On Mon, 2013-02-11 at 23:03 +0100, Salvatore Bonaccorso wrote:
> Hi
> 
> On Sun, Feb 10, 2013 at 10:25:27AM -0500, James McCoy wrote:
> > On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote:
> > > Some additional information: In most usual cases where zoneminder is
> > > set up, there should be authentication first. So this limits somehow
> > > the vulnerability.
> > 
> > The attached patch should address the issue, but I don't have a setup to
> > test.
> 
> The patches look like they address the issue mentioned. What I've done:
> 
> - Built both for Squeeze and unstable (debdiffs attached)
> 
> - Installed zoneminder in a VM, confirmed that for both stable and
>    unstable version zoneminder is vulnerable.
> 
> - Installed the patched packages to verify the vulnerability.
> 
> NOTE: I was not able to test setDeviceStatusX10 part, but the code fix
> is going the same by James:
> 
> > +--- a/web/includes/functions.php
> > ++++ b/web/includes/functions.php
> > +@@ -905,7 +905,7 @@
> > + 
> > + function packageControl( $command )
> > + {
> > +-    $string = ZM_PATH_BIN."/zmpkg.pl $command";
> > ++    $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command );
> > +     $string .= " 2>/dev/null >&- <&- >/dev/null";
> > +     exec( $string );
> > + }
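Review bot: in packageControl(), `escapeshellarg( $command )` stops shell metacharacters, but a value beginning with `-` is still handed to zmpkg.pl as an option and any other unexpected string is passed through as the command. Suggest checking `$command` against the fixed set of commands the callers actually use before building `$string`, returning early otherwise, and keeping the quoting as a second layer.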
> > +@@ -2145,7 +2145,8 @@
> > +     else
> > +     {
> > +         // Can't connect so use script
> > +-        $command = ZM_PATH_BIN."/zmx10.pl --command $status --unit-code 
> > $key";
> > ++        $command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( 
> > $status );
> > ++        $command .= ' --unit-code '.escapeshellarg( $key );
> > +         //$command .= " 2>/dev/null >&- <&- >/dev/null";
> > +         $x10Response = exec( $command );
> > +     }
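Review bot: in the "Can't connect so use script" fallback, `$status` and `$key` are quoted but not validated, and the thread notes that this setDeviceStatusX10 path was not tested. Suggest rejecting values outside the forms the function expects before the `exec( $command )` call, and exercising this branch once with the connection failing to confirm the quoted arguments reach zmx10.pl intact.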
> 
> Security Team, how to proceed? Can/will a DSA be released for it?
> 

Better late than never . . . 

Sorry for leaving this (zoneminder has slipped down my focus list in
recent times) . . . I can apply the patch to the (debian) zoneminder
repo and have an updated package out quickly.  However I've never had
upload rights; I've always gone through an intermediary for the final
upload.  So what's the easiest way forward - I just get it uploaded in
my normal way, I leave it for a security release, or "other"?

Also, I assume I need to get an updated 1.24.2 release too?


> Regards,
> Salvatore

-- 
Peter Howard <p...@northern-ridge.com.au>
