Attacker managed to upload files into Web Client directory

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
barrydegraaff
Zimbra Employee
Posts: 242
Joined: Tue Jun 17, 2014 3:31 am

Re: Attacker managed to upload files into Web Client directory

Post by barrydegraaff »

Yes, we have posted it on the blog just now, and we will also send it out via the newsletter etc.
--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/
ghen
Outstanding Member
Posts: 258
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium
ZCS/ZD Version: 9.0.0

Re: Attacker managed to upload files into Web Client directory

Post by ghen »

Barry,

Would Zimbra consider (or support) running different components as different users, instead of running everything as "zimbra"?

This would prevent such cross-exploitation between different components on a single server, like from amavisd to mailboxd etc. There is no reason amavisd should be able to write in jetty webroot for example...
(I don't think the webroot should be writable at all btw, even for jetty itself, see ZBUG-2975.)

Large deployments can avoid this by running all components separately on dedicated servers, but this is not practical for small deployments (and even on large ones, Zimbra components are often co-hosted).
Started_how
Posts: 1
Joined: Wed Sep 14, 2022 12:40 pm

Re: Attacker managed to upload files into Web Client directory

Post by Started_how »

Can you link to publications on this topic?
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Attacker managed to upload files into Web Client directory

Post by phoenix »

Started_how wrote: Can you link to publications on this topic?
The details have already been given in this thread and it's also been mentioned that there's a blog entry on the topic.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
sotruongdo
Posts: 1
Joined: Thu Sep 15, 2022 1:42 am

Re: Attacker managed to upload files into Web Client directory

Post by sotruongdo »

yeak wrote:
Klug wrote: @Yeak, which OS are you running?

pax is in the "prerequisites" of Zimbra with Ubuntu (see here: https://wiki.zimbra.com/wiki/Ubuntu_Upgrades)
I'm quite sure it is for RHEL/CentOS too.
Yes, CentOS 7.9.

Many of our setup use Minimal OS package then begin Zimbra installation. I will get my team to add pax immediately for all deployments.
Hi sir,
Can you send me a copy of the malicious file? I want to research it more. Sorry, the new account can't send private messages.
Thanks!
tinnh1
Posts: 2
Joined: Thu Sep 22, 2022 8:39 am

Re: Attacker managed to upload files into Web Client directory

Post by tinnh1 »

Hi @yeak, can you send me a copy of the malicious file? I want to research it more. Sorry, the new account can't send private messages.
admin_erdemkiramer
Posts: 1
Joined: Wed Sep 28, 2022 2:54 pm

Re: Attacker managed to upload files into Web Client directory

Post by admin_erdemkiramer »

Hi @yeak, I represent the Turkish company Erdem Kiramer TR. We are very concerned about this vulnerability, since we use Zimbra in the company on CentOS 7 :? . We tried to fix this problem, but we are not sure that everything has been fixed. Could you please email us (journal@erdemkiramer.com) a sample of the file news.jpg so we can verify that the problem has been fixed?
isol
Posts: 16
Joined: Fri Jun 17, 2022 8:04 am

Re: Attacker managed to upload files into Web Client directory

Post by isol »

barrydegraaff wrote: yes, we have posted it on the blog just now, and we will also send it out via the newsletter etc.
We got no newsletter :( The last newsletter was on 10.08.22 at 18:41, about the "Security Notification: Authentication Bypass in MailboxImportServlet vulnerability".

Did you send a newsletter? We got no info, and the exploit is actively used.
robertvon
Posts: 21
Joined: Wed Sep 21, 2016 1:23 pm
ZCS/ZD Version: ZCS 8.8.15-P42 FOSS

Re: Attacker managed to upload files into Web Client directory

Post by robertvon »

Hi, we also got no newsletter.
Two of our servers were exploited because of the vulnerability.
At this time, AFAIK, the attacker uploaded a malicious file called ZimbraBoot.jsp in /opt/zimbra/jetty/webapps/zimbraAdmin/public/jsp, which seems to be a shell.
If someone wants the file, contact me.
We continue our investigation on our systems.

I'm sorry, but barrydegraaff: no newsletter here, nor any other piece of advice. Shame on Zimbra & Synacor.
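Two points made earlier in this thread suggest a simple defensive check an admin can run on a co-hosted server: ghen's observation that the jetty webroot should not need to be writable by amavisd (or by anyone but its owner), and robertvon's indicator that the attacker's web shell landed as a JSP under /opt/zimbra/jetty/webapps/zimbraAdmin/public/jsp. The script below is an added example, not code from this thread or from Zimbra: it records a baseline of the JSP files in the webapps tree, reports any JSP that is not in the baseline, lists JSPs modified in the last N days, finds group- or world-writable files, and reports whether pax is on PATH (pax is the Zimbra prerequisite discussed above). The webroot path comes from the thread; the baseline file path, the AUDIT_RUN variable and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the forum thread or of Zimbra itself.
# Audits a Zimbra jetty webapps tree for unexpected or recently changed JSP
# files, writable files, and the presence of pax. The webroot default comes
# from the thread; the baseline path, AUDIT_RUN and the function names are
# assumptions made for this example.

WEBROOT="${WEBROOT:-/opt/zimbra/jetty/webapps}"
BASELINE="${BASELINE:-/var/lib/zimbra-audit/jsp-baseline.txt}"   # hypothetical path

# Print the relative paths of every .jsp file under $1, sorted. Run this once
# on a known-clean install at the same patch level and keep the output as the
# baseline (store it outside the webroot, on a host the attacker cannot write to).
make_jsp_baseline() {
  (cd "$1" && find . -type f -name '*.jsp' | sort)
}

# Print every .jsp under $1 whose relative path is not listed in baseline $2.
# A dropped web shell shows up here even if its modification time was forged.
find_unexpected_jsp() {
  make_jsp_baseline "$1" | while IFS= read -r f; do
    grep -qxF -- "$f" "$2" || printf '%s\n' "$f"
  done
}

# Print .jsp files under $1 modified less than $2 days ago.
find_recent_jsp() {
  find "$1" -type f -name '*.jsp' -mtime "-$2"
}

# Print regular files under $1 that are group- or world-writable (octal bits
# 020 and 002). A webroot should not need write access for anyone but its owner.
find_writable_files() {
  find "$1" -type f \( -perm -020 -o -perm -002 \)
}

# Return 0 if pax is on PATH, 1 otherwise.
pax_installed() {
  command -v pax >/dev/null 2>&1
}

# Full report; run with AUDIT_RUN=1 after the baseline has been created.
audit_webroot() {
  echo "== JSP files not in baseline ($BASELINE) =="
  find_unexpected_jsp "$WEBROOT" "$BASELINE"
  echo "== JSP files modified in the last 7 days =="
  find_recent_jsp "$WEBROOT" 7
  echo "== group/world-writable files under $WEBROOT =="
  find_writable_files "$WEBROOT"
  if pax_installed; then
    echo "pax: installed"
  else
    echo "pax: NOT installed (listed as a Zimbra prerequisite in this thread)"
  fi
}

if [ "${AUDIT_RUN:-0}" = 1 ]; then
  audit_webroot
fi
```

Create the baseline once with `make_jsp_baseline /opt/zimbra/jetty/webapps > "$BASELINE"` on a clean host, then run the audit from cron with `AUDIT_RUN=1`; any line under "JSP files not in baseline" is worth an incident ticket, and an empty writable-files section is what you want to see after fixing permissions.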
halfgaar
Advanced member
Posts: 171
Joined: Sat Sep 13, 2014 12:54 am
Location: Netherlands
ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43

Re: Attacker managed to upload files into Web Client directory

Post by halfgaar »

I also got no newsletter. I only just now got an e-mail from the team, labelled "Security Alert: Amavis and Pax".

When I just saw this forum post, I remembered actually getting an e-mail with a news.jpg without content. At the time, the thought of malicious content did run through my head (because there was no other angle to the mail), but I abandoned it. Luckily I was protected by having Ubuntu with pax, and again by my web proxy shielding access to the HTTPS port of Zimbra.