Roundcube Webmail is an open-source email client written in PHP. Its extensive functionality and the convenient access it gives users to email accounts via a browser—without the need for full-fledged email clients—have made it popular among commercial and government organizations worldwide. However, this popularity also makes it an attractive target for cybercriminals who quickly adapt exploits once they become publicly known, aiming to steal credentials and corporate email communications.
About the email
In September 2024, threat intelligence experts from the Positive Technologies Security Expert Center (PT ESC) discovered an email sent to a governmental organization belonging to a CIS country. Timestamps indicate that the email was sent back in June 2024. The email appeared to be a message without text, containing only an attached document.
However, the email client didn't show the attachment. The body of the email contained distinctive tags with the statement eval(atob(...)), which decode and execute JavaScript code:
The distinctive attribute name (attributeName="href "), containing an extra space, indicated that the email was an attempt to exploit the CVE-2024-37383 vulnerability in Roundcube Webmail.
About the vulnerability
The CVE-2024-37383 vulnerability was discovered in the Roundcube Webmail email client. This is a stored XSS vulnerability that allows an attacker to execute JavaScript code on the user's page. To exploit the vulnerability, all attackers need to do is open a malicious email using a Roundcube client version earlier than 1.5.6 or from 1.6 to 1.6.6. The vulnerability was discovered by CrowdStrike researchers and patched on May 19, 2024.
The error is in the code that processes SVG elements in the email body markup. Before displaying the email, Roundcube processes the content of certain tags and their attributes, for example, by escaping special characters; this is called pre-processing. At this stage, SVG elements with the "<animate>" attributes are excluded from the final email body, with a link to an element:
Their content is replaced with empty SVG elements:
The function that pre-processes HTML elements in the email body is as follows:
To ensure that the tags <animate>, <animatecolor>, <set>, and <animatetransform> are excluded from the final page, they must contain the "href" attribute:
This attribute is checked by calling the function attribute_value($node, 'attributename', 'href'), whose code is as follows:
During the comparison (see the screenshot above), it is not taken into account that the tag attribute name obtained during document parsing may contain spaces. When an extra space is added to the "href" attribute name, the syntax
will not be filtered and will appear in the final document. Before this, it will be formatted as {attribute name} = {attribute value}:
By inserting JavaScript code as the value for "href", we can execute it on the Roundcube page whenever a Roundcube client opens a malicious email. The PoC for the vulnerability is as follows:
About the payload
The code executed in the eval function saves the empty document Road map.docx (encoded using Base64). Additionally, it attempts to obtain messages from the mail server using the ManageSieve plugin. Below is the extract from the request:
An authorization form with the fields rcmloginuser and rcmloginpwd (the user's login and password for the Roundcube client) is added to the HTML page displayed to the user. The expectation here is that these fields will either be autofilled or that the user will manually enter the details in order to re-authenticate.
The obtained login and password are sent to the libcdn.org server:
The libcdn.org domain was registered on June 6, 2024, and resolves to Cloudflare infrastructure.