SANS ISC InfoSec Handlers Diary Blog



Active Scans for Roundcube Vulnerabilities, Possible 0-Day

Published: 2009-01-09
Last Updated: 2009-01-09 22:27:23 UTC
by Lenny Zeltser (Version: 4)

Scans for vulnerabilities in Roundcube, a popular webmail package, seem to be on the rise. We reported two vulnerabilities in this software in the past month.

According to a report we received today, scans for problems in Roundcube's msgimport feature are very active (see earlier diary). @lbhuston on Twitter suggests this might be the same vulnerability announced on Help Net Security in December. For additional details about scans for this vulnerability, look at the posting at the MSI :: State of Security blog. For another data point, see the list of systems that, according to @codewolf on Twitter, are scanning him for Roundcube vulnerabilities.

The other vulnerability is in the html2text.php file (CVE-2008-5619), and is probably being targeted too (see earlier diary). There is a fix to the html2text.php problem, but I don't think the msgimport issue has a patch.

Update 1: Here are examples of Web server access logs that show recent attempts to exploit msgimport:

66.154.97.57 - - [09/Jan/2009:04:31:36 +0000] "GET /nonexistenshit HTTP/1.1" 404 212 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
8.208.193.113 - - [09/Jan/2009:06:24:55 -0500] "GET /mail/bin/msgimport HTTP/1.1" 404 391 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
88.208.193.113 - - [09/Jan/2009:06:24:55 -0500] "GET /bin/msgimport HTTP/1.1" 404 386 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
88.208.193.113 - - [09/Jan/2009:06:24:55 -0500] "GET /rc/bin/msgimport HTTP/1.1" 404 389 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
88.208.193.113 - - [09/Jan/2009:06:24:55 -0500] "GET /roundcube/bin/msgimport HTTP/1.1" 404 396 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
88.208.193.113 - - [09/Jan/2009:06:24:55 -0500] "GET /webmail/bin/msgimport HTTP/1.1" 404 394 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
58.215.88.10 - - [09/Jan/2009:09:01:13 -0500] "GET /mail/bin/msgimport HTTP/1.1" 404 391 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"

Update 2: Steven Adair from Shadowserver noticed two additional user agent strings being used by the scanners:

Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
Toata dragostea mea pentru diavol (this one was reported in our earlier diary)

Also, thanks to Ken for mentioning in the comments that Emerging Threats has Snort rules to alert on these activities. According to Ken, search emerging rules for SIDs 2008990 and 2008991.
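To turn the log excerpts above and the two extra User-Agent strings into something you can run over your own access logs, here is an added example (not from the diary or from Roundcube) that parses Apache combined-format lines, flags requests that probe for bin/msgimport or carry one of the scanner User-Agents, and groups them by source IP. The sample log lines, IP addresses (RFC 5737 documentation ranges), and the non-404 entry are constructed for illustration; a non-404 on a msgimport path is singled out because it means the script is actually reachable on that host and the request deserves follow-up rather than being dismissed as a failed probe.

```python
import re
from collections import defaultdict

# Apache "combined" log format, the layout of the excerpts in this diary.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Indicators named in the diary: the msgimport path and two scanner User-Agents.
MSGIMPORT_RE = re.compile(r'/bin/msgimport(?:[/?]|$)')
SCANNER_UAS = {
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)",
    "Toata dragostea mea pentru diavol",
}

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def scan_hits(lines):
    """Group suspicious requests by source IP.
    Returns {ip: {"paths": [...], "ua_match": bool, "non_404": [(path, status)]}}.
    A 404 means the probed path does not exist here; any other status on a
    msgimport path means the script is reachable and should be looked at."""
    hits = defaultdict(lambda: {"paths": [], "ua_match": False, "non_404": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not combined-format requests
        path_hit = bool(MSGIMPORT_RE.search(rec["path"]))
        ua_hit = rec["ua"] in SCANNER_UAS
        if not (path_hit or ua_hit):
            continue
        h = hits[rec["ip"]]
        h["paths"].append(rec["path"])
        h["ua_match"] = h["ua_match"] or ua_hit
        if path_hit and rec["status"] != "404":
            h["non_404"].append((rec["path"], rec["status"]))
    return dict(hits)

# Constructed sample lines (documentation IPs, not the addresses from the diary).
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Jan/2009:06:24:55 -0500] "GET /mail/bin/msgimport HTTP/1.1" 404 391 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"',
    '198.51.100.7 - - [09/Jan/2009:06:24:55 -0500] "GET /roundcube/bin/msgimport HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"',
    '203.0.113.9 - - [09/Jan/2009:09:01:13 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Toata dragostea mea pentru diavol"',
    '192.0.2.4 - - [09/Jan/2009:09:05:00 -0500] "GET /roundcube/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.0.5"',
]
```

Feed `scan_hits()` the lines of a real access log and review any IP whose record has a non-empty `non_404` list first.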

Update 3: Nathan shared with us a few pointers to Roundcube developer discussions of the msgimport vulnerability. "Based on http://lists.roundcube.net/mail-archive/dev/2009-01/0000055.html it seems versions prior to 0.2-alpha are vulnerable." Additional messages on the list: 1, 2. "They appear to be providing little information publicly about the exploit but appear to have acknowledged it."

-- Lenny

Lenny Zeltser
Security Consulting - Savvis, Inc.

Lenny teaches a SANS course on analyzing malware.
