0x00 Preface
---
This article documents the details of building a Zimbra vulnerability debugging environment from scratch.
0x01 Introduction
---
This article will cover the following:
- Enabling debug mode on Zimbra server
- Remote debugging using IDEA locally
- Common knowledge
0x02 Enabling Debug Mode on Zimbra Server
---
Reference materials:
https://github.com/Zimbra-Community/zimbra-tools/blob/master/java-debug-zimbra-intellij-ide.md
Detailed steps are as follows:
1. Stop Zimbra service
su zimbra |
2. Enable debug mode
su |
First backup zmmailboxdmgr here, then replace zmmailboxdmgr with zmmailboxdmgr.unrestricted
3. Add debug information
su zimbra |
Note:
You can also directly modify the mailboxd_java_options attribute value in /opt/zimbra/conf/localconfig.xml
4. Disable firewall
sudo ufw disable |
5. Restart service
zmcontrol start |
0x03 Local remote debugging using IDEA
---
1. Download jar files
When performing remote debugging locally using IDEA, the local and remote code must be consistent, meaning we need to obtain the zimbra-related jar files
Zimbra file locations:
- /opt/zimbra/common/jetty_home/lib/
- /opt/zimbra/common/jetty_home/lib/apache-jsp/
2. Batch import jar files
Create a new Java project, select File->Project Structure... in sequence, under Libraries choose New Project Library->Java, set it to c:\zimbrajar\
3. Add breakpoints
Open .class files under External Libraries->zimbrajar, add breakpoints at appropriate locations
4. Set remote debugging parameters
Select Add Configuration... from the top menu bar, choose Remote JVM Debug in the pop-up page, fill in the remote debugging parameters, parameter example:
-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8000 |
Select JDK version 5-8 for the JDK used
5. Enable Debug mode
Return to the IDEA main interface, select the configuration file just created, and click the Debug icon (shortcut Shift+F9)
If remote debugging executes successfully, the breakpoint icon will change, adding a checkmark
At this point, the Console page displays the following:
Connected to the target VM, address: ':', transport: 'socket' |
0x04 Common Knowledge
---
Zimbra uses the Jetty framework as its web container
When users access a JSP file, the server first parses the JSP file, which the JVM does not recognize, into a Java file, saved at the path: /opt/zimbra/jetty_base/work/zimbra/jsp/org/apache/jsp/
After each JSP file is successfully accessed, a JspServletWrapper instance is registered. We can view all registered JspServletWrapper instances by examining the request variable through the debugger, or enumerate them in the form of JSP files via reflection
JSP file code example:
<%@ page import="java.lang.reflect.Field" %> |
The reflection logic originates from debugging and tracing results; the implementation logic is not unique. Enumerating JspServletWrapper instances utilizes ConcurrentHashMap enumeration.
0x05 Summary
---
After setting up the Zimbra vulnerability debugging environment, we can proceed to study and research the vulnerabilities and the Jetty framework.