I'm working on an issue related to CBPolicyd under a specific condition. Basically, if your credentials are stolen but you have 2FA active on your account, a SendMsgRequest is still possible, even though it returns an error.
The problem is that CBPolicyd sees it as authenticated relay mail (from outside to outside) with saslUsername="". It is a "mixed" condition: it should be seen as outbound mail (from inside to outside) with saslUsername="".
We traced that problem to the incomplete authentication that happens when a SendMsgRequest is made with only the main credential but not the 2FA.
To test it, I'm trying to reproduce the attack with curl in a test environment.
I'm able to reproduce the authentication but can't make the SendMsgRequest work (for now without 2FA):
curl -d @/tmp/auth.xml http://zimbra.mydomain.com/service/soap
where /tmp/auth.xml contains:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<context xmlns="urn:zimbra">
<session format="DEFAULT"/>
<userAgent name="zclient" version="9.0.0_GA_3962"/>
<authTokenControl voidOnExpired="0"/>
</context>
</soap:Header>
<soap:Body>
<AuthRequest deviceTrusted="0" csrfTokenSecured="1" xmlns="urn:zimbraAccount">
<account by="name">username@mydomain.com</account>
<password>myPassword</password>
<prefs/>
<attrs/>
</AuthRequest>
</soap:Body>
</soap:Envelope>
Response:
[...]
<authToken>0_88b86d36d527cdf6c253186772dac07d059538f4_69643d33363a32663862653733332d303533352d343739302d393162322d6634643738356466333466303b6578703d31333a313630313633313634363132323b747970653d363a7a696d6272613b753d313a613b7469643d31303a313139303338353433313b76657273696f6e3d31333a392e302e305f47415f333932343b637372663d313a313b</authToken>
[...]
This is how I try to send:
curl -d @/tmp/send.xml http://zimbra.mydomain.com/service/soap
where /tmp/send.xml contains:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<context xmlns="urn:zimbra">
<userAgent name="zclient" version="9.0.0_GA_3962"/>
<authToken>0_88b86d36d527cdf6c253186772dac07d059538f4_69643d33363a32663862653733332d303533352d343739302d393162322d6634643738356466333466303b6578703d31333a313630313633313634363132323b747970653d363a7a696d6272613b753d313a613b7469643d31303a313139303338353433313b76657273696f6e3d31333a392e302e305f47415f333932343b637372663d313a313b</authToken>
<session id="14">14</session>
</context>
</soap:Header>
<soap:Body>
<SendMsgRequest >
<m f="username@mydomain.com" >
<e t="t" a="recipient@anotherdomain.com" p="recipyent" add="1" />
<su>test</su>
<mp ct="text/html">
<content>\u003Chtml\u003E\u003Cbody\u003E\u003Cdiv style=\"font-family: arial, helvetica, sans-serif; font-size: 12pt; color: #000000\"\u003E\u003Cdiv\u003Etest\u003C/div\u003E\u003C/div\u003E\u003C/body\u003E\u003C/html\u003E</content>
</mp>
</m>
</SendMsgRequest>
</soap:Body>
</soap:Envelope>
Response:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<context xmlns="urn:zimbra">
<change token="580"/>
</context>
</soap:Header>
<soap:Body>
<soap:Fault>
<soap:Code>
<soap:Value>soap:Sender</soap:Value>
</soap:Code>
<soap:Reason>
<soap:Text>unknown document: SendMsgRequest</soap:Text>
</soap:Reason>
<soap:Detail>
<Error xmlns="urn:zimbra">
<Code>service.UNKNOWN_DOCUMENT</Code>
<Trace>qtp366590980-38458:1601888748834:5dedb18acd85b479</Trace>
</Error>
</soap:Detail>
</soap:Fault>
</soap:Body>
</soap:Envelope>
The content is taken from a mailbox.log in which I've added an account logger to a user to see the SOAP content of the calls.
Can someone point me in the right direction for composing the XML? I'm a total newbie at it.
The API reference is complete but at the same time confusing for these simple things.
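As an added example that is not part of the post above (and not Zimbra's own code): the fault `service.UNKNOWN_DOCUMENT` / `unknown document: SendMsgRequest` is what Zimbra returns when the request element is not in its service namespace; AuthRequest belongs to `urn:zimbraAccount` and SendMsgRequest to `urn:zimbraMail`. The Python below builds envelopes with the right namespace, converts the `\u003C`-style escapes copied from mailbox.log into XML-safe text, and parses a response into either a fault code or an auth token; the sample responses are constructed and the function names are mine.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
NS = {"soap": SOAP_NS, "z": "urn:zimbra"}
# Every Zimbra request element lives in its service's namespace; a request sent
# without it is rejected with service.UNKNOWN_DOCUMENT, as in the fault above.
REQUEST_NS = {"AuthRequest": "urn:zimbraAccount", "SendMsgRequest": "urn:zimbraMail"}

def build_envelope(request_name, body_xml, auth_token=None):
    """Wrap a request body in a SOAP 1.2 envelope with a urn:zimbra context header."""
    token = f"<authToken>{escape(auth_token)}</authToken>" if auth_token else ""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}">'
            f'<soap:Header><context xmlns="urn:zimbra">{token}</context></soap:Header>'
            f'<soap:Body><{request_name} xmlns="{REQUEST_NS[request_name]}">'
            f"{body_xml}</{request_name}></soap:Body></soap:Envelope>")

def log_content_to_xml(log_text):
    """Turn the \\u003C-style escapes copied from mailbox.log into XML-safe text."""
    raw = log_text.encode("latin-1", "backslashreplace").decode("unicode_escape")
    return escape(raw)

def parse_response(xml_text):
    """Return ("fault", errorCode) for a soap:Fault, else ("ok", authToken or None)."""
    root = ET.fromstring(xml_text)
    fault = root.find("soap:Body/soap:Fault", NS)
    if fault is not None:
        return ("fault", fault.findtext("soap:Detail/z:Error/z:Code", "", NS))
    tok = root.find(".//{urn:zimbraAccount}authToken")
    return ("ok", tok.text if tok is not None else None)

# Constructed samples: the fault mirrors the one in the post, the AuthResponse is a
# minimal stand-in with a placeholder token.
FAULT_RESPONSE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body><soap:Fault>
<soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code>
<soap:Reason><soap:Text>unknown document: SendMsgRequest</soap:Text></soap:Reason>
<soap:Detail><Error xmlns="urn:zimbra"><Code>service.UNKNOWN_DOCUMENT</Code></Error></soap:Detail>
</soap:Fault></soap:Body></soap:Envelope>"""
AUTH_RESPONSE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>
<AuthResponse xmlns="urn:zimbraAccount"><authToken>0_constructed_token</authToken></AuthResponse>
</soap:Body></soap:Envelope>"""

if __name__ == "__main__":
    print(parse_response(FAULT_RESPONSE))   # ('fault', 'service.UNKNOWN_DOCUMENT')
    print(parse_response(AUTH_RESPONSE))    # ('ok', '0_constructed_token')
    print(build_envelope("SendMsgRequest", "<m><su>test</su></m>", "TOKEN"))
```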