Exploitation Summary
EIP tracks 1 public exploit for CVE-2015-1197.
PoCs published by Alexander Cherepanov, yeak, Ron Bowes, including Metasploit module exploits/linux/http/zimbra_cpio_cve_2022_41352.
AI-analyzed exploit summary
This Metasploit module exploits CVE-2022-41352 in Zimbra Collaboration Suite by leveraging a path traversal vulnerability in the cpio utility (CVE-2015-1197). It crafts a malicious .tar file containing a symlink and a JSP payload, which, when processed by the Zimbra server, deploys a backdoor in the public web directory.
Description
cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive.