ZoneMinder Video Server arbitrary command execution vulnerability
ZoneMinder Video Server versions 1.24.0 to 1.25.0 allow authenticated remote attackers to execute arbitrary commands as the web server user.
Software
Software Link: http://www.zoneminder.com/
Vulnerable Versions: 1.24.0 - 1.25.0
Vendor Notification:
# 2013-01-22 # contacted vendor
# 2013-01-22 # advisory released
# 0x00 # Arbitrary Command Execution # Authenticated
The 'index.php' file executes arbitrary commands supplied in the 'runState', 'key' and 'command' parameters.
The './includes/actions.php' file passes user-supplied data from the 'runState' parameter to the 'packageControl( $command )' function on line 809:
The 'packageControl( $command )' function in './includes/functions.php' calls 'exec()' with the user-supplied data at line 910:
The following proof of concept is available:
The './includes/actions.php' file passes user-supplied data from the 'key' and 'command' parameters to the 'setDeviceStatusX10( $key, $status )' function on line 593:
The 'setDeviceStatusX10( $key, $status )' function in './includes/functions.php' calls 'exec()' with the user-supplied data at line 2150:
An exploit is available here: https://github.com/rapid7/metasploit-framework/pull/1354
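A mitigation sketch for the two 'exec()' sinks described above, added here as an example and not taken from ZoneMinder or from this advisory: each parameter is validated against a strict pattern or a fixed list before a command line is built, and is then quoted with escapeshellarg(). The binary paths, the helper names, and the assumptions that 'key' is numeric and 'command' is either on or off are hypothetical.

```php
<?php
// Added example, not ZoneMinder code. Both binary paths are placeholders.
const PKG_CONTROL_BIN = '/path/to/package-control'; // hypothetical
const X10_CONTROL_BIN = '/path/to/x10-control';     // hypothetical

// Accept only a short token of letters, digits, '_' and '-'.
// \A and \z anchor the whole string, so a trailing newline is rejected too.
function isSafeToken(string $value): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $value) === 1;
}

// Build the command line for a 'runState' value; null means "reject".
function buildPackageCommand(string $runState): ?string
{
    if (!isSafeToken($runState)) {
        return null;
    }
    // Quoting is defence in depth: the token has already been validated.
    return PKG_CONTROL_BIN . ' ' . escapeshellarg($runState);
}

// Build the command line for 'key' and 'command'; null means "reject".
// Assumption: device keys are numeric and the only commands are on/off.
function buildX10Command(string $key, string $command): ?string
{
    if (!ctype_digit($key) || !in_array($command, ['on', 'off'], true)) {
        return null;
    }
    return X10_CONTROL_BIN . ' ' . escapeshellarg($key)
        . ' ' . escapeshellarg($command);
}

// Constructed inputs: a plain token and one carrying shell metacharacters.
// Nothing is executed here; the loop only shows the accept/reject decision.
foreach (['restart', 'restart; echo injected'] as $runState) {
    $cmd = buildPackageCommand($runState);
    echo $cmd === null
        ? 'rejected: ' . var_export($runState, true) . "\n"
        : "accepted: $cmd\n";
}
foreach ([['7', 'on'], ['7', 'on | echo injected']] as [$key, $command]) {
    $cmd = buildX10Command($key, $command);
    echo $cmd === null ? "rejected X10 request\n" : "accepted: $cmd\n";
}
```

Validation has to happen on the server side in the code path that reaches 'exec()'; requiring authentication alone does not help, since the issue is exploitable by authenticated users.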