CVE-2022-41352 PoC — Zimbra Collaboration Suite Path Traversal Vulnerability

Associated Vulnerability
Title: Zimbra Collaboration Suite Path Traversal Vulnerability (CVE-2022-41352)
Description: An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavis automatically prefers it over cpio.
Description
Zimbra <9.0.0.p27 RCE
Readme
# (CVE-2022-41352) Zimbra Unauthenticated RCE

> CVE-2022-41352 is an arbitrary file write vulnerability in Zimbra mail servers due to the use of a vulnerable `cpio` version.

- [CVE-2022-41352 (NIST.gov)](https://nvd.nist.gov/vuln/detail/CVE-2022-41352)
- [CVE-2022-41352 (Rapid7 Analysis)](https://attackerkb.com/topics/1DDTvUNFzH/cve-2022-41352/rapid7-analysis)

**Affected [Zimbra versions](https://wiki.zimbra.com/wiki/Zimbra_Releases):**
- Zimbra <9.0.0.p27
- Zimbra <8.8.15.p34

(Refer to the [patch notes](https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories) for more details.)

**Remediation:**

To fix the vulnerability, apply the latest patch (9.0.0.p27 and 8.8.15.p34 respectively), or install `pax` and restart the server.
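
A defender-side check built from the remediation above, added here as an example (it is not part of the original README or the PoC script). The function names, the verdict strings and the release-text format `9.0.0_P26` are assumptions; the sample lines are constructed.

```bash
#!/usr/bin/env bash
# Added example: exposure check built from the README's remediation text.
# First fixed patch per release line, as stated on the page.
fixed_patch_for() {
    case "$1" in
        9.0.0)  echo 27 ;;
        8.8.15) echo 34 ;;
        *)      return 1 ;;   # release line the page does not cover
    esac
}

# Extract "VERSION PATCH" from release text.
# Assumption: the text carries a token shaped like "9.0.0_P26" or "8.8.15.p34".
parse_release() {
    local tok
    tok=$(printf '%s\n' "$1" | grep -oiE '[0-9]+\.[0-9]+\.[0-9]+[._]p[0-9]+' | tail -n 1)
    [ -n "$tok" ] || return 1
    echo "${tok%[._][pP]*} ${tok##*[pP]}"
}

# assess VERSION PATCH PAX(yes|no) -> patched | mitigated-by-pax | exposed | unknown
assess() {
    local fixed
    fixed=$(fixed_patch_for "$1") || { echo unknown; return 0; }
    if [ "$2" -ge "$fixed" ]; then echo patched
    elif [ "$3" = yes ]; then echo mitigated-by-pax
    else echo exposed
    fi
}

# assess_text "release text" PAX -> same verdicts; "unknown" if no patch token is found
assess_text() {
    local vp
    vp=$(parse_release "$1") || { echo unknown; return 0; }
    # shellcheck disable=SC2086  # intentional split into VERSION and PATCH
    assess $vp "$2"
}

# Is pax resolvable on this PATH? Run it as the account amavis uses, since its PATH decides.
pax_present() { command -v pax >/dev/null 2>&1 && echo yes || echo no; }

# Constructed sample lines (not captured from a real server).
for line in \
    "Release 9.0.0 FOSS edition, Patch 9.0.0_P26." \
    "Release 8.8.15 FOSS edition, Patch 8.8.15_P34."; do
    printf '%s -> pax=no: %s, pax=yes: %s\n' "$line" \
        "$(assess_text "$line" no)" "$(assess_text "$line" yes)"
done
```

On a real host, pass `"$(pax_present)"` as the last argument; a `mitigated-by-pax` verdict only holds once the server has been restarted after installing `pax`, as the remediation states.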

**Usage:**

You can either use flags or manipulate the default configuration in the script manually (config block at the top).
Use `-h` for help.
```bash
$ python cve-2022-41352.py -h

$ vi cve-2022-41352.py
# Change the config items.

$ python cve-2022-41352.py manual
# This will create an attachment that you can then send to the target server.
# The recipient does not necessarily have to exist - if the email with the attachment is parsed by the server the arbitrary file write in cpio will be triggered.
```

**Example:**

![example](https://user-images.githubusercontent.com/63863112/201727401-76a05e0c-d55d-4752-966f-49f2301113f1.png)
(The above screenshot shows a wrong output for the email body but that has been fixed.)

**Demo:**

https://user-images.githubusercontent.com/63863112/201446602-20d9adbb-d138-4d6b-bca7-5bec80d75972.mp4
File Snapshot

[4.0K] /data/pocs/50a87ee60ae77878f9364f196ecef23d46aae8ef
├── [8.8K] cve-2022-41352.py
└── [1.6K] README.md

0 directories, 2 files