elastix vulnerability: roundcube, html2text.php

Discussion in 'General' started by maumar, Jan 27, 2009.

  1. maumar

    Joined:
    Sep 12, 2008
    Messages:
    80
    Likes Received:
    0
    I would advise people who have their Elastix on the net to protect their server carefully, as for some months a Roundcube vulnerability has been in the wild:
    http://www.heise-online.co.uk/security/ ... ews/112330
    You should check your logs for some keywords:
    grep html2text /var/log/httpd/access_log
    69.64.50.209 - - [26/Jan/2009:22:36:10 +0100] "POST /bin/html2text.php HTTP/1.1" 404 293 "-" "-"
    69.64.50.209 - - [26/Jan/2009:22:36:10 +0100] "POST /mail/bin/html2text.php HTTP/1.1" 200 12 "-" "-"
    69.64.50.209 - - [26/Jan/2009:22:36:10 +0100] "POST /rc/bin/html2text.php HTTP/1.1" 404 296 "-" "-"
    69.64.50.209 - - [26/Jan/2009:22:36:11 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 404 303 "-" "-"
    69.64.50.209 - - [26/Jan/2009:22:36:11 +0100] "POST /roundcubemail/bin/html2text.php HTTP/1.1" 404 307 "-" "-"
    69.64.50.209 - - [26/Jan/2009:22:36:11 +0100] "POST /roundcube-mail/bin/html2text.php HTTP/1.1" 404 308 "-" "-"
    69.64.50.209 - - [26/Jan/2009:22:36:12 +0100] "POST /roundcubemail-0.1/bin/html2text.php HTTP/1.1" 404 311 "-" "-"
    69.64.50.209 - - [26/Jan/2009:22:36:12 +0100] "POST /roundcubemail-0.1.1/bin/html2text.php HTTP/1.1" 404 313 "-" "-"
    69.64.50.209 - - [26/Jan/2009:22:36:12 +0100] "POST /roundcubemail-0.1beta/bin/html2text.php HTTP/1.1" 404 315 "-" "-"
    69.64.50.209 - - [26/Jan/2009:22:36:12 +0100] "POST /roundcubemail-0.1beta2/bin/html2text.php HTTP/1.1" 404 316 "-" "-"
    69.64.50.209 - - [26/Jan/2009:22:36:13 +0100] "POST /roundcubemail-0.1-rc1/bin/html2text.php HTTP/1.1" 404 315 "-" "-"
    69.64.50.209 - - [26/Jan/2009:22:36:13 +0100] "POST /roundcubemail-0.1-rc2/bin/html2text.php HTTP/1.1" 404 315 "-" "-"
    69.64.50.209 - - [26/Jan/2009:22:36:13 +0100] "POST /roundcubemail-0.2/bin/html2text.php HTTP/1.1" 404 311 "-" "-"
    69.64.50.209 - - [26/Jan/2009:22:36:14 +0100] "POST /roundcubemail-0.2-alpha/bin/html2text.php HTTP/1.1" 404 317 "-" "-"
    69.64.50.209 - - [26/Jan/2009:22:36:14 +0100] "POST /roundcubemail-0.2-beta/bin/html2text.php HTTP/1.1" 404 316 "-" "-"
    69.64.50.209 - - [26/Jan/2009:22:36:14 +0100] "POST /webmail/bin/html2text.php HTTP/1.1" 404 301 "-" "-"


    grep Morfeus /var/log/httpd/access_log*
    /var/log/httpd/access_log:212.67.207.184 - - [27/Jan/2009:19:50:29 +0100] "GET /user/soapCaller.bs HTTP/1.1" 302 300 "-" "Morfeus Fucking Scanner"
    /var/log/httpd/access_log:212.67.207.184 - - [27/Jan/2009:19:50:32 +0100] "GET /trixbox/soapCaller.bs HTTP/1.1" 302 303 "-" "Morfeus Fucking Scanner"
    /var/log/httpd/access_log:212.67.207.184 - - [27/Jan/2009:19:50:32 +0100] "GET /user/index.phpsoapCaller.bs HTTP/1.1" 302 309 "-" "Morfeus Fucking Scanner"

    Apart from not exposing the server on the public net, or firewalling it carefully, you can apply many patches (search on Google); I fixed /etc/httpd/conf/httpd.conf:
    # Added to redirect http to https
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

    # Refuse (403) any request whose User-Agent starts with Morfeus or Toata
    RewriteCond %{HTTP_USER_AGENT} ^Morfeus
    RewriteRule ^.*$ - [F]

    RewriteCond %{HTTP_USER_AGENT} ^Toata
    RewriteRule ^.*$ - [F]


    Another fix is mounting /tmp on a separate partition, noexec.

    I suggest the Elastix authors use a separate partition for /tmp and mount it noexec:
    http://forums.theplanet.com/index.php?showtopic=27771
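As an added example (not part of maumar's post, and not Elastix code): the same triage the two grep commands do, written as a small POSIX shell script that separates blind 404 probes for html2text.php from requests the server actually answered with 200 (the ones that prove the script exists on that host), and counts requests from the scanner user-agents. The log lines embedded in it are constructed in the thread's log format with documentation IPs; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original thread): triage an Apache access_log
# for the Roundcube html2text.php probes and scanner user-agents shown above.
# A 404 on html2text.php is a blind probe; a 200 means the script exists on
# this host and was executed, so that host needs its Roundcube checked.

# Constructed sample log lines (format copied from the thread; IPs and times
# are made up) so the script runs offline. Pass a real access_log instead.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [26/Jan/2009:22:36:10 +0100] "POST /bin/html2text.php HTTP/1.1" 404 293 "-" "-"
192.0.2.10 - - [26/Jan/2009:22:36:10 +0100] "POST /mail/bin/html2text.php HTTP/1.1" 200 12 "-" "-"
192.0.2.10 - - [26/Jan/2009:22:36:11 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 404 303 "-" "-"
198.51.100.7 - - [27/Jan/2009:19:50:29 +0100] "GET /user/soapCaller.bs HTTP/1.1" 302 300 "-" "Morfeus Fucking Scanner"
198.51.100.7 - - [27/Jan/2009:19:50:32 +0100] "GET /trixbox/soapCaller.bs HTTP/1.1" 302 303 "-" "Morfeus Fucking Scanner"
203.0.113.5 - - [27/Jan/2009:20:01:00 +0100] "GET /index.php HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
EOF
}

# Print "count ip" for every client that probed for html2text.php (any status).
# In the combined log format $1 is the client IP, $7 the request path, $9 the status.
html2text_probers() {
    awk '$7 ~ /html2text\.php$/ { n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Print only the html2text.php requests the server answered with 200:
# those hit an existing script, unlike the blind 404 probes.
html2text_hits() {
    awk '$7 ~ /html2text\.php$/ && $9 == 200 { print $1, $7 }' "$1"
}

# Count requests whose User-Agent (last quoted field) starts with a known
# scanner name. grep -c still prints 0 on no match but exits 1, hence "|| :".
scanner_requests() {
    grep -c -E '"(Morfeus|Toata)[^"]*"$' "$1" || :
}

LOG=${1:-/var/log/httpd/access_log}
if [ ! -r "$LOG" ]; then
    LOG=$(mktemp)
    write_sample_log "$LOG"
fi
echo "== html2text.php probes per source IP"
html2text_probers "$LOG"
echo "== html2text.php requests answered 200 (investigate these)"
html2text_hits "$LOG"
echo "== requests from Morfeus/Toata scanners: $(scanner_requests "$LOG")"
```

Run it as `sh triage.sh /var/log/httpd/access_log`; without a readable log it falls back to the constructed sample. On an Elastix box the line to worry about is the 200 on /mail/bin/html2text.php, because that is where Elastix serves Roundcube and the response shows the script ran.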
     
  2. rafael

    Joined:
    May 14, 2007
    Messages:
    1,454
    Likes Received:
    1
    Thanks a lot, I have just informed the development team about this.
     
  3. ramoncio

    Joined:
    May 12, 2010
    Messages:
    1,663
    Likes Received:
    0
    You can add these lines to the Elastix post-install script in ks.cfg to do it automatically:

    Code:
    # Back the new /tmp with a 200 MB file-based ext2 filesystem mounted via loop
    dd if=/dev/zero of=/dev/tmpMnt bs=1024 count=200000
    mke2fs -F /dev/tmpMnt
    # Preserve whatever is already in /tmp (-a keeps ownership, modes and dotfiles),
    # then mount the new filesystem over it: noexec = nothing in it can be executed,
    # nosuid = set-uid/set-gid bits in it are ignored
    cp -a /tmp /tmp_backup
    mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
    # 1777: world-writable with the sticky bit, as /tmp must be
    chmod 1777 /tmp
    cp -a /tmp_backup/. /tmp/
    rm -rf /tmp_backup
    # Make the mount permanent
    echo "/dev/tmpMnt             /tmp                    ext2    loop,noexec,nosuid,rw  0 0" >> /etc/fstab
    
    Rafael, ask the developers whether there is any problem with making /tmp noexec.
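An added check, not from ramoncio's post or the Elastix kickstart: once the loop mount is in place (and again after the first reboot, which is when a missing or failed fstab mount shows up), confirm from the kernel's own view in /proc/mounts that /tmp carries noexec and nosuid, and then prove it by trying to execute a file placed there. The /proc/mounts excerpt embedded below is constructed for the offline test; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original thread): verify that a hardened /tmp
# really carries noexec and nosuid, first as reported by the kernel, then with
# a live execution attempt.

# Print the mount options of mount point $1 as listed in /proc/mounts
# (device mountpoint fstype options 0 0). If the path is mounted more than
# once the last line is the effective one. $2 optionally names another
# mounts file, used here for the offline test.
mount_opts_for() {
    awk -v mp="$1" '$2 == mp { opts = $4 } END { print opts }' "${2:-/proc/mounts}"
}

# Return 0 if option $2 appears in the comma-separated option list $1.
has_mount_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print the options from "noexec nosuid" that mount point $1 lacks.
# An empty result means both are set; an unmounted path lacks both.
missing_tmp_opts() {
    opts=$(mount_opts_for "$1" "$2")
    missing=""
    for want in noexec nosuid; do
        has_mount_opt "$opts" "$want" || missing="$missing $want"
    done
    echo "${missing# }"
}

# Live check: on a noexec /tmp the kernel refuses to run a file from it even
# with the x bit set. Returns 0 if execution was blocked, 1 if it succeeded,
# 2 if no test file could be created.
tmp_exec_blocked() {
    f=$(mktemp /tmp/noexec-test.XXXXXX) || return 2
    printf '#!/bin/sh\nexit 0\n' > "$f"
    chmod 700 "$f"
    if "$f" 2>/dev/null; then
        rm -f "$f"
        return 1
    fi
    rm -f "$f"
    return 0
}

# Constructed /proc/mounts excerpt (made up for this example): a /tmp mounted
# as in the thread, a /home/tmp missing nosuid, and no separate /var/tmp.
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/mapper/VolGroup00-LogVol00 / ext3 rw,data=ordered 0 0
/dev/loop0 /tmp ext2 rw,nosuid,noexec 0 0
/dev/loop1 /home/tmp ext2 rw,noexec 0 0
EOF
}

MP=${1:-/tmp}
m=$(missing_tmp_opts "$MP")
if [ -z "$m" ]; then
    echo "$MP: noexec and nosuid are set"
else
    echo "$MP: missing mount options: $m"
fi
tmp_exec_blocked
case $? in
    0) echo "execution from /tmp is blocked" ;;
    1) echo "WARNING: a script placed in /tmp still executes" ;;
    *) echo "could not create a test file in /tmp" ;;
esac
```

Run it as `sh check_tmp.sh` (or pass another mount point as the first argument). If the live test still executes after the fstab line was added, the mount usually did not happen at boot: check that the backing file is still present and that `mount -a` succeeds. On systems where /dev is a tmpfs populated by udev, a regular file created there does not survive a reboot, so a backing file kept under /dev is worth verifying after the first restart.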
     
