Vulnerabilities > CVE-2013-0232 - Unspecified vulnerability in Zoneminder

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
zoneminder
nessus
exploit available
metasploit
NVD
Published: 2013-03-20
Updated: 2013-08-29

Summary

includes/functions.php in ZoneMinder Video Server 1.24.0, 1.25.0, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) runState parameter in the packageControl function; or (2) key or (3) command parameter in the setDeviceStatusX10 function.

Vulnerable Configurations

Part Description Count
Application
Zoneminder
6

Exploit-Db

descriptionZoneMinder Video Server packageControl Command Execution. CVE-2013-0232,CVE-2013-0332. Remote exploit for unix platform
fileexploits/unix/remote/24310.rb
idEDB-ID:24310
last seen2016-02-02
modified2013-01-24
platformunix
port
published2013-01-24
reportermetasploit
sourcehttps://www.exploit-db.com/download/24310/
titleZoneMinder Video Server packageControl Command Execution
typeremote

Metasploit

descriptionThis module exploits a command execution vulnerability in ZoneMinder Video Server version 1.24.0 to 1.25.0 which could be abused to allow authenticated users to execute arbitrary commands under the context of the web server user. The 'packageControl' function in the 'includes/actions.php' file calls 'exec()' with user controlled data from the 'runState' parameter.
idMSF:EXPLOIT/UNIX/WEBAPP/ZONEMINDER_PACKAGECONTROL_EXEC
last seen2020-06-01
modified2019-01-10
published2013-01-22
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/zoneminder_packagecontrol_exec.rb
titleZoneMinder Video Server packageControl Command Execution

Nessus

NASL familyDebian Local Security Checks
NASL idDEBIAN_DSA-2640.NASL
descriptionMultiple vulnerabilities were discovered in zoneminder, a Linux video camera security and surveillance solution. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2013-0232 Brendan Coles discovered that zoneminder is prone to an arbitrary command execution vulnerability. Remote (authenticated) attackers could execute arbitrary commands as the web server user. - CVE-2013-0332 zoneminder is prone to a local file inclusion vulnerability. Remote attackers could examine files on the system running zoneminder.
last seen2020-03-17
modified2013-03-15
plugin id65556
published2013-03-15
reporterThis script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/65556
titleDebian DSA-2640-1 : zoneminder - several issues
code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-2640. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(65556);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2013-0232", "CVE-2013-0332");
  script_bugtraq_id(48949, 57544);
  script_xref(name:"DSA", value:"2640");

  script_name(english:"Debian DSA-2640-1 : zoneminder - several issues");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Multiple vulnerabilities were discovered in zoneminder, a Linux video
camera security and surveillance solution. The Common Vulnerabilities
and Exposures project identifies the following problems :

  - CVE-2013-0232
    Brendan Coles discovered that zoneminder is prone to an
    arbitrary command execution vulnerability. Remote
    (authenticated) attackers could execute arbitrary
    commands as the web server user.

  - CVE-2013-0332
    zoneminder is prone to a local file inclusion
    vulnerability. Remote attackers could examine files on
    the system running zoneminder."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698910"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700912"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2013-0232"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2013-0332"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/squeeze/zoneminder"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2013/dsa-2640"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the zoneminder packages.

For the stable distribution (squeeze), these problems have been fixed
in version 1.24.2-8+squeeze1."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'ZoneMinder Video Server packageControl Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:zoneminder");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2013/03/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/03/15");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"6.0", prefix:"zoneminder", reference:"1.24.2-8+squeeze1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

References