/CVE-2024-45519-PoC

CVE-2024-45519: unauthenticated OS command injection in Zimbra prior to 8.8.15***.


Download link here

Details:

What is journalling?
Journalling is a process used for email compliance or archiving purposes.
Insecure handling of email data results in unauthenticated command execution in the context of the zimbra user.
The vulnerability occurs only under a certain condition: journalling must be configured, which is not the default configuration.
However, given what journalling is used for, it is most likely configured by organizations.

About:

Process:
When rules are set for journalling emails, incoming emails are processed by the MTA (in Zimbra's case, Postfix).
When the MTA detects that an email matches the journal rules, it sends a copy of the email to the PostJournal service,
and PostJournal then captures the email data, including header, body, ...

A complete deep dive (zimbra.pdf) to understand the vulnerable code, the bypasses of the filters, and how it can be abused to achieve command injection.

A Python script (CVE-2024-45519.py) which triggers the vulnerability and executes a user-supplied command in the context of the zimbra user. It can run the command against a single target or multiple targets (IP list), with multi-threading capability.

Shodan dork: http.favicon.hash:1624375939
20k IPs are included here (ips.txt).
At the time of writing, Shodan returns 66k results.

Download: here