Making sense of Zimbra

On April 20th, 2022, NVD published CVE-2022-27925, a vulnerability in Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 that allowed an authenticated user with administrator rights to upload arbitrary files to the system, leading to directory traversal.

On August 10th, 2022, Volexity published a blog investigating CVE-2022-27925 and announcing their discovery of an authentication bypass. This bug was a result of an incomplete fix for CVE-2022-27925.

On August 12th, 2022, NVD published Volexity’s authentication bypass as CVE-2022-37042.

Attackers can chain CVE-2022-37042 and CVE-2022-27925 to bypass authentication and upload arbitrary files such as web shells, leading to remote code execution. As of August 18th, 2022, GreyNoise has observed these two exploits in the wild with varying parameters appended to their POST paths:

Images showing POST paths used for exploiting CVE-2022-37042 and CVE-2022-27925

At this time, GreyNoise has not validated which parameters are required for exploitation.

Most of these POST attempts contain a zip archive starting with the bytes “PK” (\x50\x4B) that deploys a JSP web shell to the following path:

These JSP files act as a backdoor that attackers can later access for remote code execution.

GreyNoise has observed two different JSP payloads. The first is a generic web shell that allows arbitrary command execution:

Generic web shell allowing arbitrary command execution

The second appears to only log the string “NcbWd0XGajaWS4DmOvZaCkxL1aPEXOZu” and delete itself: 

Logging the string “NcbWd0XGajaWS4DmOvZaCkxL1aPEXOZu” followed by deletion

The following PoC produces a request similar to the one observed by GreyNoise:
https://github.com/GreyNoise-Intelligence/Zimbra_CVE-2022-37042-_CVE-2022-27925

GreyNoise tags for tracking and blocking this activity are live and available to all users: