Zimbra suffers from a local file inclusion vulnerability that allows for privilege escalation.
2659a0a1825bb2dd6a41d50e5742d79152cff966d71b0b2cf147ea01d1e3ecdb
This Metasploit module creates a .tar file that can be emailed to a Zimbra server to exploit CVE-2022-41352. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in the cpio command-line utility that can extract an arbitrary file to an arbitrary location on a Linux system (CVE-2015-1197). Most Linux distros have chosen not to fix it. This issue is exploitable on Red Hat-based systems (and other hosts without pax installed) running Zimbra Collaboration Suite versions 9.0.0 Patch 26 and below or 8.8.15 Patch 33 and below.
ce92bc8cd0b896bbf1bbebcee5677a9a8619813aaba32b6be0cfc98fba18d5b5
This Metasploit module exploits a vulnerable sudo configuration that permits the Zimbra user to execute postfix as root. In turn, postfix can execute arbitrary shell scripts, which means it can execute a root shell.
60ec0dcab5b58dbebac7ed6c99c5cf1fb52f76e5b1a5f3723089e823fc252948
This Metasploit module POSTs a ZIP file containing path traversal characters to the administrator interface for Zimbra Collaboration Suite. If successful, it plants a JSP-based backdoor within the web directory, then executes it. The core vulnerability is a path traversal issue in Zimbra Collaboration Suite's ZIP implementation that can result in the extraction of an arbitrary file to an arbitrary location on the host. This issue is exploitable on Zimbra Collaboration Suite Network Edition versions 9.0.0 Patch 23 and below as well as Zimbra Collaboration Suite Network Edition versions 8.8.15 Patch 30 and below.
d58f4c7d7dbb0ee3b34e5a5a98ecaa59aa1118d324973a875b3ee85a53d569d4
This Metasploit module exploits CVE-2022-37393, a vulnerability in Zimbra's sudo configuration that permits the zimbra user to execute the zmslapd binary as root with arbitrary parameters. As part of its intended functionality, zmslapd can load a user-defined configuration file. That file can include plugins in the form of .so files, which also execute as root.
1f2fa01d64e190544e661f442158ebf1f08cb719c08299334a3fc484cc386cd2
This Metasploit module creates a RAR file that can be emailed to a Zimbra server to exploit CVE-2022-30333. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in unRAR that can extract an arbitrary file to an arbitrary location on a Linux system. This issue is exploitable on Zimbra Collaboration versions 9.0.0 Patch 24 and below and 8.8.15 Patch 31 and below provided that UnRAR versions 6.11 or below are installed.
ca0f5b8e2038241415fba603b901534752f2529d4c8d1c1134f97e76d1935fef
Zimbra versions prior to 8.8.1 suffer from XML external entity injection and server-side request forgery vulnerabilities.
5f571a6a39f531a4a48af566d93ea2aaaffc8482dbc9a55720ab00c474665b7f
This Metasploit module exploits an XML external entity vulnerability and a server-side request forgery to get unauthenticated code execution on Zimbra Collaboration Suite. The XML external entity vulnerability in the Autodiscover Servlet is used to read a Zimbra configuration file that contains an LDAP password for the zimbra account. The zimbra credentials are then used to get a user authentication cookie with an AuthRequest message. Using the user cookie, a server-side request forgery in the Proxy Servlet is used to proxy an AuthRequest with the zimbra credentials to the admin port to retrieve an admin cookie. After gaining an admin cookie, the Client Upload servlet is used to upload a JSP webshell that can be triggered from the web server to get command execution on the host. The issues reportedly affect Zimbra Collaboration Suite v8.5 to v8.7.11. This module was tested with Zimbra Release 8.7.1.GA.1670.UBUNTU16.64 UBUNTU16_64 FOSS edition.
811a4794f58646f39b0ef372b6e8f37324c45d3730bba6e1b7ae12049671f517
Zimbra Collaboration versions prior to 8.8.11 suffer from multiple cross-site scripting vulnerabilities.
340817ae0c4914371a3c4ee32c11d7a57a8ec9af6a02b7f0421ea60f244140d3
Zimbra version 8.6.0_GA_1153 build 20141215151110 suffers from a cross-site scripting vulnerability.
d898daadf582a38f3d9ad96d88ffd82042540818e7916f7cfa0ad3420b97b593
Zimbra Collaboration Suite version 8.7.11_GA_1854 suffers from a cross-site scripting vulnerability.
099f87fddf07da704f9a67a7b4979ce0266914e76497434c8d04de08bbcff92a
Zimbra Collaboration Suite suffers from a stored cross-site scripting vulnerability.
8ea1a03a00eab878b2a7f5d03ce28e7d1814483b6a385bf2eceb87b2f4a48b0f
Zimbra versions prior to 8.7 suffer from cross-site request forgery vulnerabilities in the administrative interface.
d6689d77ee727b28e003d53bf04a4ea2dd4a9bd53747584c37e1020955d450ec
Zimbra versions 8.0.9 GA and below suffer from a cross-site request forgery vulnerability.
0da0fe882cf7354bdf4be9e8dafb2bb44b40c75b431e52698d358584cb94db05
This Metasploit module exploits a local file inclusion on Zimbra 8.0.2 and 7.2.2. The vulnerability allows an attacker to get the LDAP credentials from the localconfig.xml file. The stolen credentials allow the attacker to make requests to the service/admin/soap API. This can then be used to create an authentication token for the admin web interface. This access can be used to achieve remote code execution. This Metasploit module has been tested on Zimbra Collaboration Server 8.0.2 with Ubuntu Server 12.04.
e41cf490ab9469ce31ade3e3bc8198d90c941e76e3bd760f92078a0dc9e99472
Zimbra suffers from a cross-site scripting vulnerability.
b534530689f785692a60731e55dc74aaf1a602ded07a74607fd4cce8d34e831c