Weird Zimbra Vulnerability

Hackers can execute commands on a remote computer by sending malformed emails to a Zimbra mail server. It’s critical, but difficult to exploit reliably.

In an email sent Wednesday afternoon, Proofpoint researcher Greg Lesnewich seemed to largely concur that the attacks weren’t likely to lead to mass infections that could install ransomware or espionage malware. The researcher provided the following details:

  • While the exploitation attempts we have observed were indiscriminate in targeting, we haven’t seen a large volume of exploitation attempts
  • Based on what we have researched and observed, exploitation of this vulnerability is very easy, but we do not have any information about how reliable the exploitation is
  • Exploitation has remained about the same since we first spotted it on Sept. 28th
  • There is a PoC available, and the exploit attempts appear opportunistic
  • Exploitation is geographically diverse and appears indiscriminate
  • The fact that the attacker is using the same server to send the exploit emails and host second-stage payloads indicates the actor does not have a distributed set of infrastructure to send exploit emails and handle infections after successful exploitation. We would expect the email server and payload servers to be different entities in a more mature operation.
  • Defenders protecting Zimbra appliances should look out for odd CC or To addresses that look malformed or contain suspicious strings, as well as logs from the Zimbra server indicating outbound connections to remote IP addresses.

Posted on October 3, 2024 at 7:04 AM • 11 Comments

Comments

SocraticGadfly October 3, 2024 11:07 AM

Very interesting. And personal.

The internet company for the email accounts for my two newspapers is on Zimbra. I am going to pass this on.

Clive Robinson October 3, 2024 11:50 AM

@ Bruce,

You say,

“It’s critical, but difficult to exploit.”

And in the 2nd point in the quote from the researcher,

“exploitation of this vulnerability is very easy,”

Which would appear to be at odds with each other.

bud October 3, 2024 2:12 PM

In the patched version, execvp is used, and user input is passed as an array, which prevents direct command injection. Additionally, we noticed the introduction of an is_safe_input function that sanitizes the input before it’s passed to execvp. We examined this function to identify any special characters that might lead to command injection.

That’s one hell of a bad-design shibboleth, and that’s in the supposedly “fixed” version.

Any time one “enumerates badness”, one is liable to miss something. But even doing the opposite—enumerating acceptable characters—is generally a bad idea. In this case, the “correct” (and still bad) thing would be to re-encode from “arbitrary octets” to “shell-encoded data”; certain octet values, notably 0, would be non-encodable and would either have to be rejected, or have some beyond-shell encoding defined for them. (The decompilation shows that Zimbra is working with null-terminated C strings, using the C string functions to do so, and using raw pointer math on the strings; so null bytes won’t matter, but these are all bad ideas themselves.)

Really, any time user-provided data is being passed to a shell, it should be done via environment variables (which allow all non-zero octets without further encoding); or something else such as a file, but then an encoding has to be defined for that. The whole idea of involving a shell, though, ought to be questioned.

My not-so-humble opinion is to stop using Zimbra; it needs re-writing, not patching. Also, sand-box your servers as heavily as possible. Mail-receiving code probably doesn’t need the ability to connect to non-local addresses, for example—for things like forwarding and reputation-list checking, a differently-restricted process could be made accessible on a local socket. This applies even to software written in memory-safe languages; after all, this bug was nothing relating to memory-safety (and finding it involved little more than searching for some functions we knew to be dangerous 30 years ago).
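As an added illustration of the point above (this is not the commenter's code and not Zimbra's), the two hand-off styles the comment recommends, in Python: the value as a single argv element with no shell involved, and, where a shell is unavoidable, the value in an environment variable expanded inside double quotes. The NUL-byte case is rejected explicitly rather than silently truncated; the sample address is constructed.

```python
import os
import subprocess

# Constructed sample: an address-like string stuffed with shell metacharacters.
SAMPLE = 'user@example.com"; echo injected; "$(id) `id` | cat'


def _reject_nul(value: str) -> None:
    # argv and environment strings are C strings: a NUL cannot be carried,
    # so it must be rejected (or given its own encoding), never dropped.
    if "\x00" in value:
        raise ValueError("NUL byte cannot be passed to a child process")


def echo_via_argv(value: str) -> str:
    """Hand the value over as one argv element. No shell ever parses it,
    so metacharacters are just bytes; printf echoes them back verbatim."""
    _reject_nul(value)
    result = subprocess.run(["printf", "%s", value],
                            capture_output=True, text=True, check=True)
    return result.stdout


def echo_via_env(value: str) -> str:
    """If a shell really is unavoidable, pass the value in an environment
    variable and expand it double-quoted: the shell never re-parses the
    contents as code, and every octet except NUL is allowed."""
    _reject_nul(value)
    env = dict(os.environ, USER_INPUT=value)
    result = subprocess.run(["/bin/sh", "-c", 'printf %s "$USER_INPUT"'],
                            env=env, capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    for fn in (echo_via_argv, echo_via_env):
        print(fn.__name__, "round-tripped exactly:", fn(SAMPLE) == SAMPLE)
```

Neither path needs a list of "bad" characters, which is the point: there is nothing to enumerate when the data is never handed to a parser as code.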

Clive Robinson October 4, 2024 6:24 AM

My gut feeling from how this is being reported, is that the person behind this attack has a fair degree of familiarity with some aspects of the server side code, but this is their first step into active exploitation.

Thus do not be surprised if they get identified/caught, it turns out they were once developing the code or an employee or similar with access to the companies internal systems.

I’ll be honest and say that with so many commercial organisations taking and using PubDomain or FOSS code in violation of licences or not paying back into the community we have not seen more of this sort of attack.

Blue October 4, 2024 11:26 PM

@Uaf

Either some details have been omitted or altered, or there is some wider bluetooth vulnerability being exploited as well.

What $300 phone has a bluetooth tx range of 140 meters?

B. D. Johnson October 6, 2024 9:01 AM

I read this headline as “Weird Zebra Vulnerability” and ended up disappointed.

ResearcherZero October 8, 2024 1:38 AM

Got backdoor running in your environment and huge quantities of customer data?

‘https://arstechnica.com/tech-policy/2024/10/reports-china-hacked-verizon-and-att-may-have-accessed-us-wiretap-systems/

cyberespionage

“We are seeing, again and again — especially in this scenario, when we went into the customer’s domain — that people are not aware of their environment.”

‘https://therecord.media/ghostemperor-spotted-first-time-in-two-years

Demodex, a kernel-level rootkit.

“One of the main activities that the threat actor executed once getting a foothold in [the client’s] network was actually to penetrate to other networks, so the business partners of this specific client.”

Bypasses Driver Signature Enforcement and evades EDR
https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/

‘https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/

SparrowDoor
https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/

Clive Robinson October 8, 2024 7:22 AM

@ Blue,

Re : Bluetooth devices and range.

You say,

“What $300 phone has a bluetooth tx range of 140 meters?”

What if I said truthfully

“They all do”

Because it depends on a number of things that most do not consider.

I can go through a “link budget” with the maths behind it to demonstrate but the answer is that given the right “system” setup they all do.

I’ve warned in the past on this blog and other places that your Bluetooth phone can be “sniped” at more than 500m and indicated the equipment you need to do it. It’s a very real security threat that has been exploited in more than “PoC Demonstrations”.

Even BLE carries risks at several times the “effective range” given by those who formulated it.

Because the range they give is actually a “minimum” under expected environmental conditions not a “maximum”.

You want it to nearly always work at thirty feet inside a building which has electrical noise etc with it in your pocket. Go stand on a hill in a park with it up against your ear and you will find way more than 100ft is possible and if the attacker is set up correctly 1000ft of RF range is possible.

Because that is ~30dB and that is well within some system design “fade margins” for the likes of “in your pocket” devices.

Have a look at,

https://www.electronicdesign.com/technologies/communications/article/21796484/understanding-wireless-range-calculations

It gives some examples of radio path information in the same frequency range as Bluetooth.

Blue October 8, 2024 8:17 PM

@Clive Robinson

I figured the journalist would have noticed if he was aiming a Yagi antenna or similar. It was claimed to be done with an unmodified phone.

I don’t think it is impossible under the right conditions (0 humidity, ideal glass), but this was also an office complex with presumably a lot of interference on the same frequency. 140 meters sounded like a bit of a stretch even considering the fade margins.

But now I just found the magic search term “Coded PHY” (previous search term was “Class 1”) and there do appear to be a number of second hand phones with that range for under $300

https://github.com/NordicSemiconductor/Android-BLE-Library/issues/166

Oddly, there’s not much I can find about newer devices with the 5.0 Coded PHY capability. Maybe it has been renamed in newer versions, or maybe the OS writers have been locking this out from the end user?

Clive Robinson October 9, 2024 12:08 PM

@ Blue,

I did not want to get too far down into the weeds of the specifications but Bluetooth “5” has two tricks to give a quite substantial range increase.

The first is to increase the TX output power by 10times that gives all else being equal just over three times the range.

This is easily possible because Bluetooth and WiFi share the same ISM band thus have the same TX output lineup from either the baseband or modulator onwards.

As some WiFi line ups can actually give a hundred times the power (ie +30dBm) then that could give 30 times the range (and at least 300m). But honestly you would not want that level of RF Power at the frequency microwave ovens work at upside your head or pacemaker.

Secondly is the secret of 4KBT noise used for “Low probability of Intercept” communications techniques.

Put simply you can get double the range by using a quarter of the data rate “at baseband” in a synchronous system.

If you think about it each time you “halve the bandwidth” you “halve the noise” thus give yourself an increased “Signal to Noise Ratio” (likewise if you change the modulation type see Eb/N0 if you want the gory details[1]).

So yes you can get a surprisingly long range, but the price you pay is reduced “data rate” and increased “latency”.

Which is fine if you are using it as a way to implant malware, but the exfiltration of video and the like would have to be by WiFi and other high bandwidth networking.

[1] There is a system called LoRa that works in other ISM bands that uses both modulation rate and modulation type changes to increase range very significantly that you can buy kits for for just a few tens of dollars, and it’s become something of a growing hobby via “MeshTastic”. Some people think it’s a “prepper tool” others think it’s a way to “be out of sight of the man” and similar so expect “scary stories” from the usual authoritarian suspects. The simple fact though is just like Bluetooth LE it can be set up as a peer to peer mesh communications system without a backbone thus has a quite high degree of fault tolerance in non normal circumstances but is really not much more than the Ham APRS or old style SMS in terms of data capability. But it does have AES data encryption capabilities.
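As an added worked example (not part of the thread), the scaling rules the comment quotes, in Python: a link-budget gain in dB converted into a range multiplier, the noise-floor gain from cutting the baseband bandwidth, and free-space path loss at Bluetooth's band. The 140 m figure from the thread is the sample distance; a path-loss exponent of 2 (free space) is an assumption, and the function also takes a larger exponent to show how much the same margin buys indoors.

```python
import math

C_M_PER_S = 299_792_458.0  # speed of light


def range_multiplier(gain_db: float, path_loss_exponent: float = 2.0) -> float:
    """Range gained from an extra gain_db in the link budget, assuming received
    power falls as 1/d^n. n = 2 is free space (assumption); indoors n is larger,
    so the same margin buys less distance."""
    return 10 ** (gain_db / (10 * path_loss_exponent))


def power_ratio_db(ratio: float) -> float:
    """10x TX power -> +10 dB, 100x -> +20 dB."""
    return 10 * math.log10(ratio)


def bandwidth_gain_db(rate_divisor: float) -> float:
    """Thermal noise power is kTB, so dividing the baseband bandwidth by
    rate_divisor lowers the noise floor (raises SNR) by 10 log10(divisor) dB."""
    return 10 * math.log10(rate_divisor)


def fspl_db(distance_m: float, freq_hz: float) -> float:
    """Free-space path loss: 20 log10(4 * pi * d * f / c)."""
    return 20 * math.log10(4 * math.pi * distance_m * freq_hz / C_M_PER_S)


if __name__ == "__main__":
    print("10x power      ->", round(range_multiplier(power_ratio_db(10)), 2), "x range")
    print("100x power     ->", round(range_multiplier(power_ratio_db(100)), 2), "x range")
    print("1/4 data rate  ->", round(range_multiplier(bandwidth_gain_db(4)), 2), "x range")
    print("30 dB margin   ->", round(range_multiplier(30), 1), "x range (free space)")
    print("30 dB margin   ->", round(range_multiplier(30, 3.0), 1), "x range (n = 3)")
    print("FSPL 140 m @ 2.44 GHz:", round(fspl_db(140, 2.44e9), 1), "dB")
```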
