Introduction
The Roundcube webmail project is a popular and widely deployed open source webmail solution.
On June 6, 2023, security researchers discovered a vulnerability in Roundcube’s “markasjunk” plugin. This vulnerability allows an attacker to execute commands on the server by supplying a specially crafted identity email address that the plugin passes to a shell.
Although the vulnerability carries a CVSSv3 score of 6.5, Cyberthint analysts consider its real-world impact critical. It is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command).
Affected Versions: Roundcube 1.6.1 and earlier, when the markasjunk plugin is enabled.
This blog post presents a technical analysis of the command injection vulnerability in Roundcube’s markasjunk plugin, which was discovered by an independent security researcher, along with how it can be exploited and how it can be mitigated.
Affected RoundCube Webmail Systems Worldwide
According to the results of queries we ran through the Shodan and Censys search engines, more than 2 million websites worldwide are potentially affected by this plugin vulnerability.
You can also check for affected systems using the queries below:
Shodan Dork (Result: 21,086)
http.favicon.hash:-976235259
Censys Dork (Result: 77,715)
roundcube
Technical Analysis
Vulnerable Configuration
- The “cmd_learn” learning driver must be selected in “plugins/markasjunk/config.inc.php”:
$config['markasjunk_learning_driver'] = "cmd_learn";
- “markasjunk_spam_cmd” must contain the “%i” placeholder in “plugins/markasjunk/config.inc.php”:
$config['markasjunk_spam_cmd'] = "salearn %i";
Because the identity email address is substituted for “%i” without any escaping, every shell metacharacter it contains is interpreted by the shell, so a user controls what runs alongside the configured command.
Any Roundcube user with the ordinary ability to edit their own email identity and move a message to the Junk folder can exploit this vulnerability.
The function that causes the command injection is “_do_salearn()” in the “plugins/markasjunk/drivers/cmd_learn.php” file.
This function runs whenever a message is moved to the Junk folder from the web interface.
If $config['markasjunk_spam_cmd'] contains “%i”, line 59 substitutes the identity email into the command string:
$command = str_replace('%i', $identity['email'], $command);
The value of $identity['email'] is the email address the user entered under “Settings -> Identities” in the web interface.
The resulting command is executed on line 102:
$output = shell_exec($tmp_command);
An attacker can exploit the vulnerability by changing the identity email address from “[email protected]” to “analyst&touch${IFS}test.txt&@cyberthint.io”.
When a message is then moved to Junk, “_do_salearn()” builds and runs the following command line:
“salearn analyst&touch${IFS}test.txt&@cyberthint.io“
Since the shell treats “&” as a command separator and expands “${IFS}” to whitespace, it also runs “touch test.txt”, which creates the file “test.txt”.
Vulnerability Fix Recommendations
Edit line 59 of the “plugins/markasjunk/drivers/cmd_learn.php” file as follows:
Vulnerable: $command = str_replace('%i', $identity['email'], $command);
Patched: $command = str_replace('%i', escapeshellarg($identity['email']), $command);
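The following PHP script is an added example and is not Roundcube’s code: it reproduces the substitution step from _do_salearn() described above, placing the page’s vulnerable str_replace() call beside the escapeshellarg() fix, and shows what each produces for a normal identity and for the crafted one quoted above. Nothing is passed to shell_exec(); the command strings are only built and printed. The function names, the benign identity and the allowlist regular expression in identity_looks_safe() are assumptions made for this example, not part of the patch.

```php
<?php
// Added example, not Roundcube code. Builds the markasjunk command string the
// way cmd_learn.php does, vulnerable and patched, without executing anything.

// Constructed inputs: the config value from the page, one benign identity
// (constructed) and the crafted identity quoted on the page.
$spam_cmd         = "salearn %i";
$benign_identity  = "analyst@cyberthint.io";
$crafted_identity = 'analyst&touch${IFS}test.txt&@cyberthint.io';

// Vulnerable behaviour (line 59 on the page): raw substitution, so any shell
// metacharacter in the identity becomes part of the line shell_exec() later runs.
function build_command_vulnerable(string $template, string $identity): string
{
    return str_replace('%i', $identity, $template);
}

// Patched behaviour: escapeshellarg() wraps the identity in single quotes and
// escapes embedded quotes, so the shell sees exactly one argument whatever the
// identity contains.
function build_command_patched(string $template, string $identity): string
{
    return str_replace('%i', escapeshellarg($identity), $template);
}

// Defence in depth (an assumption for this example, not part of the page's fix):
// accept only identities made of characters an ordinary mailbox needs. This
// allowlist is deliberately stricter than RFC 5322, which permits characters such
// as "&", "$" and "{" in the local part, so rely on escapeshellarg() as the primary fix.
function identity_looks_safe(string $identity): bool
{
    return preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $identity) === 1;
}

foreach ([$benign_identity, $crafted_identity] as $identity) {
    echo "identity  : $identity\n";
    echo "vulnerable: " . build_command_vulnerable($spam_cmd, $identity) . "\n";
    echo "patched   : " . build_command_patched($spam_cmd, $identity) . "\n";
    echo "allowlist : " . (identity_looks_safe($identity) ? "accepted" : "rejected") . "\n\n";
}
```

For the crafted identity the vulnerable builder yields the exact line shown above, while the patched builder yields salearn 'analyst&touch${IFS}test.txt&@cyberthint.io', a single quoted argument in which “&” and “${IFS}” have no special meaning. The allowlist check is useful as an extra gate when identities are saved, but escapeshellarg() at the substitution point is what actually closes the injection.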
Roundcube has also announced that it will patch this vulnerability in the next release.