Thread: Security Guidance for reported "0day Exploit"

  1. #1
    tonster, Zimbra Employee (Ypsilanti, MI)

    Security Guidance for reported "0day Exploit"

    A reported "0day Exploit" was posted on Twitter on Friday, December 06, 2013. However, please note: Zimbra has previously released a fix for this security bug.

    Release Info:
    This vulnerability was identified in Feb 2013, and a fix released by Zimbra in Feb 2013. The bug number was the following (note: it is locked, so the full details are not currently public):

    Vulnerability about skin/branding feature, sensitive information can be retrieved
    Fixed: 7.2.2 Patch 2, 7.2.3, 8.0.2 Patch 1, 8.0.3

    A notification for this issue was published to the Zimbra Support Portal on Feb 26, 2013:
    Also, a notification was included in these Release Notes:

    8.0.2 Patch 1: - February 19, 2013: Patch 8.0.2 P1 patch fixes the following bug: Bug 80338 Security Fix
    7.2.2 Patch 2: - February 19, 2013: Patch 7.2.2 P2 patch fixes the following bug: Bug 80338 Security Fix

    ZCS7 Customers:
    ZCS7 Customers should upgrade to 7.2.2 Patch 2 or later (7.2.5 is the latest, and 7.2.6 will be released in the near future). Customers running these versions should not be vulnerable.

    ZCS8 Customers:
    ZCS8 Customers should upgrade to 8.0.2 Patch 1 or later (8.0.5 is the latest, and 8.0.6 will be released in the near future). Customers running these versions should not be vulnerable.

    If using Nginx or other proxy, you could use a configuration like the following to some effect:

    You need to add the below 3 lines to

    # reject any raw ".." in the request URI
    if ($request_uri ~ "\.\.") {
        return 404;
    }
    # reject the URL-encoded form (%2e%2e) as well
    if ($request_uri ~ "\%2[eE]\%2[eE]") {
        return 404;
    }

    Then run:

    $ zmproxyconfgen
    $ zmproxyctl restart

    Published Exploit:

    Originally posted to Twitter:

    Zimbra - 0day exploit / Privilege escalation via LFI

    # Exploit Title: Zimbra 0day exploit / Privilege escalation via LFI
    # Date: 06 Dec 2013
    # Exploit Author: rubina119
    # Contact Email : rubina119[at]
    # Vendor Homepage: Zimbra offers Open Source email server software and shared calendar for Linux and the Mac.
    # Version: 2009, 2010, 2011, 2012 and early 2013 versions are affected,
    # Tested on: Centos(x), Ubuntu.
    # CVE : No CVE, no patch just 0Day
    # State : Critical

    # Mirror:


    This script exploits a Local File Inclusion in
    /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx %20TemplateMsg.js.zgz
    which allows us to see localconfig.xml,
    which contains LDAP root credentials, which allow us to make requests to the
    /service/admin/soap API with the stolen LDAP credentials to create a user
    with administration privileges
    and gain access to the Administration Console.

    LFI is located at :
    /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx %20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00

    Example :,ZmKeys,Zd...


    Before using this exploit, the target server must have the admin console port
    "7071" open, otherwise it won't work.

    Use the exploit like this:
    ruby run.rb -t -u someuser -p Test123_23
    [*] Looking if host is vuln....
    [+] Host is vuln exploiting...
    [+] Obtaining Domain Name
    [+] Creating Account
    [+] Elevating Privileges
    [+] Login Credentials
    [*] Login URL :
    [*] Account :
    [*] Password : Test123_23
    [+] Successfully Exploited !

    The number of vulnerable servers is huge, like 80/100.
    This is only for educational purposes.

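As an added example (not from the original post, and not Zimbra's own code), the following Python mirrors the two nginx request-URI rules from the guidance above and runs them over a few constructed access-log lines, so an administrator can tell which traversal attempts against the res/ endpoint reached the webapp (status 200) before the proxy rule was in place; the Common Log Format, the function names and the sample lines are assumptions.

```python
import re

# Constructed sample access-log lines (Common Log Format, not from the post).
# Line 2 reproduces the published traversal URL; line 3 is an encoded variant.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Dec/2013:10:01:02 +0000] "GET /zimbra/ HTTP/1.1" 200 512
10.0.0.9 - - [07/Dec/2013:10:01:05 +0000] "GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 HTTP/1.1" 200 8812
10.0.0.9 - - [07/Dec/2013:10:01:09 +0000] "GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=1&skin=%2e%2e%2F%2e%2e%2Fopt%2Fzimbra%2Fconf%2Flocalconfig.xml HTTP/1.1" 404 162
10.0.0.7 - - [07/Dec/2013:10:02:11 +0000] "GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=harmony HTTP/1.1" 200 8812
"""

# "dotdot" and "encoded_dotdot" are exactly the two nginx rules above;
# "null_byte" is an extra indicator taken from the published URL.
INDICATORS = {
    "dotdot": re.compile(r"\.\."),
    "encoded_dotdot": re.compile(r"%2[eE]%2[eE]"),
    "null_byte": re.compile(r"%00"),
}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<uri>\S+) [^"]+" (?P<status>\d{3}) \S+')


def nginx_would_block(request_uri):
    """True if the two proxy rules above would return 404 for this raw URI."""
    return any(INDICATORS[k].search(request_uri)
               for k in ("dotdot", "encoded_dotdot"))


def scan_log(text):
    """One record per request carrying a traversal indicator.  A status of
    200 on a flagged /res/...skin= request means it reached the webapp, so
    treat it as a possible localconfig.xml disclosure to that client IP."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not match the assumed log format
        uri = m.group("uri")
        found = [name for name, rx in INDICATORS.items() if rx.search(uri)]
        if found:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
                "indicators": found,
                "skin_traversal": uri.startswith("/res/") and "skin=" in uri,
                "blocked_by_proxy_rule": nginx_would_block(uri),
            })
    return hits
```

A flagged request with status 200 and "skin_traversal" set is the one to follow up on (rotate the LDAP credentials in localconfig.xml and audit admin accounts created afterwards); a 404 shows the proxy rule did its job.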
  2. #2
    thom, Zimbra Employee

    Note: there is some additional information here on Investigating and Securing Systems at risk of this exploit:
