Dark ozpy

When the Zimbra XXE and SSRF vulnerability was found and published by tint0 on his blog, I actively did the R&D to reproduce it using Burp Suite and Postman. The result was that the CVE was working, so I broadcast it to my team for an upgrade ASAP, because at that time, if anyone published the exploit, it could lead to RCE (remote code execution), which allows a lot of things such as planting a backdoor, etc.

Then I created a script to automate scanning for several Zimbra vulnerabilities (thanks to Shodan and Google dorks); if one is found, I fetch some information and a PoC, and after that I send them an email like this.

Some of them replied with appreciation (I also guided them through patching), and a lot of them ignored it :D. My purpose in doing this is purely not for profit, just to raise awareness. Then the day comes when the vulnerability is published on exploit-db, and they are screaming.

Here's a part of my automation script, built by extending my own Python Zimbra SOAP API library, ozpy.

What I Learned

These are some points I learned from this CVE for my Zimbra implementation:
  • Consider separating the user-facing endpoint servers, such as the proxy (webmail, IMAP, POP3) and the SMTP servers (submission, SMTPS), from the mailbox server by using a multi-server architecture.
  • Open Internet or public access only for the servers that need it. The mailbox server does not need it. A DMZ may be a good option.
  • Monitor all community forums and mailing lists for the latest news.
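To make the first two lessons concrete, here is an added example (my own code, not part of the original post and not part of ozpy) that audits an inventory of Zimbra hosts against one simple rule: only proxy and MTA roles may be reachable from the Internet, and only on their service ports, so a mailbox server, or an all-in-one box that also carries the mailbox role, answering from the Internet gets flagged, as does any host exposing the admin console or other internal-only ports. The port numbers are the common Zimbra defaults and are an assumption; the host inventory is constructed for the demo.

```python
"""Exposure audit for a Zimbra multi-server layout (added example, not from
the original post or from ozpy). Port numbers are assumed Zimbra defaults;
the inventory below is constructed for the demo."""
from dataclasses import dataclass

# Ports each role is expected to expose to the Internet (assumed defaults).
PUBLIC_PORTS_BY_ROLE = {
    "proxy": {80, 443, 143, 993, 110, 995},  # webmail, IMAP/IMAPS, POP3/POP3S
    "mta": {25, 465, 587},                   # SMTP, SMTPS, submission
    "mailbox": set(),                        # never Internet-facing
}

# Ports that must never be reachable from the Internet on any role:
# admin console, LMTP, mailstore HTTPS, LDAP (assumed defaults).
INTERNAL_ONLY_PORTS = {7071, 7025, 8443, 389, 636}


@dataclass
class Host:
    name: str
    roles: set          # subset of PUBLIC_PORTS_BY_ROLE keys
    public_ports: set   # ports observed reachable from the Internet


def audit(hosts):
    """Return a list of (host name, finding) tuples for policy violations."""
    findings = []
    for h in hosts:
        unknown = h.roles - PUBLIC_PORTS_BY_ROLE.keys()
        if unknown:
            raise ValueError(f"{h.name}: unknown role(s) {sorted(unknown)}")

        # Lesson 2: a mailbox server has no business answering from the Internet.
        if "mailbox" in h.roles and h.public_ports:
            findings.append((h.name, "mailbox role reachable from the Internet "
                                     f"on ports {sorted(h.public_ports)}"))
            continue

        allowed = set().union(*(PUBLIC_PORTS_BY_ROLE[r] for r in h.roles))

        # Internal-only services leaking through the perimeter.
        for p in sorted(h.public_ports & INTERNAL_ONLY_PORTS):
            findings.append((h.name, f"internal-only port {p} exposed"))

        # Anything else not justified by the host's roles.
        for p in sorted(h.public_ports - allowed - INTERNAL_ONLY_PORTS):
            findings.append((h.name, f"port {p} exposed but not part of "
                                     f"role(s) {sorted(h.roles)}"))
    return findings


# Constructed inventory: one clean proxy, an MTA leaking the admin console,
# a mailbox server exposed directly, and a single-server install.
SAMPLE_HOSTS = [
    Host("proxy1", {"proxy"}, {443, 993, 995}),
    Host("mta1", {"mta"}, {25, 587, 7071}),
    Host("mbox1", {"mailbox"}, {8443, 7025}),
    Host("allinone", {"proxy", "mta", "mailbox"}, {443, 25}),
]


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_HOSTS):
        print(f"[!] {name}: {finding}")
```

The `continue` after the mailbox check is deliberate: once a mailbox server is reachable at all, listing its individual ports adds noise rather than signal, and the fix is the same either way (move it behind the proxy/MTA tier or into a DMZ-facing role it actually needs).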
