支持本站 — 捐款将帮助我们持续运营

目标:1000 元,已筹:752

75.2%
立即捐款

POC详情: 4051f6da6c42edd79c5b01779411ea40cad1176a

来源
https://github.com/l4f2s4/CVE-2025-49113_exploit_cookies
关联漏洞
标题:Roundcube Webmail 安全漏洞 (CVE-2025-49113)
描述:Roundcube Webmail是Roundcube开源的一款基于浏览器的开源IMAP客户端,它支持地址薄管理、信息搜索、拼写检查等。 Roundcube Webmail 1.5.10之前版本和 1.6.11之前版本存在安全漏洞,该漏洞源于未验证_from参数,可能导致PHP对象反序列化攻击。
描述
CVE-2025-49113 - Roundcube Remote Code Execution
介绍
# CVE-2025-49113 - Roundcube Webmail Remote Code Execution Vulnerability

## **Technical Overview**
CVE-2025-49113 is a critical insecure deserialization vulnerability in Roundcube Webmail that enables authenticated remote code execution. The vulnerability stems from improper handling of serialized PHP objects during file upload operations.

### **Vulnerability Analysis**
- **Root Cause**: Unsafe deserialization of user-controlled data in the file upload functionality
- **Attack Vector**: Crafted file upload request containing malicious serialized PHP object
- **Technical Details**:
  - Exists in `program/steps/mail/attach.inc`
  - Processes `_file` parameter metadata without proper validation
  - Combines two injection techniques:
    1. PHP session injection via `_form` parameter
    2. Malicious object injection via `filename` parameter

### **Affected Versions**
- Roundcube Webmail 1.5.0 through 1.5.9
- Roundcube Webmail 1.6.0 through 1.6.10

### **Prerequisites for Exploitation**
- PHP 7.0 or higher
- cURL extension enabled
- Valid authenticated session credentials
- File upload functionality access

---

## **Exploitation Mechanism**

### **Technical Workflow**
1. **Version Verification**: Validates vulnerable version through response patterns
2. **Authentication Bypass**: Uses provided session cookies for authentication
3. **Payload Delivery**: 
   - Crafts multipart/form-data request with PNG image
   - Injects malicious serialized PHP object into filename parameter
   - Injects session manipulation via `_form` parameter
4. **Triggering Deserialization**: 
   - Vulnerable deserialization routine during file processing
   - Gadget chain execution during object unserialization
5. **Command Execution**: Leverages `system()` function for shell command execution

### **Code Execution Flow**
```php
// Simplified exploitation flow
$target_url = $base_url . "?_task=mail&_action=upload&_form=injected_session_data";
$post_data = [
    '_file' => '{"name":"malicious_object_gadget","path":"..."}',
    'file' => curl_file_create('fake.png', 'image/png', 'exploit.png')
];
$response = curl_exec($target_url, $post_data);
// Vulnerable deserialization occurs in attach.inc processing
// Gadget chain triggers command execution: system($_POST['cmd']);
```

---

## **Usage Instructions**

### **Command Syntax**
```bash
php CVE-2025-49113-exploit_cookies.php <url> <cookies> <command>
```

### **Parameters**
| Parameter | Description | Example |
|-----------|-------------|---------|
| `<url>` | Base URL of Roundcube installation | `https://mail.example.com/roundcube/` |
| `<cookies>` | Valid session cookies | `roundcube_sessid=abc123; roundcube_sessauth=xyz456` |
| `<command>` | OS command to execute | `id` or `whoami` |

### **Example Execution**
```bash
php CVE-2025-49113-exploit_cookies.php \
    https://mail.example.com/roundcube/ \
    "roundcube_sessid=abc123; roundcube_sessauth=xyz456" \
    "cat /etc/passwd"
```

---

## **Detection & Mitigation**

### **Indicators of Compromise**
- Unusual file upload requests with serialized data
- Unexpected processes spawned by web server user
- Abnormal entries in Roundcube or web server logs

### **Mitigation Strategies**
1. **Immediate Action**: Upgrade to Roundcube version 1.6.11 or later
2. **Temporary Workaround**: Implement input validation filters for file uploads
3. **Network Controls**:
   - Restrict access to administration interfaces
   - Implement WAF with deserialization attack detection
4. **Monitoring**: Enhance logging for file upload operations

---

## **References**
- [NIST NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2025-49113)
- [Roundcube Security Advisory](https://github.com/roundcube/roundcubemail/security/advisories)
- [Original Research](https://fearsoff.org/research/roundcube)
- [Exploit Code Reference](https://github.com/fearsoff-org/CVE-2025-49113)
- [Technical Analysis](https://www.offsec.com/blog/cve-2025-49113)

---

## **Legal & Ethical Considerations**
*This information is provided for educational purposes only. Unauthorized testing against systems without explicit permission is illegal. Always obtain proper authorization before conducting security assessments. The authors and publishers assume no responsibility for any misuse of this information.*
文件快照

 [4.0K]  /data/pocs/4051f6da6c42edd79c5b01779411ea40cad1176a
├── [6.5K]  CVE-2025-49113-exploit_cookies.php
└── [4.2K]  README.md

0 directories, 2 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。