This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1: What is this vulnerability? (Essence + Consequences)
**Essence**: ZoneMinder suffers from a **Path Traversal** flaw in debug logs & language settings…
**Root Cause**: Improper validation of user input in the **default language option** and **debug log file** paths. **CWE**: Path Traversal (allows writing outside intended directories).
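A constructed illustration of the root cause described above, not ZoneMinder's own code: a user-supplied language setting or debug log name concatenated into a filesystem path, beside a hardened resolver that allowlists the value and confirms the resolved path stays inside its directory. The directory names and the set of installed languages are assumptions.

```python
import os

# Constructed directory layout for this example; not ZoneMinder's real paths.
LANG_DIR = "/var/www/zm/lang"
LOG_DIR = "/var/log/zm"


def language_file_unsafe(lang: str) -> str:
    """Bug pattern: a user-controlled setting is pasted into a path unchecked,
    so a value such as '../../../../tmp/x' selects a file outside LANG_DIR."""
    return f"{LANG_DIR}/{lang}.php"


def contained(path: str, base: str) -> bool:
    """True only if the normalised path (with '..' collapsed) stays under base."""
    base = os.path.realpath(base)
    real = os.path.realpath(path)
    return real == base or real.startswith(base + os.sep)


def language_file_safe(lang: str, installed: frozenset) -> str:
    """Hardened: accept only an installed language name, then re-check that the
    joined path cannot leave the language directory."""
    if lang not in installed:
        raise ValueError(f"unknown language: {lang!r}")
    path = os.path.join(LANG_DIR, f"{lang}.php")
    if not contained(path, LANG_DIR):
        raise ValueError("language path escapes the language directory")
    return path


def debug_log_safe(name: str) -> str:
    """Hardened: accept a bare file name only (no separators, no dot-files)
    and pin it under LOG_DIR, so the log can never be written elsewhere."""
    if not name or name != os.path.basename(name) or name.startswith("."):
        raise ValueError(f"invalid log file name: {name!r}")
    path = os.path.join(LOG_DIR, name)
    if not contained(path, LOG_DIR):
        raise ValueError("log path escapes the log directory")
    return path
```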
Q3: Who is affected? (Versions/Components)
**Affected**: ZoneMinder versions **before 1.36.13** and **before 1.37.11**. **Specifics**: Tested on v1.36.4 up to v1.36.12. **Context**: Open-source video surveillance system.
Q4: What can hackers do? (Privileges/Data)
**Attacker Actions**: Achieve **RCE** (Remote Command Execution). **Privileges**: Escalate privileges to execute arbitrary code. **Data**: Write files to the server filesystem via path traversal.
Q5: Is the exploitation threshold high? (Auth/Config)
**Threshold**: **Low/Medium**. Requires interaction with the **Language Settings** or **Debug Log** features. **Auth**: Likely requires at least basic access to the ZoneMinder web interface to modify these settings.
Q6: Is there a public Exp? (PoC/Wild Exploitation)
**Exploit**: **YES**. Public PoCs available on GitHub (e.g., OP3R4T0R, Sigm0n). **Status**: Active exploitation possible using provided Python scripts.
Q7: How to self-check? (Features/Scanning)
**Check**: Scan for ZoneMinder instances. **Test**: Attempt to manipulate the `Language` parameter or debug log paths with traversal sequences (`../`)…
**Fixed**: **YES**. Patched in **ZoneMinder 1.36.13** and **1.37.11**. **Commit**: See GitHub commit `9fee64b` for details. **Action**: Upgrade immediately.
Q9: What if no patch? (Workaround)
**Workaround**: If unpatched, **disable debug logging** and **restrict language selection** options. **Mitigation**: Apply WAF rules to block path traversal payloads in language/log parameters…
**Urgency**: **CRITICAL**. RCE + Path Traversal = High Impact. **Timeline**: Published April 2022, but PoCs are public. **Priority**: Patch immediately if running vulnerable versions. Don't wait!