Categories: exploit, vuln, intrusive
An 0 day was released on the 6th December 2013 by rubina119, and was patched in Zimbra 7.2.6.
The vulnerability is a local file inclusion that can retrieve any file from the server.
Currently, we read /etc/passwd and /dev/null, and compare the lengths to determine vulnerability.
TODO: Add the possibility to read compressed file. Then, send some payload to create the new mail account.
URI. Default: /zimbra
See the documentation for the slaxml library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
- vulns.short, vulns.showall
See the documentation for the vulns library.
nmap -sV --script http-vuln-cve2013-7091 <target> nmap -p80 --script http-vuln-cve2013-7091 --script-args http-vuln-cve2013-7091=/ZimBra <target>
PORT STATE SERVICE REASON 80/tcp open http syn-ack | http-vuln-cve2013-7091: | VULNERABLE: | Zimbra Local File Inclusion and Disclosure of Credentials | State: VULNERABLE (Exploitable) | IDs: CVE:CVE-2013-7091 | Description: | An 0 day was released on the 6th December 2013 by rubina119. | The vulnerability is a local file inclusion that can retrieve the credentials of the Zimbra installations etc. | Using this script, we can detect if the file is present. | If the file is present, we assume that the host might be vulnerable. | | In future version, we'll extract credentials from the file but it's not implemented yet and | the detection will be accurate. | | TODO: | Add the possibility to read compressed file (because we're only looking if it exists) | Then, send some payload to create the new mail account | Disclosure date: 2013-12-06 | Extra information: | Proof of Concept:/index.php?-s | References: |_ http://www.exploit-db.com/exploits/30085/
License: Same as Nmap--See https://nmap.org/book/man-legal.html