Skip to content

Unauthenticated RCE in snapshots

Critical
connortechnology published GHSA-72rg-h4vf-29gr Feb 24, 2023

Package

zoneminder (ZoneMinder)

Affected versions

< 1.36.33, < 1.37.33

Patched versions

1.36.33, 1.37.33

Description

Impact

There's no permissions check on https://github.com/ZoneMinder/zoneminder/blob/master/web/includes/actions/snapshot.php#L25 and https://github.com/ZoneMinder/zoneminder/blob/master/web/includes/actions/snapshot.php#L36 is expecting an id to fetch an existing monitor but you can pass an object to create a new one instead. TriggerOn ends up calling shell_exec here

zoneminder/web/includes/Monitor.php

Lines 782 to 783 in 371f1ad

$cmd = getZmuCommand($cmd.' -m '.$this->{'Id'});
$output = shell_exec($cmd);
using the supplied Id

Patches

Fixed in 609b22a and 6ffd2bd aa495eda6be0f4d027283c6d5392e0c0dc07fb5d6.

We add validation to Monitor ID and require authentication before processing actions. In addition we validate Monitor ID before calling shell commands.

Workarounds

Apply patches manually.

Credit

UnblvR

Severity

Critical
10.0
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CVE ID

CVE-2023-26035

Weaknesses

No CWEs