Roundcube Webmail Scanning

By: Jose -

I’ve been watching this for a couple of weeks now. I saw some initial requests to look at some data to discover what they may be after. I’ve seen some data about known attack vectors, but I haven’t seen what may be going on with the new “msgimport” function or any attacks against it. It’s possible that the “msgimport” URI is just a distinctive marker for Roundcube; it may also have a vulnerability I didn’t see in my cursory static analysis of the code.

In a message entitled “Security update for 0.2-beta”, dated December 16, the authors fixed a couple of bugs. One allowed a DoS by chewing up disk space, while the other allowed code injection via the HTML conversion script “html2text”. Neither mentions the scanned-for script, “msgimport”. Looking over the Roundcube SVN pages, I don’t see anything there either.

So I have a couple of weeks of logs to dig into: a bunch of scans. Where are they coming from? Not surprisingly, mostly the US, according to this WWW server.

world map of scanners

In this map, red shows the most serious source of scanners, blue the least, and purple is in the middle. This may be clearer using a different representation of the data, a pie graph.

ATLAS sees it a bit different, though:

Country  Country Name    Attacks per subnet  Percent Total
CH       Switzerland     0.24                78.1%
GB       Great Britain   0.06                20.6%
US       United States   0.00                 1.2%
FR       France          0.00                 0.1%
Other    N/A             0.00                 0.0%

In ATLAS this is not a major source of attacks, however.

Scans by day, starting January 1 of this year, show no obvious trend. It doesn’t seem to be slowing or growing; it just seems to be a new background attack.

Finally, and perhaps most revealing, we can see what they’re scanning for. The “msgimport” script is the most popular, but the JS file “list.js” is also being scanned for. I quickly looked it over but didn’t see anything worrisome; I may have missed something.
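The tallies above (which URIs are probed, which sources are doing it, how many per day) come from ordinary web server access logs. Here is an added example of that analysis, not code from the original post or from the Roundcube project: it parses Apache combined-format lines, keeps only requests whose basename is one of the two scanned-for files (matching both “msgimport” and the renamed “msgimport.sh”), and counts by marker, source IP and day. It also flags a source as a scanner when it requests the same marker under several different install paths, since a real Roundcube client only ever uses the one path it was installed at, while a scanner guesses /roundcube/, /webmail/, /rc/ and so on. The log lines, IP addresses and dates are constructed for illustration.

```python
"""Tally probes for Roundcube-specific URIs in Apache combined-format access logs.

Added example; not from the original post or the Roundcube project.
All log lines, IP addresses and dates below are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" format:
#   ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The two files the post reports being scanned for.
MARKERS = ("msgimport", "list.js")

# Constructed sample log: one host guessing install prefixes for bin/msgimport,
# one guessing prefixes for program/js/list.js, and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2009:03:11:02 -0500] "GET /roundcube/bin/msgimport HTTP/1.1" 404 212 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Jan/2009:03:11:02 -0500] "GET /webmail/bin/msgimport HTTP/1.1" 404 212 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Jan/2009:03:11:03 -0500] "GET /rc/bin/msgimport HTTP/1.1" 404 212 "-" "Mozilla/4.0"
198.51.100.22 - - [15/Jan/2009:11:45:10 -0500] "GET /roundcube/program/js/list.js HTTP/1.0" 404 212 "-" "-"
198.51.100.22 - - [15/Jan/2009:11:45:11 -0500] "GET /mail/program/js/list.js HTTP/1.0" 404 212 "-" "-"
192.0.2.10 - - [15/Jan/2009:12:00:00 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jan/2009:02:59:40 -0500] "GET /roundcube/bin/msgimport HTTP/1.1" 404 212 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # "14/Jan/2009:03:11:02 -0500" -> "2009-01-14" (timezone offset dropped)
    stamp = rec["time"].split()[0]
    rec["day"] = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S").date().isoformat()
    return rec


def probe_marker(path):
    """Return the marker this request path asks for, or None.

    Matches on the basename only, ignores any query string, and accepts the
    renamed msgimport.sh as well as the original msgimport.
    """
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    for marker in MARKERS:
        if name in (marker, marker + ".sh"):
            return marker
    return None


def tally(log_text, min_paths=2):
    """Count probes per marker, per source IP and per day.

    A source is listed under "scanners" once it has requested marker files
    under at least min_paths distinct paths (i.e. it is guessing install
    locations rather than using a single real one).
    """
    per_marker, per_ip, per_day = Counter(), Counter(), Counter()
    paths_per_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        marker = probe_marker(rec["path"])
        if marker is None:
            continue
        per_marker[marker] += 1
        per_ip[rec["ip"]] += 1
        per_day[rec["day"]] += 1
        paths_per_ip[rec["ip"]].add(rec["path"])
    scanners = sorted(ip for ip, paths in paths_per_ip.items() if len(paths) >= min_paths)
    return {"per_marker": per_marker, "per_ip": per_ip, "per_day": per_day, "scanners": scanners}


if __name__ == "__main__":
    result = tally(SAMPLE_LOG)
    for key in ("per_marker", "per_ip", "per_day"):
        print(key, dict(result[key]))
    print("scanners", result["scanners"])
```

On a host that actually runs Roundcube, list.js is fetched by every legitimate user, so the per-marker count alone is noisy there; the multi-path check (or restricting to 404 responses) is what separates the scanners from real clients. Point it at a real log with `tally(open("access.log").read())`.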

In short, something may be going on but I don’t know what it is.

Comments

  1. Hi,

    in regard to your comments about “disclosing” vulnerabilities, I don’t really like the general tone of your blog post. ;-)

    Initially when we released the security update in December, the issues were about html2text and a possible DoS in the rendering of the quota img. We responded to those in a timely manner.

    As for the msgimport script, the reason why this hasn’t been mentioned in Dec is that the msgimport script was renamed to msgimport.sh over 10 months ago. Now according to my rather poor mathematical skills that’s anywhere between February and March of last year (2008). And that’s the only reason.

    As for backup to my claims:
    http://trac.roundcube.net/log/trunk/roundcubemail/bin/msgimport.sh

    I don’t recall any reports back then — I could be wrong though. We run public mailinglists (http://lists.roundcube.net) which are indexed by various other public archives, so in case you find an email reporting it, you can narrow down the date.

    In the past 10 months, there have been roughly four releases (if you count the patches as their own release) where some people apparently decided not to update RoundCube to more secure, more feature-rich and also faster releases.

    Aside from those, we a) carry a low version number not for ‘web2 hype’ purposes but because we don’t recommend RoundCube for production, b) we frequently urge people to update, c) we ping maintainers of the RoundCube packages on various distros and d) we recommend and help people to set up RoundCube from SVN to ease the pain of upgrades.

    Anyway, I don’t want to get all defensive even though the above reads like it. ;-) We are open to all feedback, we have nothing to hide, always feel free to talk to us, report bugs, give feedback and so on.

    Cheers,
    Till

  2. Yea, it’s super aggressive. I’ve seen the same host hitting boxes in three locations on three networks. The abuse team at superb.net isn’t very hasty about taking down their compromised hosts either.

  3. Jose Nazario 01/18/2009, 8:24 pm

    till, please re-read the blog post very carefully and with an open approach. neither i nor anyone is saying you’re not disclosing or addressing issues when your team finds out about them. based on my experience in this field, typically when someone begins scanning for a specific URI like this it’s to attack a specific vulnerability in that component. so what i am saying is that if there is a vulnerability that some folks – aka black hats – know about it’s not known to the wider community.

    nothing more, and certainly nothing saying anything disagreeable about roundcube or that any of the developers haven’t been responsible or forthcoming.

    my only point in this blog post has been to get some stats out there and to share some info that hadn’t been shared publicly about the origins and targets of these scans, that’s all.

  4. Jose,

    I’m not objecting to you or anyone else providing background info and/or full disclosure in general. I was just saying that we did not let anything slip under the table in the announcements and releases.

    Cheers+Thanks,
    Till