maxxer wrote:yeeP6rai wrote:Yes... Thanks
along with them I found also some .class files with the same basename of .java
I found too .class files)
CVE-2019-9670 being actively exploited (Hacked Server)
Re: CVE-2019-9670 being actively exploited
I found too .class files)
Re: CVE-2019-9670 being actively exploited
What about these files
140975184 380 -rw-r----- 1 zimbra zimbra 387528 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/login_jsp.java
134466281 116 -rw-r----- 1 zimbra zimbra 115258 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/launchZCS_jsp.java
140991166 8 -rw-r----- 1 zimbra zimbra 5248 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/Resources_jsp.java
141005691 8 -rw-r----- 1 zimbra zimbra 4232 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/Boot_jsp.java
141408461 12 -rw-r--r-- 1 zimbra zimbra 11325 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/Offline_jsp.java
141444302 32 -rw-r--r-- 1 zimbra zimbra 31401 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/error_jsp.java
1208114647 32 -rw-r----- 1 zimbra zimbra 29461 Apr 10 11:59 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbraAdmin/org/apache/jsp/public_/admin_jsp.java
1208114649 8 -rw-r----- 1 zimbra zimbra 5248 Apr 10 11:59 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbraAdmin/org/apache/jsp/public_/Resources_jsp.java
1208137772 8 -rw-r----- 1 zimbra zimbra 4232 Apr 10 11:59 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbraAdmin/org/apache/jsp/public_/Boot_jsp.java
140975184 380 -rw-r----- 1 zimbra zimbra 387528 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/login_jsp.java
134466281 116 -rw-r----- 1 zimbra zimbra 115258 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/launchZCS_jsp.java
140991166 8 -rw-r----- 1 zimbra zimbra 5248 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/Resources_jsp.java
141005691 8 -rw-r----- 1 zimbra zimbra 4232 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/Boot_jsp.java
141408461 12 -rw-r--r-- 1 zimbra zimbra 11325 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/Offline_jsp.java
141444302 32 -rw-r--r-- 1 zimbra zimbra 31401 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/error_jsp.java
1208114647 32 -rw-r----- 1 zimbra zimbra 29461 Apr 10 11:59 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbraAdmin/org/apache/jsp/public_/admin_jsp.java
1208114649 8 -rw-r----- 1 zimbra zimbra 5248 Apr 10 11:59 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbraAdmin/org/apache/jsp/public_/Resources_jsp.java
1208137772 8 -rw-r----- 1 zimbra zimbra 4232 Apr 10 11:59 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbraAdmin/org/apache/jsp/public_/Boot_jsp.java
Re: CVE-2019-9670 being actively exploited
srekkas wrote:What about these files
I don't know if they're original zimbra files or not, but I think so.
Someone in IRC (can't recall exactly) raised the problem that some Zimbra original JSP file were touched by the infection. And it suggested to use package manager to verify file integrity. While I don't recall if the discussion went on, I found way to do that for Ubuntu and RHEL.
For the first
Code: Select all
apt install debsums
dpkg -l zimbra* | grep ^ii | awk '{print $2}' | xargs debsums -c
for the latter
Code: Select all
rpm -qa zimbra* | xargs rpm -qV - | egrep -E '^.{2}5'
They list all the changed files form the originally installed content. Some changes are legit, but there are changed files which remains unknown to me. Like the _public ones above. On Ubuntu the output is shorter, while on RHEL (8.6) I get really a lot of files (js, zgz, properties...). Wondering if it's really useful
Re: CVE-2019-9670 being actively exploited
maxxer wrote:lCode: Select all
rpm -qa zimbra* | xargs rpm -qV - | egrep -E '^.{2}5'
some correction
Code: Select all
rpm -qa "zimbra*" | xargs rpm -qV - | egrep -E '^.{2}5'Output codes:
S = File size changed
M = File mode changed
5 = MD5 checksum changed
L = Symlink changed
U = Owner changed
G = Group changed
T = Modification time changed
c = it is a configuration file that has changed
missing = file is gone.
Re: CVE-2019-9670 being actively exploited
Hi,
How to know if your server is still vulnerable after apply the patch ?
I read the A Saga of Code Executions on Zimbra post and it mentioned that run a command to check the deserialization RCE (zmprov gs `zmhostname` zimbraMemcachedClientServerList). No value have to be returned, is it true?
Thank you for the information.
How to know if your server is still vulnerable after apply the patch ?
I read the A Saga of Code Executions on Zimbra post and it mentioned that run a command to check the deserialization RCE (zmprov gs `zmhostname` zimbraMemcachedClientServerList). No value have to be returned, is it true?
Thank you for the information.
Re: CVE-2019-9670 being actively exploited
Other than apply patch, any workaround which can apply to platform.
Some suggestion of filtering "service/proxy" at Proxy Ngnix. Is it enough?
I observed that hacker will place jsp file at mailbox server. If we change the folder ownership of /opt/zimbra/jetty/webapps/zimbra to other user like zimbraweb while the web application runs under zimbra. The zimbra account only has the read/execute permission. Will it prevent hacker on uploading files to platform?
Some suggestion of filtering "service/proxy" at Proxy Ngnix. Is it enough?
I observed that hacker will place jsp file at mailbox server. If we change the folder ownership of /opt/zimbra/jetty/webapps/zimbra to other user like zimbraweb while the web application runs under zimbra. The zimbra account only has the read/execute permission. Will it prevent hacker on uploading files to platform?
-
halfgaar
- Advanced member
- Posts: 85
- Joined: Sat Sep 13, 2014 12:54 am
- Location: Netherlands
- ZCS/ZD Version: Release 8.8.15.GA.3869.UBUNTU16.64
Re: CVE-2019-9670 being actively exploited
I was looking into the possibility of setting HTTP auth on Nginx. It would have to be such that /dav/ is exempt, because Android carddav and caldav can't work with HTTP logins.
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template is rather complex though.
I may also set up an Nginx proxy on another server.
I will post back when I have something useful.
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template is rather complex though.
I may also set up an Nginx proxy on another server.
I will post back when I have something useful.
Re: CVE-2019-9670 being actively exploited
Can anyone give a quick description of how this exploit happens?
Does it require a valid authenticated user to happen?
Does it require a valid authenticated user to happen?
Re: CVE-2019-9670 being actively exploited
The second and third posts in this thread have some links in them that give you descriptions of this exploit, you should read them.tin wrote:Can anyone give a quick description of how this exploit happens?
Does it require a valid authenticated user to happen?
Re: CVE-2019-9670 being actively exploited
tin wrote:Can anyone give a quick description of how this exploit happens?
Does it require a valid authenticated user to happen?
if you have a vulnerable zimbra installation you're vulnerable, you cannot add mitigation (probably only a WAF could do something). there are several links in the thread with full history of the exploit, and also Zimbra blog has references
Who is online
Users browsing this forum: No registered users and 17 guests