
Reported XSS in zimbra publicly disclosed 3rd

JDunphy
Outstanding Member
Posts: 824
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.8.15_P43 RHEL8 NETWORK Edition

Re: Reported XSS in zimbra publicly disclosed 3rd

Post by JDunphy »

I don't know if this helps anyone. I won't be able to do my updates until later so wrote this quickly this morning to give us some more time here. For others, waiting for the official patch is probably more prudent.

What the script does:

0) It needs to run as root because it does a chown to zimbra, a chmod, and runs zmprov as the zimbra user, but it could all be done as the zimbra user if you fix that in the script.
1) It backs up the original 2 files.
2) It patches a few lines to escape some input.
3) It flushes the cache (no mailboxd restart is necessary) after running the script, so you are done.

I also had requested the hot fix today and it just came in as I am writing this. I was able to do a diff with that and what my script generated and it appears identical. I claim no understanding of the zimbra code but I can read diff output for the patches. ;-)

It might be useful to someone in a similar situation.

Code:

% cat /tmp/xss-zeroDay.sh 
#!/bin/sh 
#
# Run as root.
#   will flush the cache so no mailboxd restart is necessary.
#   will only patch once
# 
# patch XSS zero day ZBUG-2642 on Feb 4, 2022 as documented here: 
#   https://forums.zimbra.org/viewtopic.php?f=15&t=70382
# patch pulled from here (Jholder):
#   https://github.com/Zimbra/zm-web-client/pull/672/commits/76c23a937d2ab40cdfafad1d7a3546bfbf354704
#

multiDay=/opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/multiDay.tag
grep escapeXml $multiDay | grep -q newAppt
if [ $? -eq 1 ]; then
   # backup of original
   cp $multiDay $multiDay.bak

   echo "Applying patch to $multiDay"

# 
# Want to do this:
#     a href="${newAppt}"  
# to
#     a href="${fn:escapeXml(newAppt)}"
#
perl - $multiDay <<'__HERE__' > $multiDay.out
my $match_str = quotemeta('href="${newAppt}');
my $replace_str = 'href="${fn:escapeXml(newAppt)}';
while (<>) {
      s/$match_str/$replace_str/g;
      print $_;
}
__HERE__

   #
   if [ -s $multiDay.out ]; then
      mv $multiDay.out $multiDay 
      chown zimbra:zimbra $multiDay
      chmod 644 $multiDay
      echo "flushing cache... no mailbox restart required"
      su - zimbra -c "zmprov fc -a all"
   fi

else
  echo "nothing to patch"
fi

# -------- monthView.tag --------------
monthView=/opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/monthView.tag
grep monthZoomUrl $monthView | grep escapeXml | grep -q dayClick
if [ $? -eq 1 ]; then
   # backup of original
   cp $monthView $monthView.bak

   echo "Applying patch to $monthView"

# 
# Want to do this:
#    ${monthZoomUrl}
# to
#    ${fn:escapeXml(monthZoomUrl)}
perl - $monthView <<'__HERE__' > $monthView.out
my $match_str = quotemeta('${monthZoomUrl}');
my $replace_str = '${fn:escapeXml(monthZoomUrl)}';
while (<>) {
      s/$match_str/$replace_str/g;
      print $_;
}
__HERE__

   #
   if [ -s $monthView.out ]; then
      mv $monthView.out $monthView 
      chown zimbra:zimbra $monthView
      chmod 644 $monthView
      echo "flushing cache... no mailbox restart required"
      su - zimbra -c "zmprov fc -a all"
   fi

else
  echo "nothing to patch"
fi
I feel a little uneasy about putting the patch in this format and will take no offense if the board moderators remove this post.

Jim
oetiker
Outstanding Member
Posts: 242
Joined: Fri Mar 07, 2014 1:05 pm
Location: Switzerland
ZCS/ZD Version: Release 9.0.0.GA.3924.UBUNTU18.64 U

Re: Reported XSS in zimbra publicly disclosed 3rd

Post by oetiker »

apt-get upgrade gets some new patches from Zimbra.
That's probably the fix for the XSS.

Get:1 https://repo.zimbra.com/apt/8815 bionic/zimbra amd64 zimbra-mbox-webclient-war amd64 8.8.15.1643976867-1.u18 [21.7 MB]
Get:2 https://repo.zimbra.com/apt/8815 bionic/zimbra amd64 zimbra-patch amd64 8.8.15.1643980846.p30-1.u18 [32.2 MB]

I received two files from Zimbra support:

monthView.tag
multiDay.tag

That's the difference from the latest release without the above patches applied... after applying them there is no difference ...

Code:

# diff /opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/monthView.tag /local-home/moetiker_adm/monthView.tag 
127c127
<                                     <td width="11%" onclick='javascript:dayClick(event, "${monthZoomUrl}");' class='ZhCalMonthDay${currentDay.timeInMillis eq date.timeInMillis ? 'Selected':''}'>
---
>                                     <td width="11%" onclick='javascript:dayClick(event, "${fn:escapeXml(monthZoomUrl)}");' class='ZhCalMonthDay${currentDay.timeInMillis eq date.timeInMillis ? 'Selected':''}'>

Code:

# diff /opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/multiDay.tag /local-home/moetiker_adm/multiDay.tag
294c294
<                                 <c:if test="${not print}"><a href="${newAppt}"></c:if><fmt:formatDate value="${row.date}" type="time" timeStyle="short"/>
---
>                                 <c:if test="${not print}"><a href="${fn:escapeXml(newAppt)}"></c:if><fmt:formatDate value="${row.date}" type="time" timeStyle="short"/>
453c453
<                             <c:if test="${not print}"><a href="${newAppt}"></c:if><fmt:formatDate value="${row.date}" type="time" timeStyle="short"/>
---
>                             <c:if test="${not print}"><a href="${fn:escapeXml(newAppt)}"></c:if><fmt:formatDate value="${row.date}" type="time" timeStyle="short"/>
andreaswolske
Posts: 35
Joined: Tue Nov 26, 2013 11:24 am
Location: Berlin
ZCS/ZD Version: Release 8.8.15_GA_3829.RHEL7_64_201

Re: Reported XSS in zimbra publicly disclosed 3rd

Post by andreaswolske »

Good Morning

I can confirm that as of now (12:20 AM CET) the current patches provided by Zimbra contain the fixes for

Code:

/opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/multiDay.tag
/opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/monthView.tag
for Versions 8.8.15 and 9. It's the same changes as in https://github.com/Zimbra/zm-web-client ... bfbf354704

Also Jim Dunphy's Script: viewtopic.php?f=15&t=70382&start=20#p303866 works for outdated 8.7.11 or 8.8.12 installations as well.
You just have to replace the files which are to be found in /opt/zimbra/jetty/webapps/zimbra/WEB-INF/tags/calendar/
Thank you very much Jim. You've made my day!

In case this helps anyone, here's my modification of Jim's script to apply the patch on older versions of ZCS (8.7.11):

Code:

#!/bin/bash
#
# Run as root.
#   will flush the cache so no mailboxd restart is necessary.
#   will only patch once
#
# patch XSS zero day ZBUG-2642 on Feb 4, 2022 as documented here:
#   https://forums.zimbra.org/viewtopic.php?f=15&t=70382
#
# patch pulled from here (Jholder):
#   https://github.com/Zimbra/zm-web-client/pull/672/commits/76c23a937d2ab40cdfafad1d7a3546bfbf354704
#
# - it needs to run as root because it does a chown to zimbra, a chmod, and runs zmprov as the zimbra user, but it could all be done as the zimbra user if you fix that in the script.
# - it backs up the original 2 files
# - it patches a few lines to escape some input
# - it flushes the cache (no mailboxd restart is necessary) after running the script, so you are done
#
# affected files in ZCS 8.8.15 and 9.: 
#
# /opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/multiDay.tag
# /opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/monthView.tag
#
# affected files in ZCS 8.7.11: 
# 
# /opt/zimbra/jetty/webapps/zimbra/WEB-INF/tags/calendar/multiDay.tag
# /opt/zimbra/jetty/webapps/zimbra/WEB-INF/tags/calendar/monthView.tag
#

# Run as root

clear

# check the effective uid rather than $USER, which is not reliably set under su/cron
[ "$(id -u)" -eq 0 ] || { echo "Run me as the root user" ; exit 1; }

# -------- multiDay.tag --------------

# ZCS 8.7.11
multiDay=/opt/zimbra/jetty/webapps/zimbra/WEB-INF/tags/calendar/multiDay.tag

# ZCS 8.8.15
# multiDay=/opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/multiDay.tag



grep escapeXml $multiDay | grep -q newAppt

if [ $? -eq 1 ]; then
   # backup of original
   cp $multiDay $multiDay.bak

   echo "Applying patch to $multiDay"

#
# Want to do this:
#     a href="${newAppt}" 
# to
#     a href="${fn:escapeXml(newAppt)}"
#

perl - $multiDay <<'__HERE__' > $multiDay.out
my $match_str = quotemeta('href="${newAppt}');
my $replace_str = 'href="${fn:escapeXml(newAppt)}';
while (<>) {
      s/$match_str/$replace_str/g;
      print $_;
}
__HERE__

   #
   if [ -s $multiDay.out ]; then
      mv $multiDay.out $multiDay
      chown zimbra:zimbra $multiDay
      chmod 644 $multiDay
      echo "flushing cache... no mailbox restart required"
      su - zimbra -c "zmprov fc all"
   fi

else
  echo "nothing to patch"
fi

# -------- monthView.tag --------------

# ZCS 8.7.11
monthView=/opt/zimbra/jetty/webapps/zimbra/WEB-INF/tags/calendar/monthView.tag

# ZCS 8.8.15
# monthView=/opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/tags/calendar/monthView.tag

grep monthZoomUrl $monthView | grep escapeXml | grep -q dayClick

if [ $? -eq 1 ]; then

   # backup of original
   cp $monthView $monthView.bak

   echo "Applying patch to $monthView"

#
# Want to do this:
#    ${monthZoomUrl}
# to
#    ${fn:escapeXml(monthZoomUrl)}
#

perl - $monthView <<'__HERE__' > $monthView.out
my $match_str = quotemeta('${monthZoomUrl}');
my $replace_str = '${fn:escapeXml(monthZoomUrl)}';
while (<>) {
      s/$match_str/$replace_str/g;
      print $_;
}
__HERE__

   #
   if [ -s $monthView.out ]; then
      mv $monthView.out $monthView
      chown zimbra:zimbra $monthView
      chmod 644 $monthView
      echo "flushing cache... no mailbox restart required"
      su - zimbra -c "zmprov fc all"
   fi

else
  echo "nothing to patch"
fi

#
# EOF
#
ghen
Advanced member
Posts: 192
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 8.8.15

Re: Reported XSS in zimbra publicly disclosed 3rd

Post by ghen »

jholder wrote:
Looks like the attack can somehow circumvent Zimbra's CRSF tokens, which they implement exactly to prevent this kind of XSS attacks...
There is a little wiggle room on the definition of cross site. In this particular instance, it's not actually a cross site attack. The link comes from a specially crafted link in the email, which is on the site. That JS can then do bad things to transmit to a remote source. It's called XSS because the request goes outbound to another site. It's about 50% javascript injection and 50% cross site. So CSRF doesn't flag it.
Thanks John, this is helpful.

One more question on this and the Secure HTTP headers: could a CSP (Content Security Policy) have helped here? As I understand it, in theory CSP can prevent such Javascript injection, however the classic Zimbra UI in 8.8.15 makes heavy use of inline javascript - which CSP discourages - so you would unfortunately not be able to deploy a very strict policy on Zimbra.

CSP has been requested by customers for many years (e.g. in the bugtracker and here on the forum), but has not been provided so far. The Security wiki mentions the topic, but does not provide an actual policy either.
jeastman
Zimbra Employee
Posts: 76
Joined: Tue Mar 29, 2016 1:36 pm

Re: Reported XSS in zimbra publicly disclosed 3rd

Post by jeastman »

The Security wiki mentions the topic, but does not provide an actual policy either.
Thank you ghen for pointing this out. I will see if I can at least get better steps and maybe some examples added to that.
John Eastman
rainer_d
Advanced member
Posts: 74
Joined: Fri Sep 12, 2014 11:40 pm

Re: Reported XSS in zimbra publicly disclosed 3rd

Post by rainer_d »

So, the current incarnation of P30 is the one to install, the "real" fix will be P31?

Or will you re-roll P30 once more?

I only heard of this on Saturday evening, via the mail I got from the blog....
jholder
Ambassador
Posts: 4824
Joined: Fri Sep 12, 2014 10:00 pm

Re: Reported XSS in zimbra publicly disclosed 3rd

Post by jholder »

rainer_d wrote: So, the current incarnation of P30 is the one to install, the "real" fix will be P31?

Or will you re-roll P30 once more?

I only heard of this on Saturday evening, via the mail I got from the blog....
The patch itself was updated with the changes. So if you've already installed the patch, then using the reinstall switch from your package manager for the package name zimbra-patch will install the updated P30.
P31 will also include this particular fix. If there's any issue, you may use the above script to fix the particular files without patch 30.
ghen
Advanced member
Posts: 192
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 8.8.15

Re: Reported XSS in zimbra publicly disclosed 3rd

Post by ghen »

I think this will cause confusion, as there's now both a vulnerable P30 and a fixed one. The original report said 8.8.15 P30 is vulnerable, what will the upcoming CVE refer to, 8.8.15 P30 as vulnerable or fixed? Better just call this P31 ?
oetiker
Outstanding Member
Posts: 242
Joined: Fri Mar 07, 2014 1:05 pm
Location: Switzerland
ZCS/ZD Version: Release 9.0.0.GA.3924.UBUNTU18.64 U

Re: Reported XSS in zimbra publicly disclosed 3rd

Post by oetiker »

Hi

there is still no "official" announcement from Zimbra ... about the XSS bug ...

I think that's not how it should be .... !
maxxer
Outstanding Member
Posts: 224
Joined: Fri Oct 04, 2013 2:12 am

Re: Reported XSS in zimbra publicly disclosed 3rd

Post by maxxer »

The files mentioned in the patches do exist in 9.0 NE.