Zimbra Collaboration Suite PostJournal Command Injection Vulnerability Leading to Remote Code Execution

Vulnerability

A command injection vulnerability allowing remote code execution has been identified in Zimbra Collaboration Suite (ZCS) PostJournal service version 8.8.15. This vulnerability arises from improper sanitization of the RCPT TO parameter, which can be exploited through SMTP injection. Unauthenticated attackers can inject shell commands using shell expansion syntax, leading to arbitrary command execution under the Zimbra service context.

Impact

Exploitation of this vulnerability allows for full remote code execution on the server, with the potential for a complete server compromise. It also exposes email data, could lead to privilege escalation depending on system configuration, and allows for lateral movement within the network.

Reproduction

The vulnerability can be reproduced by sending an email through SMTP with a crafted RCPT TO parameter that includes injected shell commands. This can be done using a standard SMTP client or by scripting the process with a language like PHP. The injected commands are executed on the server, and if a reverse shell payload is used, a shell can be obtained on the attacker's machine.

Remediation

Until a patch is applied, it is recommended to block external SMTP access to the PostJournal component, apply strict sanitization rules for the RCPT TO field, monitor for suspicious SMTP activity, and restrict the privileges of the Zimbra service user.
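The RCPT TO sanitization and SMTP monitoring recommended above can be prototyped as a strict allow-list check. The following is an added example, not code from Zimbra or from this advisory. It assumes raw SMTP command lines as input (for example from a filtering proxy or a capture), and the function names, allow-list pattern and sample session are all constructed for illustration.

```python
import re

# Assumed input: raw SMTP command lines, e.g. from a proxy or packet capture.
RCPT_CMD = re.compile(r"^\s*RCPT\s+TO:\s*(.*)$", re.IGNORECASE)
# Allow-list: dot-atom local part and hostname-style domain. Quoted local
# parts are rejected on purpose; they can carry shell metacharacters.
SAFE_MAILBOX = re.compile(r"[A-Za-z0-9._+=-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*")
# Characters a shell treats specially; reported to help triage a finding.
SHELL_CHARS = set("$`(){};|&<>\\\"'*?![]~# \t")

def extract_rcpt(line):
    """Return the mailbox from a RCPT TO command, or None for other lines."""
    m = RCPT_CMD.match(line)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith("<") and ">" in rest:
        return rest[1:rest.rindex(">")]  # drop brackets and ESMTP parameters
    return rest

def classify(addr):
    """Return (verdict, offending_chars) for one mailbox string."""
    if SAFE_MAILBOX.fullmatch(addr):
        return "ok", ""
    bad = "".join(sorted(set(addr) & SHELL_CHARS))
    return ("shell-metachar", bad) if bad else ("malformed", "")

def scan(lines):
    """Return (line_number, verdict, chars) for every rejected RCPT TO."""
    findings = []
    for n, line in enumerate(lines, 1):
        addr = extract_rcpt(line)
        if addr is None:
            continue
        verdict, chars = classify(addr)
        if verdict != "ok":
            findings.append((n, verdict, chars))
    return findings

# Constructed sample session; the recipient values are illustrative only.
SAMPLE = [
    "EHLO client.example",
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.org>",
    'RCPT TO:<"aabbb$(PLACEHOLDER)@example.org">',
    "RCPT TO:<carol..@@example.org>",
    "rcpt to:<dave+tag@mail.example.org> NOTIFY=NEVER",
]
```

Rejecting on the allow-list rather than matching known-bad strings means an unfamiliar encoding of the same injection is still refused.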

Added: Mar 24, 2026, 4:39 PM
Updated: Mar 24, 2026, 4:39 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 10.0
exploitability: 9.7
remediation: 7.9
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.