CVE-2023-26035 PoC — ZoneMinder vulnerable to Missing Authorization

Source
Associated Vulnerability
Title: ZoneMinder vulnerable to Missing Authorization (CVE-2023-26035)
Description: ZoneMinder is a free, open source closed-circuit television software application for Linux which supports IP, USB and analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenticated Remote Code Execution via Missing Authorization. There is no permission check on the snapshot action, which expects an id to fetch an existing monitor but can be passed an object to create a new one instead. TriggerOn ends up calling shell_exec using the supplied Id. This issue is fixed in versions 1.36.33 and 1.37.33.
Description
PoC script for CVE-2023-26035 (ZoneMinder 1.36.32)
Readme
# POC for CVE-2023-26035

> Works for ZoneMinder (Versions prior to 1.36.33 and 1.37.33)
- Vulnerability : Remote Code Execution (RCE)
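
For defenders triaging an inventory against the affected range stated above, here is an added example (not part of the original PoC repository) that checks a reported ZoneMinder version against the fix on its own release branch. The host names and version strings in `SAMPLE_INVENTORY` are constructed, and treating branches newer than 1.37 as fixed is an assumption.

```python
import re

# Fixed patch level per release branch, taken from the advisory text:
# "Versions prior to 1.36.33 and 1.37.33 are vulnerable".
FIXED_PATCH = {(1, 36): 33, (1, 37): 33}


def parse_version(text):
    """Extract (major, minor, patch) from strings such as '1.36.32' or 'v1.37.33-1'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """Return True when the version predates the fix on its own branch."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_PATCH:
        # Compare only within the branch: 1.37.10 sorts above 1.36.33
        # but is still older than the 1.37 fix.
        return patch < FIXED_PATCH[branch]
    # Branches older than 1.36 are "prior to 1.36.33".
    # Assumption: branches newer than 1.37 already carry the fix.
    return branch < min(FIXED_PATCH)


def triage(inventory):
    """Map each host to True (needs upgrade) or False (fixed release)."""
    return {host: is_affected(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical hosts and package versions).
SAMPLE_INVENTORY = {
    "cam-gw-01": "1.36.32",
    "cam-gw-02": "1.36.33",
    "cam-lab-01": "v1.37.10-1",
    "cam-lab-02": "1.37.33",
    "cam-old-01": "1.34.26",
}

if __name__ == "__main__":
    for host, affected in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'UPGRADE REQUIRED' if affected else 'fixed release'}")
```
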


# Usage

```bash
└─➜ python3 poc.py -h
usage: poc.py [-h] --target TARGET --cmd CMD
poc.py: error: the following arguments are required: --target, --cmd

```

## Curl 

- Before jumping to a reverse shell, try this first; if you get a hit, the service is vulnerable.

![curl](./imgs/curl.png)

## Reverse Shell

![revshell](./imgs/pwn.png)

# References : 

https://nvd.nist.gov/vuln/detail/CVE-2023-26035 <br />
https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/zoneminder_snapshots.rb

## NOTE
> This script is just an alternative version of the metasploit-framework script.