
Path Traversal flaw in UnRAR utility can allow hacking Zimbra Mail servers

Researchers discovered a new flaw in RARlab’s UnRAR utility, tracked as CVE-2022-30333, that can allow remote attackers to compromise Zimbra webmail servers.

SonarSource researchers have discovered a new vulnerability in RARlab’s UnRAR utility, tracked as CVE-2022-30333, that can be exploited by remote attackers to execute arbitrary code on a system that relies on the binary, like Zimbra webmail servers.

Zimbra is an enterprise-ready email solution used by over 200,000 businesses, government and financial institutions.

“We discovered a 0-day vulnerability in the unrar utility, a 3rd party tool used in Zimbra. The vulnerability ultimately allows a remote attacker to execute arbitrary code on a vulnerable Zimbra instance without requiring any prior authentication or knowledge about it.” reads the post published by SonarSource researchers.

“An attacker is able to create files outside of the target extraction directory when an application or victim user extracts an untrusted archive. If they can write to a known location, they are likely to be able to leverage it in a way leading to the execution of arbitrary commands on the system.”

The CVE-2022-30333 flaw in the unrar binary developed by RarLab is an arbitrary file write vulnerability that can be exploited by tricking a victim (or an automated process such as a mail scanner) into extracting a maliciously crafted RAR archive.

The experts pointed out that, in the case of Zimbra, threat actors could exploit this issue to access every email sent and received on a compromised email server. An attacker can fully compromise the server, install a backdoor, and use the compromised machine as a pivot to target other systems within the organization.

“The only requirement for this attack is that unrar is installed on the server, which is expected as it is required for RAR archive virus-scanning and spam-checking.” continues the report.

Below is the timeline for this issue:

Date         Action
2022-05-04   We report the bug in unrar to RarLab.
2022-05-04   We are already in communication with Zimbra about another issue. We give them a heads-up about an upcoming security patch from RarLab and send them a Proof-of-Concept exploit to verify that the issue affects Zimbra.
2022-05-04   RarLab confirms the issue.
2022-05-05   RarLab sends us a patch for review. We confirm the patch is effective the same day.
2022-05-06   RarLab releases version 6.12 of the binary on their website.
2022-05-07   We send a dedicated email to Zimbra regarding this issue and send the Proof-of-Concept exploit again.
2022-05-11   We notice a flaw in our Proof-of-Concept and send Zimbra more files to help them verify the issue.
2022-05-11   We notify Debian and Ubuntu package maintainers of the security issue.
2022-05-11   Zimbra notifies us that they were able to reproduce the vulnerability.
2022-05-25   We notify Zimbra of the planned release date for this blog post.

The issue stems from a symbolic link attack: a threat actor can craft a RAR archive containing a symlink whose target mixes backslashes and forward slashes (e.g., “..\..\..\tmp/shell”). On Unix, unrar’s symlink safety check only recognizes “/” as a path separator, so the backslash-written “..” components are not seen as directory traversal and the target passes the check, even though it points outside the extraction directory.

The flaw resides in a function that converts backslashes (‘\’) to forward slashes (‘/’) so that RAR archives created on Windows can be extracted on Unix systems. Because this conversion runs after the symlink target has already been validated, a target that passed the check with backslashes is turned into a normal traversing path (“../../../tmp/shell”) when the link is created.
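The check-then-convert ordering described above, modelled as an added example. This is not code from SonarSource or RARLab: the function names (`is_relative_symlink_safe`, `dos_slash_to_unix`, `resolves_inside`) and the exact rules of the simplified safety check are assumptions chosen to show the ordering bug and its fix, not unrar’s real implementation, and the archive entries at the bottom are a constructed sample rather than a real RAR header dump.

```python
"""Model of the check-then-convert bug class behind CVE-2022-30333.

Added example, not code from SonarSource or RARLab: the function names and
the rules of the safety check are simplified assumptions that reproduce the
ordering bug, not unrar's real implementation.
"""
import posixpath
from typing import List, Optional, Tuple


def dos_slash_to_unix(path: str) -> str:
    """Rewrite Windows separators so archives built on Windows extract on Unix."""
    return path.replace("\\", "/")


def is_relative_symlink_safe(target: str) -> bool:
    """Simplified validator that, like a Unix build, only treats '/' as a
    separator: rejects absolute targets and any '..' path component."""
    if target.startswith("/"):
        return False
    return all(part != ".." for part in target.split("/"))


def vulnerable_link_target(target: str) -> Optional[str]:
    """Vulnerable ordering: validate the raw target, then convert separators.
    A target written with backslashes has no '/'-delimited '..' component,
    passes the check, and only becomes '../../..' after conversion."""
    if not is_relative_symlink_safe(target):
        return None
    return dos_slash_to_unix(target)


def hardened_link_target(target: str) -> Optional[str]:
    """Fixed ordering: canonicalise separators first, then validate."""
    converted = dos_slash_to_unix(target)
    if not is_relative_symlink_safe(converted):
        return None
    return converted


def resolves_inside(extract_root: str, link_name: str, target: str) -> bool:
    """Independent containment check: resolve the converted target relative to
    the directory the link lives in and require it to stay under the root.
    This catches traversal regardless of how the separator check is written."""
    root = posixpath.normpath(extract_root)
    link_dir = posixpath.dirname(posixpath.join(root, link_name))
    resolved = posixpath.normpath(posixpath.join(link_dir, dos_slash_to_unix(target)))
    return resolved == root or resolved.startswith(root + "/")


# Constructed sample of archive entries as (name, symlink target or None).
SAMPLE_ENTRIES: List[Tuple[str, Optional[str]]] = [
    ("docs/readme.txt", None),            # regular file
    ("link", "..\\..\\..\\tmp/shell"),     # symlink target ..\..\..\tmp/shell
    ("alias", "docs/readme.txt"),         # benign relative symlink
]


def escaping_entries(entries, extract_root: str = "/tmp/extract") -> List[str]:
    """Names of symlink entries whose target would leave extract_root."""
    return [
        name for name, target in entries
        if target is not None and not resolves_inside(extract_root, name, target)
    ]


if __name__ == "__main__":
    evil = "..\\..\\..\\tmp/shell"
    print("vulnerable ordering creates:", vulnerable_link_target(evil))
    print("hardened ordering creates:  ", hardened_link_target(evil))
    print("entries that escape:", escaping_entries(SAMPLE_ENTRIES))
```

The fix is only a reordering, which is why the patch was small and why the ordering deserves a regression test: `resolves_inside` is the belt-and-braces form, a containment check on the final resolved path rather than a pattern check on the raw string, and is the one to keep if the separator handling ever changes again.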

Once such a symlink exists, the attacker can write arbitrary files anywhere on the target filesystem, including dropping a JSP web shell into Zimbra’s web directory.

“An attacker can achieve RCE impact via various means. We mentioned for example, that an attacker could write a JSP shell into a web directory. Luckily, most Zimbra instances have their services distributed across multiple servers and thus this path of exploitation is not possible on most installations. However, we have reported multiple different paths of exploitation that work on distributed installations.” concludes the report. “For this reason we recommend upgrading unrar immediately, even if your web server and mail server are not on the same physical machine.”


Pierluigi Paganini

(SecurityAffairs – hacking, Zimbra)

