CVE-2013-0232
Published: 2013-03-20
Priority: P2 · 72 · high · 7.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Public exploit available
EPSS: 47.89% (98.7th percentile)
includes/functions.php in ZoneMinder Video Server 1.24.0, 1.25.0, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) runState parameter in the packageControl function; or (2) key or (3) command parameter in the setDeviceStatusX10 function.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | zoneminder | < zoneminder 1.25.0-4 (bookworm) | zoneminder 1.25.0-4 (bookworm) |
| zoneminder | zoneminder | — | — |
| zoneminder | zoneminder | >= 0 < 1.25.0-4 | 1.25.0-4 |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests to index.php containing `action=state` with shell metacharacters (`;`, `&`, `|`) in the `runState` parameter; this indicates exploitation of the packageControl command injection.
- Monitor HTTP POST requests to index.php containing shell metacharacters in the `key` or `command` parameters, which target the setDeviceStatusX10 function.
- Exploitation requires prior authentication; monitor for login attempts with default credentials (admin/admin) to ZoneMinder followed by POST requests to index.php with `action=state`.
- Detect ZoneMinder versions 1.24.x and 1.25.0 in HTTP responses as vulnerable targets; a response body matching `/v1.2(4\.\d+|5\.0)/` indicates a vulnerable instance.
- The vulnerability is exploitable only by authenticated users; unauthenticated exploitation is not possible.
- The default application path used by the Metasploit module is `/zm/`; installations at non-default paths will require adjusted detection rules.
- Executed commands run under the privileges of the web server user, not root; impact is bounded by the web server account's permissions.
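The detection points above can be turned into a small log-inspection routine. The following is an added example, not code from this page or from the ZoneMinder project: it assumes request records (method, path, URL-encoded body) exported from a WAF or audit log, since ordinary access logs do not retain POST bodies, and it uses constructed sample records. It flags shell metacharacters in the three parameters named in the advisory and checks response bodies against the version pattern given above.

```python
import re
from urllib.parse import parse_qs

# Parameters that reach exec() in the affected ZoneMinder functions (per the advisory).
WATCHED_PARAMS = ("runState", "key", "command")

# Shell metacharacters from the detection guidance; values are URL-decoded before matching.
META_RE = re.compile(r"[;&|`$]")

# Vulnerable-version banner pattern from the detection guidance (v1.24.x and v1.25.0).
VULN_VERSION_RE = re.compile(r"v1\.2(4\.\d+|5\.0)")

# Match index.php under any install prefix (/zm/ is only the Metasploit default).
INDEX_PATH_RE = re.compile(r"/index\.php$")


def inspect_request(method, path, body):
    """Return a list of finding strings for one request; empty means nothing suspicious."""
    findings = []
    if method.upper() != "POST" or not INDEX_PATH_RE.search(path):
        return findings
    params = parse_qs(body, keep_blank_values=True)  # decodes %3B -> ';' etc.
    action = params.get("action", [""])[0]
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if META_RE.search(value):
                findings.append(
                    f"shell metacharacter in parameter {name!r} (action={action!r}): {value!r}"
                )
    return findings


def banner_is_vulnerable(response_body):
    """True when a response body advertises a ZoneMinder version in the affected range."""
    return VULN_VERSION_RE.search(response_body) is not None


# Constructed sample records (hypothetical WAF export): (method, path, url-encoded body).
SAMPLE_REQUESTS = [
    ("POST", "/zm/index.php", "view=console&action=state&runState=stop"),
    ("POST", "/zm/index.php", "view=console&action=state&runState=stop%3Bid"),
    ("POST", "/zm/index.php", "view=device&action=device&key=A1&command=on"),
    ("POST", "/cams/index.php", "view=device&action=device&key=A1%7Cid&command=on"),
    ("GET", "/zm/index.php", "view=console&runState=stop%3Bid"),
]


def scan(requests=SAMPLE_REQUESTS):
    """Map record index -> findings for every record that produced at least one finding."""
    hits = {}
    for idx, (method, path, body) in enumerate(requests):
        findings = inspect_request(method, path, body)
        if findings:
            hits[idx] = findings
    return hits


if __name__ == "__main__":
    for idx, findings in scan().items():
        for line in findings:
            print(f"record {idx}: {line}")
    print("banner check:", banner_is_vulnerable("ZoneMinder v1.25.0"))
```

Only POST requests to index.php are inspected, so the GET record in the sample is ignored even though its query carries a metacharacter; a production rule should also account for GET delivery if the deployment accepts it.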
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
GHSA
GHSA-c4jr-gf6w-2x72: includes/functions
ghsa_unreviewed · 2022-05-05 · CVE-2013-0232 [HIGH]
OSV
CVE-2013-0232: includes/functions
osv · 2013-03-20 · CVSS 7.5 · [HIGH]
Debian
CVE-2013-0232: zoneminder - includes/functions.php in ZoneMinder Video Server 1.24.0, 1.25.0, and earlier al...
vendor_debian · 2013 · CVSS 7.5 · [HIGH]
Scope: local
- bookworm: resolved (fixed in 1.25.0-4)
- bullseye: resolved (fixed in 1.25.0-4)
- forky: resolved (fixed in 1.25.0-4)
- sid: resolved (fixed in 1.25.0-4)
- trixie: resolved (fixed in 1.25.0-4)
No detection rules found.
Exploit-DB
ZoneMinder Video Server - packageControl Command Execution (Metasploit)
exploitdb · 2013-01-24 · CVE-2013-0232

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'ZoneMinder Video Server packageControl Command Execution',
      'Description' => %q{
        This module exploits a command execution vulnerability in ZoneMinder Video
        Server version 1.24.0 to 1.25.0 which could be abused to allow
        authenticated users to execute arbitrary commands under the context of the
        web server user. The 'packageControl' function in the
        'includes/actions.php' file calls 'exec()' with user controlled data
        from the '
```
Metasploit
ZoneMinder Video Server packageControl Command Execution
This module exploits a command execution vulnerability in ZoneMinder Video Server version 1.24.0 to 1.25.0 which could be abused to allow authenticated users to execute arbitrary commands under the context of the web server user. The 'packageControl' function in the 'includes/actions.php' file calls 'exec()' with user controlled data from the 'runState' parameter.
Bugzilla
CVE-2013-0232 zoneminder: Arbitrary code execution due improper input sanitization in the 'setDeviceStatusX10' routine [fedora-all]
bugzilla · 2013-01-25 · CVSS 7.5 · [HIGH]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi no
Bugzilla
CVE-2013-0232 zoneminder: Arbitrary code execution due improper input sanitization in the 'setDeviceStatusX10' routine
bugzilla · 2013-01-25 · CVSS 7.5 · [HIGH]
A security flaw was found in the way ZoneMinder, a camera monitoring and analysis tool, sanitized user provided input in certain circumstances. A remote authenticated user could use this flaw to execute arbitrary code with the privileges of the user running the web server.
References:
[1] http://www.openwall.com/lists/oss-security/2013/01/25/6
[2] http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698910
Public PoC:
[4] https://github.com/rapid7/metasploit-framework/pull/1354
Discussion:
This issue affects the versions of the zoneminder package, as shipped wi
References:
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698910
- http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/
- http://www.debian.org/security/2013/dsa-2640
- http://www.exploit-db.com/exploits/24310
- http://www.openwall.com/lists/oss-security/2013/01/28/2
- http://www.osvdb.org/89529
- http://www.zoneminder.com/forums/viewtopic.php?f=29&t=20771