PRP: CVE-2019-9670 - Synacor Zimbra XXE #579
Labels
Contributor main
The main issue a contributor is working on (top of the contribution queue).
PRP:Accepted
Comments
|
You can work on this. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi there,
I would like to implement a plugin to detect CVE-2019-9670, an XXE vulnerability affecting Synacor Zimbra Collaboration Suite.
It is worth to note that the vulnerability is the first step of a chain that uses another vulnerability (CVE-2019-9621) found in the same software in order to obtain an unauthenticated RCE.
Specifically, by using the XXE (CVE-2019-9670) it is possible to read a configuration file that contains an LDAP password for the zimbra account. The zimbra credentials are then used to get a user authentication cookie with an AuthRequest message. Using the user cookie, a SSRF (CVE-2019-9621) in the Proxy Servlet is used to proxy an AuthRequest with the zimbra credentials to the admin port to retrieve an admin cookie. After gaining an admin cookie the Client Upload servlet is used to upload a JSP webshell that can be triggered from the web server to get command execution on the host.
References:
https://nvd.nist.gov/vuln/detail/cve-2019-9670
https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html
https://blog.zimbra.com/2019/03/new-zimbra-8-7-11-patch-10/
https://attackerkb.com/topics/7bMNsBStux/zimbra-collaboration-suite-autodiscover-xxe/vuln-details
Thanks.
The text was updated successfully, but these errors were encountered: