Zenoss 3.2.1 Multiple Security Vulnerabilities

There are multiple security vulnerabilities in Zenoss version 3.x to 4.1.70-1482 which may allow an attacker to take control of the software.

Software Link: http://www.zenoss.com/

Vendor Notification:

# 2012-03-20 # security@zenoss.com

# 2012-04-12 # vendor reply - patched in 4.1.70-1485

# 2012-07-30 # advisory released

Vulnerable Versions: 3.x to 4.1.70-1482

The following versions have been confirmed vulnerable:

# 3.0.3-903-x64

# 3.2.1-1326-x86_64 # latest stable

# 4.1.70-1482-x86_64 # alpha branch

Vulnerabilities

# Arbitrary Command Execution: [Requires Authorized Session]

The function "show_daemon_xml_configs(self, daemon, REQUEST=None)" at line 540 of "/opt/zenoss/Products/ZenModel/ZenossInfo.py" passes a user-supplied value in the "daemon" parameter to a "Popen()" call on lines 591 and 592:

This allows a malicious user with legitimate credentials (for an account with any level of Zenoss privileges) to execute arbitrary commands as the "zenoss" user.

The following proof of concept is available:

An exploit is available here: https://github.com/rapid7/metasploit-framework/pull/651
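As an added illustration (not Zenoss's code and not the PoC referenced above), the vulnerable pattern described in this section beside a hardened form: the raw "daemon" value interpolated into a shell command line versus an allowlisted name handed to Popen as an argv list with shell=False. The command template and the daemon names are assumptions for the example.

```python
import re
import subprocess

# Constructed illustration of a request parameter reaching Popen().
# NOT Zenoss's code: the command template and the allowlist are assumed.
CMD_TEMPLATE = "{daemon} genconf"
KNOWN_DAEMONS = frozenset({"zenhub", "zenping", "zenmodeler", "zenstatus"})
NAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def build_cmd_unsafe(daemon):
    """Vulnerable pattern: the raw parameter is interpolated into a string.

    With shell=True the shell re-parses this string, so any metacharacter
    in `daemon` becomes part of the command, not part of the daemon name.
    """
    return CMD_TEMPLATE.format(daemon=daemon)


def validate_daemon(daemon):
    """Hardened: accept only an exact, known daemon name; reject everything else."""
    if not isinstance(daemon, str) or not NAME_RE.match(daemon):
        raise ValueError("daemon name has an unexpected form")
    if daemon not in KNOWN_DAEMONS:
        raise ValueError("unknown daemon")
    return daemon


def build_argv_safe(daemon):
    """Hardened: validated name placed in an argv list, no shell string at all."""
    return [validate_daemon(daemon), "genconf"]


def run_safe(daemon, timeout=10):
    """Spawn with shell=False so argv elements are never re-parsed by a shell."""
    proc = subprocess.Popen(build_argv_safe(daemon), shell=False,
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = proc.communicate(timeout=timeout)
    return proc.returncode, out, err


if __name__ == "__main__":
    print(build_cmd_unsafe("zenping; true"))   # metacharacters pass straight through
    print(build_argv_safe("zenping"))          # ['zenping', 'genconf']
```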

# Arbitrary Command Execution: [Requires Authorized Session]

The Event Commands functionality allows a malicious user with legitimate credentials and "ZenManager" or "Manager" roles to execute arbitrary commands by creating an Event Command then creating an Event.

The following exploit is available:

# Stored Cross-Site Scripting (XSS): [Requires Authorized Session]

# Open Redirect: [Requires Authorized Session]

# Cross-Site Request Forgery (CSRF): [Requires Authorized Session]

# Directory Traversal: [Requires Authorized Session] [With "zenoss" Filesystem Permissions]

# Informational:

Reference

# OWASP: Command Injection

# OWASP: Cross-Site Scripting (XSS)

# OWASP: Cross-Site Request Forgery (CSRF)

# OWASP: Open Redirect

# OWASP: Path Traversal

# OWASP: Information Leakage

# OWASP: Full Path Disclosure

Appendix

[PoC] zenoss-3.2.1-reverse-shell.py

[TXT] Zenoss 3.2.1 Multiple Security Vulnerabilities