Categories: exploit, vuln, intrusive
A 0 day was released on the 6th December 2013 by rubina119, and was patched in Zimbra 7.2.6.
The vulnerability is a local file inclusion that can retrieve any file from the server.
Currently, we read /etc/passwd and /dev/null, and compare the lengths to determine vulnerability.
TODO: Add the possibility to read compressed files. Then, send some payload to create the new mail account.
URI. Default: /zimbra
http.max-cache-size, http.max-pipeline, http.pipeline, http.useragent: See the documentation for the http library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername: See the documentation for the smbauth library.
vulns.showall: See the documentation for the vulns library.
unittest.run: See the documentation for the unittest library.
nmap -sV --script http-vuln-0-day-lfi-zimbra <target>
nmap -p80 --script http-vuln-0-day-lfi-zimbra --script-args http-vuln-0-day-lfi-zimbra=/ZimBra <target>
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-vuln-0-day-lfi-zimbra:
|   VULNERABLE:
|   Zimbra Local File Inclusion and Disclosure of Credentials
|     State: VULNERABLE (Exploitable)
|     IDs:  None, 0-day
|     Description:
|       A 0 day has been released on the 6th december 2013 by rubina119.
|       The vulnerability is a local file inclusion that can retrieve the credentials of the Zimbra installations etc.
|       Using this script, we can detect if the file is present.
|       If the file is present, we assume that the host might be vulnerable.
|
|       In future version, we'll extract credentials from the file but it's not implemented yet and
|       the detection will be accurate.
|
|       TODO:
|       Add the possibility to read compressed file (because we're only looking if it exists)
|       Then, send some payload to create the new mail account
|     Disclosure date: 2013-06-12
|     Extra information:
|       Proof of Concept:/index.php?-s
|     References:
|_      http://www.exploit-db.com/exploits/30085/
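When the scan covers many hosts, the report above can be triaged from Nmap's XML output (`-oX`) instead of reading it by eye. The following is an added example, not part of the script or of Nmap; the sample XML is constructed, and the function name `vulnerable_endpoints` is hypothetical.

```python
import xml.etree.ElementTree as ET

SCRIPT_ID = "http-vuln-0-day-lfi-zimbra"

# Constructed sample of `nmap -oX` output, trimmed to the elements read below.
# The second host carries a report that does not start with "State: VULNERABLE".
SAMPLE_XML = """<nmaprun>
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80">
      <state state="open"/>
      <script id="http-vuln-0-day-lfi-zimbra" output="&#10;  VULNERABLE:&#10;  Zimbra Local File Inclusion and Disclosure of Credentials&#10;    State: VULNERABLE (Exploitable)&#10;"/>
    </port></ports>
  </host>
  <host>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443">
      <state state="open"/>
      <script id="http-vuln-0-day-lfi-zimbra" output="&#10;  NOT VULNERABLE:&#10;    State: NOT VULNERABLE&#10;"/>
    </port></ports>
  </host>
</nmaprun>"""


def vulnerable_endpoints(xml_text):
    """Return sorted (address, port) pairs where the script reported VULNERABLE."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            for script in port.findall("script"):
                if script.get("id") != SCRIPT_ID:
                    continue
                # The output attribute holds the same text block shown above.
                states = [line.strip()
                          for line in script.get("output", "").splitlines()
                          if line.strip().startswith("State:")]
                if states and states[0].startswith("State: VULNERABLE"):
                    findings.append((addr, int(port.get("portid"))))
    return sorted(findings)


if __name__ == "__main__":
    for addr, port in vulnerable_endpoints(SAMPLE_XML):
        # The page states the issue was patched in Zimbra 7.2.6.
        print(f"{addr}:{port} reported VULNERABLE; check Zimbra is at 7.2.6 or later")
```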
Author: Paul AMAR <email@example.com>, Ron Bowes
License: Same as Nmap--See http://nmap.org/book/man-legal.html