[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Zimbra zero-day exploit
Following up on Thom's note, here are the details:
Guidance on Zimbra Vulnerability:
This vulnerability was identified in Feb 2013, and a fix released by Zimbra in Feb 2013. The bug number was the following (note: it is locked, so the full details are not currently public):
Vulnerability about skin/branding feature, sensitive information can be retrieved
Fixed: 7.2.2 Patch 2, 7.2.3, 8.0.2 Patch 1, 8.0.3
A notification for this issue was published to the Zimbra Support Portal on Feb 26, 2013: https://support.zimbra.com/node/346
Also, a notification was included in these Release Notes:
* 8.0.2 Patch 1: http://files2.zimbra.com/website/docs/8.0/ZCS_Patch_8_0_2_r1.pdf
o February 19, 2013: Patch 8.0.2 P1 patch fixes the following bug: Bug 80338 Security Fix
* 7.2.2 Patch 2: http://files2.zimbra.com/website/docs/7.2/ZCS_Patch_7_2_2_r1.pdf
o February 19, 2013: Patch 7.2.2 P2 patch fixes the following bug: Bug 80338 Security Fix
ZCS7 Customers:
ZCS7 Customers should upgrade to 7.2.2 Patch 2 or later (7.2.5 is the latest, and 7.2.6 will be released in the near future). Customers running these versions should not be vulnerable.
ZCS8 Customers:
ZCS8 Customers should upgrade to 8.0.2 Patch 1 or later (8.0.5 is the latest, and 8.0.6 will be released in the near future). Customers running these versions should not be vulnerable.
If using Nginx or other proxy, you could use a configuration like the following to some effect:
You need to add the below 3 lines to
if ($request_uri ~ "\.\.") {
return 404;
if ($request_uri ~ "\%2[eE]\%2[eE]") {
return 404;
Then run:
$ zmproxyconfgen
$ zmproxyctl restart
Published Exploit:
Originally posted to Twitter: https://twitter.com/DigitalCTF
# Exploit Title: Zimbra 0day exploit / Privilegie escalation via LFI
# Date: 06 Dec 2013
# Exploit Author: rubina119
# Contact Email : rubina119[at]gmail.com
# Vendor Homepage: http://www.zimbra.com/
# Version: 2009, 2010, 2011, 2012 and early 2013 versions are afected,
# Tested on: Centos(x), Ubunutu.
# CVE : No CVE, no patch just 0Day
# State : Critical
# Mirror: http://www.exploit-db.com/sploits/zimbraexploit_rubina119.zip
This script exploits a Local File Inclusion in
which allows us to see localconfig.xml
that contains LDAP root credentials wich allow us to make requests in
/service/admin/soap API with the stolen LDAP credentials to create user
with administration privlegies
and gain acces to the Administration Console.
LFI is located at :
Example :
Before use this exploit, target server must have admin console port open
"7071" otherwise it won't work.
use the exploit like this :
ruby run.rb -t mail.example.com -u someuser -p Test123_23
[*] Looking if host is vuln....
[+] Host is vuln exploiting...
[+] Obtaining Domain Name
[+] Creating Account
[+] Elevating Privileges
[+] Login Credentials
[*] Login URL : https://mail.example.com:7071/zimbraAdmin/
[*] Account : someuser@example.com
[*] Password : Test123_23
[+] Successfully Exploited !
The number of servers vuln are huge like 80/100.
This is only for educational purpouses.
----- Original Message -----
From: "Will Froning" <wfroning@aus.edu>
To: "Zimbra Higher-Ed Admins" <zimbra-hied-admins@sfu.ca>
Sent: Sunday, December 8, 2013 3:10:09 PM
Subject: Re: Zimbra zero-day exploit
Hello Magnus,
On Dec 9, 2013, at 2:54 AM, Magnus Morén <magnus.moren@hh.se> wrote:
> Hi,
> See Quanahs answer (#4) here: http://www.zimbra.com/forums/administrators/67005-zimbra-0-day.html
From page 8:
"Security Fixes for 7.2.X
Release 7.2 includes several security fixes.”
Talk about an understatement. If they knew this was floating around since Feb 2013, some sort of heads-up would have been great. Maybe I just miss the announcement somewhere...
> ----- Ursprungligt meddelande -----
>> I did some more checking - I have access to a server running 8.0.4 and one
>> running 8.0.1. The one running 8.0.1 is vulnerable, while 8.0.4 is not. I
>> don't know what version it was fixed it, but presumably it was a Jetty
>> upgrade that fixed it (by rejecting any URLs with embedded null chars)
>> ----- Original Message -----
>>> Steve,
>>> Shouldn't 7071 only open to some internal network/bastion host? The
>>> quick fix probably is to tighten up the port 7071 access.
>>> I also tried to run the code on a system that has access to a test
>>> ZCS 8.0.5 server's port 7071.
>>> ruby run.rb -t testserver -u someuser -p Test123_23
>>> #########################################################################################
>>> Zimbra Email Collaboration Server 0day Exploit by rubina119
>>> #########################################################################################
>>> [+] Looking if host is vuln...
>>> The test server's log shows:
>>> 013-12-08 14:21:04,832 INFO
>>> [qtp1649104388-754965:]
>>> [ip=;ua=ZCS/8.0.5_GA_5839;] soap - GetDomainInfoRequest
>>> elapsed=2
>>> 2013-12-08 14:21:04,836 WARN
>>> [qtp1649104388-754964:,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00]
>>> [] misc - Rejecting request containing null character in query
>>> string
>>> So the request was rejected. What version of ZCS are affected by
>>> this?
>>> Xueshan
>>> ----- Original Message -----
>>>> Hi folks,
>>>> A zero day exploit for Zimbra was released on Friday. I found out
>>>> about it
>>>> late last night and spent the night trying to come up with a
>>>> temporary
>>>> workaround. The details of the exploit are here:
>>>> http://www.exploit-db.com/exploits/30085/ . Basically anyone,
>>>> through a
>>>> simple URL, can gain access to your site's localconfig.xml file
>>>> which has
>>>> all your Zimbra system passwords. From there they can create an
>>>> admin-level
>>>> account and, if port 7071 is exposed, login to the admin console.
>>>> My workaround involves adding a rewrite rule to nginx to look for
>>>> localconfig
>>>> being passed in as an argument and block it. To implement, in
>>>> /opt/zimbra/conf/nginx/templates, edit
>>>> nginx.conf.web.http.default.template
>>>> and nginx.conf.web.https.default.template and insert this inside
>>>> the
>>>> 'location' block before the 'include' statement:
>>>> if ($args ~ skin=.*localconfig) {
>>>> rewrite ^/.* / redirect;
>>>> }
>>>> This is a brute force rewrite and will actually create a redirect
>>>> loop
>>>> because it doesn't actually replace the args upon doing the
>>>> redirect, so the
>>>> URL will still match. If you're more well versed in nginx config
>>>> than I am,
>>>> feel free to refine it.
>>>> Unfortunately this workaround won't work for a single-server
>>>> install that's
>>>> not using the zimbra-proxy package. I've been messing around trying
>>>> to add a
>>>> rewrite rule to jetty.xml.in but that doesn't appear to work as the
>>>> rewrite
>>>> rule can't see the arguments - only the URL after the arguments
>>>> have been
>>>> stripped off. My only other alternative is to install and configure
>>>> the
>>>> proxy package on the existing server (which involves messing with
>>>> SSL certs
>>>> and such)
>>>> I will keep playing, but if anyone has any suggestions for
>>>> non-proxy Zimbra
>>>> installs, I'd love to hear them.
>>>> --
>>>> Steve Hillman IT Architect
>>>> hillman@sfu.ca Institutional, Collaborative, & Academic
>>>> Technologies (ICAT)
>>>> 778-782-3960 Simon Fraser University
>>> --
>>> Xueshan Feng <sfeng@stanford.edu>
>>> Technical Lead, IT Services, Stanford University
>> --
>> Steve Hillman IT Architect
>> hillman@sfu.ca Institutional, Collaborative, & Academic Technologies
>> (ICAT)
>> 778-782-3960 Simon Fraser University
> --
> Magnus Morén________________________________________________
> IT-avdelningen, Högskolan i Halmstad,Box 823,301 18 HALMSTAD
> tel: 035-167383, mob: 070-2880544, epost: magnus.moren@hh.se
Will Froning
Information Security Manager
Office of the Vice Chancellor for Finance and Administration
American University of Sharjah
Tel +971 6 515 2124
Mob +971 50 737 1599
Fax +971 6 515 2120
PO Box 26666, Sharjah
United Arab Emirates