
CVE-2022-41352

Published: 26/09/2022 Updated: 01/02/2024
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 0

Vulnerability Summary

An issue exists in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavis automatically prefers it over cpio.
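A host-side check for the condition the summary describes, added here as an example and not taken from Zimbra or any project linked on this page: it reports whether pax is reachable (so amavis would prefer it over cpio) and lists recently modified JSP files in the public web directory named above. The function names, the `--triage` switch and the 30-day window are assumptions of this example.

```shell
#!/bin/sh
# Added example: defender-side triage for CVE-2022-41352 on a Zimbra host.
# Function names and the 30-day window are assumptions of this example.

# Directory named in the vulnerability summary; override for other layouts.
ZIMBRA_PUBLIC="${ZIMBRA_PUBLIC:-/opt/zimbra/jetty/webapps/zimbra/public}"

# Report which archive extractor is reachable on a search path ($1, default $PATH).
# Prints "pax" (amavis prefers it once installed), "cpio-only" (the exposed
# configuration described in the summary) or "neither".
extractor_status() {
    (
        PATH="${1:-$PATH}"
        if command -v pax >/dev/null 2>&1; then
            echo "pax"
        elif command -v cpio >/dev/null 2>&1; then
            echo "cpio-only"
        else
            echo "neither"
        fi
    )
}

# List JSP files under directory $1 modified within the last $2 days (default 30).
# The directory can contain legitimate JSPs, so hits are leads for review,
# not proof of compromise.
recent_jsp() {
    dir="$1"; days="${2:-30}"
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }
    find "$dir" -type f -name '*.jsp' -mtime -"$days" -print
}

# Combine both checks into one report for the local host.
triage() {
    status=$(extractor_status)
    echo "extractor: $status"
    [ "$status" = "pax" ] || echo "WARNING: pax not found; install it so amavis prefers it over cpio"
    echo "JSP files changed in the last 30 days under $ZIMBRA_PUBLIC:"
    recent_jsp "$ZIMBRA_PUBLIC" 30
}

# Run only when asked, so the functions can also be sourced from another script.
if [ "${1:-}" = "--triage" ]; then triage; fi
```

Run it with `--triage` as the zimbra user or root; compare any listed JSP against the files shipped by the installed Zimbra packages before drawing conclusions.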

Vulnerable Product

zimbra collaboration 9.0.0

zimbra collaboration 8.8.15

Exploits

This Metasploit module creates a tar file that can be emailed to a Zimbra server to exploit CVE-2022-41352. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in the cpio command-line utility that can extract an arbitrary file to an arbitrary loca ...
Metasploit Modules

TAR Path Traversal in Zimbra (CVE-2022-41352)

This module creates a .tar file that can be emailed to a Zimbra server to exploit CVE-2022-41352. If successful, it plants a JSP-based backdoor in the public web directory, then executes that backdoor. The core vulnerability is a path-traversal issue in the cpio command-line utility that can extract an arbitrary file to an arbitrary location on a Linux system (CVE-2015-1197). Most Linux distros have chosen not to fix it. This issue is exploitable on Red Hat-based systems (and other hosts without pax installed) running versions:

* Zimbra Collaboration Suite 9.0.0 Patch 26 (and earlier)
* Zimbra Collaboration Suite 8.8.15 Patch 33 (and earlier)

The patch simply makes "pax" a prerequisite.

msf > use exploit/linux/http/zimbra_cpio_cve_2022_41352
msf exploit(zimbra_cpio_cve_2022_41352) > show targets
    ...targets...
msf exploit(zimbra_cpio_cve_2022_41352) > set TARGET <target-id>
msf exploit(zimbra_cpio_cve_2022_41352) > show options
    ...show and set options...
msf exploit(zimbra_cpio_cve_2022_41352) > exploit

Github Repositories

cve-2022-41352 poc

cve-2022-41352
generate poc.tar
$ chmod +x cpio_pocgen.py
$ ./cpio_pocgen.py
show the middle finger to cpio
$ cd /tmp
$ mkdir -p poc/a/b
copy poc.tar to /tmp/poc/a/b/
$ cd /tmp/poc/a/b/
$ cpio -i < poc.tar
$ ls -al /
total 16
drwxrwxr-x 3 xabino xabino 4096 ott 10 14:56
drwxrwxr-x 3 xabino xabino 4096 ott 10 14:55
drwxrwxr

Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability

CVE-2022-41352 PoC. How does this detection method work? As stated in the advisories, an issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0; the template looks at the following versions: "8.8.15", "9.0". How do I run this script? Download Nuclei from here. Copy the template to your lo

cpio pocgen

cve-2022-41352
generate poc.tar
$ chmod +x zimbra_cpio_pocgen.py
$ ./cpio_pocgen.py
show the middle finger to cpio
$ cd /tmp
$ mkdir -p poc/a/b
copy poc.tar to /tmp/poc/a/b/
$ cd /tmp/poc/a/b/
$ cpio -i < poc.tar
$ ls -al /
total 16
drwxrwxr-x 3 xabino xabino 4096 ott 10 14:56
drwxrwxr-x 3 xabino xabino 4096 ott 10 14:55
d

Zimbra <9.0.0.p27 RCE

(CVE-2022-41352) Zimbra Unauthenticated RCE. CVE-2022-41352 is an arbitrary file write vulnerability in Zimbra mail servers due to the use of a vulnerable cpio version. CVE-2022-41352 (NIST.gov), CVE-2022-41352 (Rapid7 Analysis). Affected Zimbra versions: Zimbra <9.0.0.p27, Zimbra <8.8.15.p34 (refer to the patch notes for more details). Remediation: In order to

Recent Articles

Ongoing exploitation of CVE-2022-41352 (Zimbra 0-day)
Securelist • GReAT • 13 Oct 2022

Overview: On September 10, 2022, a user reported on Zimbra’s official forums that their team detected a security incident originating from a fully patched instance of Zimbra. The details they provided allowed Zimbra to confirm that an unknown vulnerability allowed attackers to upload arbitrary files to up-to-date servers. At the moment, Zimbra has released a patch and shared its installation steps. In addition, manual mitigation steps can be undertaken by system administrators to prevent succes...