
Re: Zimbra zero-day exploit



Steve,

Shouldn't 7071 only open to some internal network/bastion host? The quick fix probably is to tighten up the port 7071 access.

I also tried to run the code on a system that has access to a test ZCS 8.0.5 server's port 7071.  

ruby run.rb -t testserver  -u someuser -p Test123_23

#########################################################################################
Zimbra Email Collaboration Server 0day Exploit by rubina119
#########################################################################################


[+] Looking if host is vuln...


The test server's log shows:

2013-12-08 14:21:04,832 INFO  [qtp1649104388-754965:https://127.0.0.1:7071/service/admin/soap/GetDomainInfoRequest] [ip=127.0.0.1;ua=ZCS/8.0.5_GA_5839;] soap - GetDomainInfoRequest elapsed=2
2013-12-08 14:21:04,836 WARN  [qtp1649104388-754964:https://171.67.219.153:7071/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00] [] misc - Rejecting request containing null character in query string


So the request was rejected. What version of ZCS are affected by this? 

Xueshan

----- Original Message -----
> Hi folks,
> A zero day exploit for Zimbra was released on Friday. I found out about it
> late last night and spent the night trying to come up with a temporary
> workaround. The details of the exploit are here:
> http://www.exploit-db.com/exploits/30085/ . Basically anyone, through a
> simple URL, can gain access to your site's localconfig.xml file which has
> all your Zimbra system passwords. From there they can create an admin-level
> account and, if port 7071 is exposed, login to the admin console.
> 
> 
> My workaround involves adding a rewrite rule to nginx to look for localconfig
> being passed in as an argument and block it. To implement, in
> /opt/zimbra/conf/nginx/templates, edit nginx.conf.web.http.default.template
> and nginx.conf.web.https.default.template and insert this inside the
> 'location' block before the 'include' statement:
> 
> 
> 
> if ($args ~ skin=.*localconfig) {
> rewrite ^/.* / redirect;
> }
> 
> 
> This is a brute force rewrite and will actually create a redirect loop
> because it doesn't actually replace the args upon doing the redirect, so the
> URL will still match. If you're more well versed in nginx config than I am,
> feel free to refine it.
> 
> 
> Unfortunately this workaround won't work for a single-server install that's
> not using the zimbra-proxy package. I've been messing around trying to add a
> rewrite rule to jetty.xml.in but that doesn't appear to work as the rewrite
> rule can't see the arguments - only the URL after the arguments have been
> stripped off. My only other alternative is to install and configure the
> proxy package on the existing server (which involves messing with SSL certs
> and such)
> 
> 
> I will keep playing, but if anyone has any suggestions for non-proxy Zimbra
> installs, I'd love to hear them.
> 
> --
> 
> Steve Hillman IT Architect
> hillman@sfu.ca Institutional, Collaborative, & Academic Technologies (ICAT)
> 778-782-3960 Simon Fraser University
> 
> 

-- 

Xueshan Feng <sfeng@stanford.edu>
Technical Lead, IT Services, Stanford University
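As an added example (not part of this thread or of Zimbra), here is a small detection pass over mailbox.log-style lines for the request pattern discussed above: a `skin` query parameter carrying `../` traversal, the name `localconfig.xml`, or a null byte. The line format is inferred from the excerpt Xueshan quoted; the sample lines below are constructed (documentation-range addresses, no real hosts), and the function and field names are my own.

```python
"""Flag Zimbra mailbox.log lines whose query string shows the
localconfig.xml traversal pattern (added example, not Zimbra code)."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines shaped like the mailbox.log excerpt in the thread.
# 192.0.2.0/24 is documentation address space; nothing here is a real server.
SAMPLE_LOG = """\
2013-12-08 14:21:04,832 INFO  [qtp1649104388-754965:https://127.0.0.1:7071/service/admin/soap/GetDomainInfoRequest] [ip=127.0.0.1;ua=ZCS/8.0.5_GA_5839;] soap - GetDomainInfoRequest elapsed=2
2013-12-08 14:21:04,836 WARN  [qtp1649104388-754964:https://192.0.2.44:7071/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00] [] misc - Rejecting request containing null character in query string
2013-12-08 14:25:11,002 INFO  [qtp1649104388-754970:https://192.0.2.44:7071/res/I18nMsg,AjxMsg.js.zgz?v=091214175450&skin=harmony] [] misc - request ok
"""

# timestamp, level, jetty thread name, then the request URL inside the brackets
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>\w+)\s+"
    r"\[(?P<thread>[^:\]]+):(?P<url>https?://[^\]\s]+)\]"
)

# Files whose name in any query value is worth an alert (assumed list).
SENSITIVE_FILES = ("localconfig.xml",)


def classify_query(query):
    """Return a set of tags describing why a query string looks hostile.

    parse_qsl percent-decodes values, so '%00' becomes a real NUL and
    encoded traversal sequences are compared in decoded form, unlike a
    raw-$args regex in nginx.
    """
    tags = set()
    for _name, value in parse_qsl(query, keep_blank_values=True):
        if "\x00" in value:
            tags.add("null-byte")
        if re.search(r"(^|/)\.\.(/|$)", value) or "..\\" in value:
            tags.add("traversal")
        if any(f in value.lower() for f in SENSITIVE_FILES):
            tags.add("sensitive-file")
    return tags


def scan(log_text):
    """Parse each line, split out the URL, and report lines with findings."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a request URL carry nothing to inspect
        parts = urlsplit(m.group("url"))
        tags = classify_query(parts.query)
        if tags:
            findings.append({
                "ts": m.group("ts"),
                "server": parts.hostname,   # listener address, not the client
                "path": parts.path,
                "tags": sorted(tags),
                # 8.0.5 logged a rejection for the NUL variant; record that
                "rejected": "Rejecting request" in line,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["server"], f["path"], ",".join(f["tags"]),
              "rejected" if f["rejected"] else "served")
```

The check runs on decoded parameter values, so it still fires when the server (as in the 8.0.5 log above) rejected the request because of the null byte; a rejected probe is still an attempt worth alerting on. On the nginx side, a `return 403;` inside the matching block avoids the redirect loop Steve describes, since nothing is redirected back to the same URL.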