ZoneMinder Video Server arbitrary command execution vulnerability

ZoneMinder Video Server version 1.24.0 to 1.25.0 allows authenticated remote attackers to execute arbitrary commands as the web server user.

Software

Software Link: http://www.zoneminder.com/

Vulnerable Versions: 1.24.0 - 1.25.0

Vendor Notification:

# 2013-01-22 # contacted vendor

# 2013-01-22 # advisory released

# 0x00 # Arbitrary Command Execution # Authenticated

The 'index.php' file executes arbitrary commands in the 'runState', 'key' and 'command' parameters.

The './includes/actions.php' file passes user supplied data from the 'runState' parameter to the 'packageControl( $command )' function on line 809:

The 'packageControl( $command )' function in './includes/functions.php' calls 'exec()' with the user supplied data at line 910:

The following proof of concept is available:

http://zoneminder.example.com/zm/index.php?view=none&action=state&runState=start;nc+-l+-p+1337+-e+/bin/sh%26

The './includes/actions.php' file passes user supplied data from the 'key' and 'command' parameters to the 'setDeviceStatusX10( $key, $status )' function on line 593:

The 'setDeviceStatusX10( $key, $status )' function in './includes/functions.php' calls 'exec()' with the user supplied data at line 2150:

An exploit is available here: https://github.com/rapid7/metasploit-framework/pull/1354

Reference

# OWASP: Code Injection

Appendix

[TXT] ZoneMinder Video Server v1.25.0 arbitrary command execution vulnerability