Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: Active Scans for Roundcube Vulnerabilities - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Active Scans for Roundcube Vulnerabilities

Scans for vulnerabilities in Roundcube, popular web mail software, seem to be on the rise. We reported two vulnerabilities in this popular software in the past month.

According to the report we received today, scans for problems in Roundcube's msgimport feature are very active (see earlier diary). According to @lbhuston of twitter, this might be the same vulnerability announced on Help Net Security in December. For additional details about scans for this vulnerability, look at the the posting  at the MSI :: State of Security blog. For another data point, see the list of servers that, according to @codewolf on Twitter, are scanning him for Roundcube vulnerabilities.

The other vulnerability is in the html2text.php file (CVE-2008-5619), and is probably being targeted too (see earlier diary).

There is a fix to the html2text.php problem, but I don't know whether the msgimport issue has a patch.

-- Lenny

Lenny Zeltser
Security Consulting - Savvis, Inc.

Lenny teaches a SANS course on analyzing malware.



216 Posts
Jan 9th 2009
Emerging Threats ( has snort rules that alert on these. See for SIDs 2008990 and 2008991

40 Posts
I've been watching these scans in my logs, and the first thing I notice is that the scans send the target IP address as the HTTP 'Host' request header. Therefore if name-based virtual hosts are used in Apache HTTPD, only the 'default' host (typically the first one defined in the config.) would be scanned, which would limit its impact to mostly dedicated servers, rather than shared hosting.

As an experiment I responded to one of the /bin/msgimport requests with a document that should have simulated the output of that script executing without parameters. The only thing the worm did differently was to then try a POST to /bin/html2text.php which is one of the previously reported vulnerabilities. So it seems so far that the '' script is queried only as a means to determine the presence of a Roundcube installation; this doesn't appear to be a new exploit targetted at ''.

I notice Roundcube SVN commit R-2225 disables access to the scripts in /bin/ as precaution, which seems sensible. If the ExecCGI option was enabled for /bin/ for some reason, I suspect those scripts could be abused, although I haven't really investigated.
Steven C.

171 Posts
We keep noticing two such scanners in the logs:

1. The \"Toata\" one. This is the one that Steven mentioned. It typically uses \"GET HTTP/1.1 HTTP/1.1\" as a first request.
First seen here on Dec 19th, 02:31 UTC, average rate is only about 1/day in two monitored IP ranges.

2. Currently much more active is the one that uses \"GET /nonexistenshit HTTP/1.1\" as a first request,
and apparently only the Mozilla given above as a User Agent. Starting Jan 8th, 05:04 UTC, this one appears from some 30 different IPs/day.

Both of them go for IPs, not names.

3 Posts

Sign Up for Free or Log In to start participating in the conversation!