMB paths (only in Windows environments)

A successful attack results in the execution of arbitrary system commands whenever a valid Roundcube user opens a mail containing a non-standard image.

Vendor Disclosure:

The vendor's disclosure and fix for this vulnerability can be found here.

Why no CVE?

This bypass was included as a "better fix for CVE-2020-12641" and was not given a separete CVE-ID.

Requirements:

This vulnerability requires:

  • Access to the Roundcube Webmail installer component
  • Waiting for a Roundcube user to open an email containg a non-standard image

Proof Of Concept:

More details and the exploitation process can be found in this PDF.

Additional Resources:

Initial vulnerability (CVE-2020-12641) and GitHub disclosure

About

MAL-004: Command Injection Bypass for CVE-2020-12641 in Roundcube Webmail

0-daybypasscve-2020-12641remote-code-executionunauthenticated