Attacker managed to upload files into Web Client directory
- barrydegraaff
- Zimbra Employee
- Posts: 242
- Joined: Tue Jun 17, 2014 3:31 am
- Contact:
Re: Attacker managed to upload files into Web Client directory
yes, we have posted it on the blog just now, and we will also send it out via the newsletter etc.
--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/
-
- Outstanding Member
- Posts: 264
- Joined: Thu May 12, 2016 1:56 pm
- Location: Belgium
- ZCS/ZD Version: 9.0.0
Re: Attacker managed to upload files into Web Client directory
Barry
Would Zimbra consider (or support) running different components as different users, instead of running everything as "zimbra"?
This would prevent such cross-exploitation between different components on a single server, like from amavisd to mailboxd etc. There is no reason amavisd should be able to write in jetty webroot for example...
(I don't think the webroot should be writable at all btw, even for jetty itself, see ZBUG-2975.)
Large deployments can avoid this by running all components separately on dedicated servers, but this is not practical for small deployments (and even on large ones, Zimbra components are often co-hosted).
-
- Posts: 1
- Joined: Wed Sep 14, 2022 12:40 pm
Re: Attacker managed to upload files into Web Client directory
Can you link to publications on this topic?
Re: Attacker managed to upload files into Web Client directory
Started_how wrote: Can you link to publications on this topic?
The details have already been given in this thread and it's also been mentioned that there's a blog entry on the topic.
-
- Posts: 1
- Joined: Thu Sep 15, 2022 1:42 am
Re: Attacker managed to upload files into Web Client directory
Klug wrote: @Yeak, which OS are you running?
yeak wrote: Yes, CentOS 7.9.
Hi sir,
pax is in the "prerequisites" of Zimbra with Ubuntu (see here: https://wiki.zimbra.com/wiki/Ubuntu_Upgrades)
I'm quite sure it is for RHEL/CentOS too.
Many of our setups use the Minimal OS package, then begin the Zimbra installation. I will get my team to add pax immediately for all deployments.
Can you send me a copy of the malicious file? I want to research it more; sorry, the new account can't send private messages.
Thanks!
Re: Attacker managed to upload files into Web Client directory
Hi @yeak, can you send me a copy of the malicious file? I want to research it more; sorry, the new account can't send private messages.
-
- Posts: 1
- Joined: Wed Sep 28, 2022 2:54 pm
Re: Attacker managed to upload files into Web Client directory
Hi, @yeak. I represent the Turkish company Erdem Kiramer TR. We are very concerned about this vulnerability, since we use Zimbra in the company on CentOS 7 OS. We tried to fix this problem, but we are not sure that everything has been fixed. Could you please email us a sample file news.jpg at journal@erdemkiramer.com to verify that the problem has been fixed?
Re: Attacker managed to upload files into Web Client directory
barrydegraaff wrote: yes, we have posted it on the blog just now, and we will also send it out via the newsletter etc.
We get no newsletter; the last newsletter was 10.08.22 18:41 about the "Security Notification: Authentication Bypass in MailboxImportServlet vulnerability".
Did you send a newsletter? We get no info, and the exploit is actively used.
Re: Attacker managed to upload files into Web Client directory
Hi, we also got no newsletter.
Two of our servers were exploited because of the vulnerability.
At this time AFAIK the attacker uploaded a malicious file called ZimbraBoot.jsp in /opt/zimbra/jetty/webapps/zimbraAdmin/public/jsp
which seems to be a shell.
If someone wants the file contact me
We continue our investigation on our systems
I'm sorry, but: barrydegraaff, no newsletter here nor other pieces of advice. Shame on Zimbra & Synacor.
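Two posts in this thread describe the same defensive check from different angles: Klug's point that nothing running as "zimbra" should be able to write into the jetty webroot, and the report above of a dropped ZimbraBoot.jsp under /opt/zimbra/jetty/webapps/zimbraAdmin/public/jsp. The script below is an added example, not Zimbra's own tooling and not from any poster in this thread. It audits a webapps tree for directories the service account can write to and for .jsp files that are not in a known-good baseline. The baseline format (one relative .jsp path per line, taken from a clean install of the same build) and the helper names are this example's own assumptions; the "zimbra" user name and the webapps path come from the thread.

```shell
#!/bin/sh
# Added example, not Zimbra's own tooling. Audits a Zimbra jetty webapps tree for
# (a) directories the service account can write to, which is what lets a
#     compromised component drop files into the webroot, and
# (b) .jsp files absent from a known-good baseline, the pattern reported for
#     /opt/zimbra/jetty/webapps/zimbraAdmin/public/jsp.
# Assumption (not from the page): BASELINE is a text file with one relative
# .jsp path per line, generated from a clean install of the same build.

# Print directories under DIR that USER (default "zimbra") can write to.
# Mode bits are checked with find -perm, so the result does not depend on
# which account runs the audit.
list_writable_dirs() {
    dir="$1"
    user="${2:-zimbra}"
    grp=$(id -gn "$user" 2>/dev/null || echo "$user")
    find "$dir" -type d \( \
        \( -user "$user" -perm -200 \) -o \
        \( -group "$grp" -perm -020 \) -o \
        -perm -002 \) -print | sort
}

# Print relative paths of .jsp files under DIR that are not listed in BASELINE.
list_unexpected_jsp() {
    dir="$1"
    baseline="$2"
    ( cd "$dir" && find . -type f -name '*.jsp' | sed 's|^\./||' ) \
        | grep -vxF -f "$baseline" | sort
}

# Run both checks; return 1 if either finds something, so cron/monitoring can alert.
audit_webroot() {
    dir="$1"
    baseline="$2"
    user="${3:-zimbra}"
    status=0
    w=$(list_writable_dirs "$dir" "$user")
    if [ -n "$w" ]; then
        echo "Directories writable by $user:"
        echo "$w"
        status=1
    fi
    j=$(list_unexpected_jsp "$dir" "$baseline")
    if [ -n "$j" ]; then
        echo "JSP files not in baseline $baseline:"
        echo "$j"
        status=1
    fi
    return "$status"
}

# Usage: sh audit_webroot.sh /opt/zimbra/jetty/webapps /root/jsp-baseline.txt [zimbra]
if [ -n "${1:-}" ]; then
    audit_webroot "$1" "$2" "$3"
fi
```

Run it from a non-zimbra account after each patch, regenerate the baseline from the patched build, and treat any writable directory or unlisted .jsp as an incident to triage rather than something to delete in place.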
-
- Advanced member
- Posts: 173
- Joined: Sat Sep 13, 2014 12:54 am
- Location: Netherlands
- ZCS/ZD Version: Ubuntu 18.04, 8.8.15_P43
- Contact:
Re: Attacker managed to upload files into Web Client directory
I also got no newsletter. I only just now got an e-mail from the team, labelled "Security Alert: Amavis and Pax".
When I just saw this forum post, I remembered actually getting an e-mail with a news.jpg without content. At the time, the thought of malicious content did run through my head (because there was no other angle to the mail), but I abandoned it. I was protected luckily, by having Ubuntu with Pax, and again by my webproxy shielding access to the HTTPS port of Zimbra.