frack113
38 lines
1.2 KiB
YAML
38 lines
1.2 KiB
YAML
title: Zimbra Collaboration Suite Email Server Unauthenticated RCE
|
|
id: dd218fb6-4d02-42dc-85f0-a0a376072efd
|
|
status: experimental
|
|
description: Detects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection
|
|
references:
|
|
- https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/
|
|
- https://www.yang99.top/index.php/archives/82/
|
|
- https://github.com/vnhacker1337/CVE-2022-27925-PoC
|
|
author: '@gott_cyber'
|
|
date: 2022/08/17
|
|
modified: 2023/01/02
|
|
tags:
|
|
- attack.initial_access
|
|
- attack.t1190
|
|
- cve.2022.27925
|
|
logsource:
|
|
category: webserver
|
|
detection:
|
|
selection_servlet:
|
|
cs-method: 'POST'
|
|
cs-uri-query|contains: '/service/extension/backup/mboximport\?'
|
|
cs-uri-query|contains|all:
|
|
- 'account-name'
|
|
- 'ow'
|
|
- 'no-switch'
|
|
- 'append'
|
|
sc-status:
|
|
- 401
|
|
- 200
|
|
selection_shell:
|
|
cs-uri-query|contains: '/zimbraAdmin/'
|
|
cs-uri-query|endswith: '.jsp'
|
|
sc-status|contains: '200'
|
|
condition: selection_servlet or selection_shell
|
|
falsepositives:
|
|
- Unknown
|
|
level: medium
|