elastix vulnerability: roundcube, html2text.php

maumar

#1
I would advise people who have their Elastix on the net to protect their server carefully, as a Roundcube vulnerability has been in the wild for some months:
http://www.heise-online.co.uk/security/ ... ews/112330
You should check your logs for some keywords:
grep html2text /var/log/httpd/access_log
69.64.50.209 - - [26/Jan/2009:22:36:10 +0100] "POST /bin/html2text.php HTTP/1.1" 404 293 "-" "-"
69.64.50.209 - - [26/Jan/2009:22:36:10 +0100] "POST /mail/bin/html2text.php HTTP/1.1" 200 12 "-" "-"
69.64.50.209 - - [26/Jan/2009:22:36:10 +0100] "POST /rc/bin/html2text.php HTTP/1.1" 404 296 "-" "-"
69.64.50.209 - - [26/Jan/2009:22:36:11 +0100] "POST /roundcube/bin/html2text.php HTTP/1.1" 404 303 "-" "-"
69.64.50.209 - - [26/Jan/2009:22:36:11 +0100] "POST /roundcubemail/bin/html2text.php HTTP/1.1" 404 307 "-" "-"
69.64.50.209 - - [26/Jan/2009:22:36:11 +0100] "POST /roundcube-mail/bin/html2text.php HTTP/1.1" 404 308 "-" "-"
69.64.50.209 - - [26/Jan/2009:22:36:12 +0100] "POST /roundcubemail-0.1/bin/html2text.php HTTP/1.1" 404 311 "-" "-"
69.64.50.209 - - [26/Jan/2009:22:36:12 +0100] "POST /roundcubemail-0.1.1/bin/html2text.php HTTP/1.1" 404 313 "-" "-"
69.64.50.209 - - [26/Jan/2009:22:36:12 +0100] "POST /roundcubemail-0.1beta/bin/html2text.php HTTP/1.1" 404 315 "-" "-"
69.64.50.209 - - [26/Jan/2009:22:36:12 +0100] "POST /roundcubemail-0.1beta2/bin/html2text.php HTTP/1.1" 404 316 "-" "-"
69.64.50.209 - - [26/Jan/2009:22:36:13 +0100] "POST /roundcubemail-0.1-rc1/bin/html2text.php HTTP/1.1" 404 315 "-" "-"
69.64.50.209 - - [26/Jan/2009:22:36:13 +0100] "POST /roundcubemail-0.1-rc2/bin/html2text.php HTTP/1.1" 404 315 "-" "-"
69.64.50.209 - - [26/Jan/2009:22:36:13 +0100] "POST /roundcubemail-0.2/bin/html2text.php HTTP/1.1" 404 311 "-" "-"
69.64.50.209 - - [26/Jan/2009:22:36:14 +0100] "POST /roundcubemail-0.2-alpha/bin/html2text.php HTTP/1.1" 404 317 "-" "-"
69.64.50.209 - - [26/Jan/2009:22:36:14 +0100] "POST /roundcubemail-0.2-beta/bin/html2text.php HTTP/1.1" 404 316 "-" "-"
69.64.50.209 - - [26/Jan/2009:22:36:14 +0100] "POST /webmail/bin/html2text.php HTTP/1.1" 404 301 "-" "-"


grep Morfeus /var/log/httpd/access_log*
/var/log/httpd/access_log:212.67.207.184 - - [27/Jan/2009:19:50:29 +0100] "GET /user/soapCaller.bs HTTP/1.1" 302 300 "-" "Morfeus Fucking Scanner"
/var/log/httpd/access_log:212.67.207.184 - - [27/Jan/2009:19:50:32 +0100] "GET /trixbox/soapCaller.bs HTTP/1.1" 302 303 "-" "Morfeus Fucking Scanner"
/var/log/httpd/access_log:212.67.207.184 - - [27/Jan/2009:19:50:32 +0100] "GET /user/index.phpsoapCaller.bs HTTP/1.1" 302 309 "-" "Morfeus Fucking Scanner"

Apart from not exposing the server on the public net and also firewalling carefully, you can apply many patches (search on Google); I fixed /etc/httpd/conf/httpd.conf:
# Added to redirect http to https

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

# Return 403 Forbidden to clients whose User-Agent starts with "Morfeus"
RewriteCond %{HTTP_USER_AGENT} ^Morfeus
RewriteRule ^.*$ - [F]

# Same for User-Agents starting with "Toata"
RewriteCond %{HTTP_USER_AGENT} ^Toata
RewriteRule ^.*$ - [F]


Another fix is mounting /tmp on a separate partition with noexec.

I suggest the Elastix authors use a different partition for /tmp and mount it noexec:
http://forums.theplanet.com/index.php?showtopic=27771
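
The log check from the first post, as an added example that is not part of the original thread: a small filter that separates html2text.php probes that only hit a 404 from those the server actually answered, and also flags the scanner User-Agents blocked above. The function names and the sample lines are constructed for illustration; the sample uses documentation IP addresses.

```shell
#!/bin/sh
# Added example: triage Apache combined-format access log lines for the
# probes shown in this thread. Reads log lines on stdin and prints one line
# per hit:  <verdict> <client-ip> <status> <path-or-user-agent>
#   REACHABLE = html2text.php request answered with a status other than 404,
#               so the script exists at that path and must be patched/removed
#   PROBE     = html2text.php request that got 404 (scan only)
#   SCANNER   = request whose User-Agent starts with Morfeus or Toata
triage_log() {
    awk -F'"' '
    {
        # Quote-separated fields of the combined log format:
        #   $1 = ip, ident, user, [time]    $2 = request line
        #   $3 = status and size            $6 = user agent
        split($1, pre, " ");  ip = pre[1]
        split($2, req, " ");  path = req[2]
        split($3, res, " ");  status = res[1]
        ua = $6

        if (path ~ /\/bin\/html2text\.php/) {
            verdict = (status == "404") ? "PROBE" : "REACHABLE"
            print verdict, ip, status, path
        } else if (ua ~ /^(Morfeus|Toata)/) {
            print "SCANNER", ip, status, ua
        }
    }'
}

# Constructed sample lines in the same format as the logs quoted above
# (192.0.2.x and 198.51.100.x are documentation addresses).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [26/Jan/2009:22:36:10 +0100] "POST /bin/html2text.php HTTP/1.1" 404 293 "-" "-"
192.0.2.10 - - [26/Jan/2009:22:36:10 +0100] "POST /mail/bin/html2text.php HTTP/1.1" 200 12 "-" "-"
198.51.100.7 - - [27/Jan/2009:19:50:29 +0100] "GET /user/soapCaller.bs HTTP/1.1" 302 300 "-" "Morfeus Scanner"
192.0.2.44 - - [27/Jan/2009:20:01:02 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
}

# Run over the constructed sample; on a server, feed the real log instead.
sample_log | triage_log | sort
```

On a live system the same function can be fed the real log, for example `triage_log < /var/log/httpd/access_log`. Any REACHABLE line means the request got past the 404 and deserves a closer look than the rest of the scan noise.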
 

rafael

#2
Thanks a lot, I just informed the development team about this.
 

ramoncio

#3
You can add these lines to the Elastix post-install script in ks.cfg to do it automatically:

Code:
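# Create a ~200 MB file to hold the /tmp filesystem
dd if=/dev/zero of=/dev/tmpMnt bs=1024 count=200000
mke2fs -F /dev/tmpMnt
# Save the current contents of /tmp (-a keeps ownership, modes and dotfiles)
cp -a /tmp /tmp_backup
# Loop-mount the image as /tmp without exec or setuid
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp
# World-writable with the sticky bit, as /tmp normally is
chmod 1777 /tmp
cp -a /tmp_backup/. /tmp/
rm -rf /tmp_backup
# Make the mount persistent across reboots
echo "/dev/tmpMnt             /tmp                    ext2    loop,noexec,nosuid,rw  0 0" >> /etc/fstab
Rafael, ask the developers whether there is any problem with changing /tmp to noexec.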
 
