zoneminder: CVE-2013-0232: arbitrary command execution vulnerability

Debian Bug report logs - #698910
zoneminder: CVE-2013-0232: arbitrary command execution vulnerability

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: zoneminder: arbitrary command execution vulnerability

Date: Fri, 25 Jan 2013 07:44:40 +0100

Source: zoneminder
Severity: grave
Tags: security
Justification: user security hole

Hi

The following arbitrary command execution vulnerability was disclosed
for zoneminder:

 http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/

Regards,
Salvatore

Message #14 received at 698910@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 698910@bugs.debian.org

Subject: Re: Bug#698910: zoneminder: arbitrary command execution vulnerability

Date: Sun, 27 Jan 2013 17:43:13 +0100

Some additional information: In most usual cases where zoneminder is
set up, there should be authentication first. So this limits somehow
the vulnerability.

There is also a forum post on this, but still witout reply:

  http://www.zoneminder.com/forums/viewtopic.php?f=29&t=20771

Regards,
Salvatore

Message #23 received at 698910@bugs.debian.org (full text, mbox, reply):

From: James McCoy <jamessan@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 698910@bugs.debian.org

Subject: Re: Bug#698910: zoneminder: arbitrary command execution vulnerability

Date: Sun, 10 Feb 2013 10:25:27 -0500

[Message part 1 (text/plain, inline)]

Control: tag -1 patch

On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote:
> Some additional information: In most usual cases where zoneminder is
> set up, there should be authentication first. So this limits somehow
> the vulnerability.

The attached patch should address the issue, but I don't have a setup to
test.

Cheers,
-- 
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy <jamessan@debian.org>

[cve-2013-0232.patch (text/x-diff, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #30 received at 698910@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: James McCoy <jamessan@debian.org>

Cc: 698910@bugs.debian.org

Subject: Re: Bug#698910: zoneminder: arbitrary command execution vulnerability

Date: Sun, 10 Feb 2013 22:24:42 +0100

Hi James

Disclaimer: Only did a quick check.

On Sun, Feb 10, 2013 at 10:25:27AM -0500, James McCoy wrote:
> Control: tag -1 patch
> 
> On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote:
> > Some additional information: In most usual cases where zoneminder is
> > set up, there should be authentication first. So this limits somehow
> > the vulnerability.
> 
> The attached patch should address the issue, but I don't have a setup to
> test.

I rebuilded the package with your patch and tested it shortly in a VM
installing zoneminder. It now does not seem possible anymore to inject
a command to be executed with webserver user rights.

Thanks for working on this James.

Regards,
Salvatore

Message #35 received at 698910@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: James McCoy <jamessan@debian.org>, 698910@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#698910: zoneminder: arbitrary command execution vulnerability

Date: Mon, 11 Feb 2013 23:03:32 +0100

[Message part 1 (text/plain, inline)]

Hi

On Sun, Feb 10, 2013 at 10:25:27AM -0500, James McCoy wrote:
> On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote:
> > Some additional information: In most usual cases where zoneminder is
> > set up, there should be authentication first. So this limits somehow
> > the vulnerability.
> 
> The attached patch should address the issue, but I don't have a setup to
> test.

The patches look they address the issue mentioned. What I've done:

 - Build both for Squeeze and unstable (debdiffs attached)

- Installed zoneminder in a VM, confirmed that for both stable and
   unstable version zoneminder is vulnerable.

- Installed the patched packages to verifiy the vulnerability.

NOTE: I was not able to test setDeviceStatusX10 part, but the code fix
is going the same by James:

> +--- a/web/includes/functions.php
> ++++ b/web/includes/functions.php
> +@@ -905,7 +905,7 @@
> + 
> + function packageControl( $command )
> + {
> +-    $string = ZM_PATH_BIN."/zmpkg.pl $command";
> ++    $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command );
> +     $string .= " 2>/dev/null >&- <&- >/dev/null";
> +     exec( $string );
> + }
> +@@ -2145,7 +2145,8 @@
> +     else
> +     {
> +         // Can't connect so use script
> +-        $command = ZM_PATH_BIN."/zmx10.pl --command $status --unit-code $key";
> ++        $command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( $status );
> ++        $command .= ' --unit-code '.escapeshellarg( $key );
> +         //$command .= " 2>/dev/null >&- <&- >/dev/null";
> +         $x10Response = exec( $command );
> +     }

Security Team, how to proceed? Can/will a DSA be released for it?

Regards,
Salvatore

[zoneminder_1.24.2-8+squeeze1.debdiff (text/plain, attachment)]

[zoneminder_1.25.0-3.1.debdiff (text/plain, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #40 received at 698910@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: James McCoy <jamessan@debian.org>, 698910@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#698910: zoneminder: arbitrary command execution vulnerability

Date: Mon, 11 Feb 2013 23:41:13 +0100

On Mon, Feb 11, 2013 at 11:03:32PM +0100, Salvatore Bonaccorso wrote:
> Hi
> 
> On Sun, Feb 10, 2013 at 10:25:27AM -0500, James McCoy wrote:
> > On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote:
> > > Some additional information: In most usual cases where zoneminder is
> > > set up, there should be authentication first. So this limits somehow
> > > the vulnerability.
> > 
> > The attached patch should address the issue, but I don't have a setup to
> > test.
> 
> The patches look they address the issue mentioned. What I've done:
> 
>  - Build both for Squeeze and unstable (debdiffs attached)
> 
> - Installed zoneminder in a VM, confirmed that for both stable and
>    unstable version zoneminder is vulnerable.
> 
> - Installed the patched packages to verifiy the vulnerability.
> 
> NOTE: I was not able to test setDeviceStatusX10 part, but the code fix
> is going the same by James:
> 
> Security Team, how to proceed? Can/will a DSA be released for it?

We should fix this in a DSA. 

Vagrant, James or Peter, can you do real-world testing of the proposed squeeze
package?

Cheers,
        Moritz

Message #45 received at 698910@bugs.debian.org (full text, mbox, reply):

From: Peter Howard <pjh@northern-ridge.com.au>

To: Salvatore Bonaccorso <carnil@debian.org>, 698910@bugs.debian.org

Cc: James McCoy <jamessan@debian.org>, team@security.debian.org

Subject: Re: Bug#698910: zoneminder: arbitrary command execution vulnerability

Date: Tue, 12 Feb 2013 09:41:46 +1100

[Message part 1 (text/plain, inline)]

On Mon, 2013-02-11 at 23:03 +0100, Salvatore Bonaccorso wrote:
> Hi
> 
> On Sun, Feb 10, 2013 at 10:25:27AM -0500, James McCoy wrote:
> > On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote:
> > > Some additional information: In most usual cases where zoneminder is
> > > set up, there should be authentication first. So this limits somehow
> > > the vulnerability.
> > 
> > The attached patch should address the issue, but I don't have a setup to
> > test.
> 
> The patches look they address the issue mentioned. What I've done:
> 
>  - Build both for Squeeze and unstable (debdiffs attached)
> 
> - Installed zoneminder in a VM, confirmed that for both stable and
>    unstable version zoneminder is vulnerable.
> 
> - Installed the patched packages to verifiy the vulnerability.
> 
> NOTE: I was not able to test setDeviceStatusX10 part, but the code fix
> is going the same by James:
> 
> > +--- a/web/includes/functions.php
> > ++++ b/web/includes/functions.php
> > +@@ -905,7 +905,7 @@
> > + 
> > + function packageControl( $command )
> > + {
> > +-    $string = ZM_PATH_BIN."/zmpkg.pl $command";
> > ++    $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command );
> > +     $string .= " 2>/dev/null >&- <&- >/dev/null";
> > +     exec( $string );
> > + }
> > +@@ -2145,7 +2145,8 @@
> > +     else
> > +     {
> > +         // Can't connect so use script
> > +-        $command = ZM_PATH_BIN."/zmx10.pl --command $status --unit-code $key";
> > ++        $command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( $status );
> > ++        $command .= ' --unit-code '.escapeshellarg( $key );
> > +         //$command .= " 2>/dev/null >&- <&- >/dev/null";
> > +         $x10Response = exec( $command );
> > +     }
> 
> Security Team, how to proceed? Can/will a DSA be released for it?
> 

Better late than never . . . 

Sorry for leaving this (zoneminder has slipped down my focus list in
recent times) . . . I can apply the patch to the (debian) zoneminder
repo and have an updated package out quickly.  However I've never had
upload rights; I've always gone through an intermediary for the final
upload.  So what's the easiest way forward - I just get it uploaded in
my normal way, I leave it for a security release, or "other"?

Also, I assume I need to get an updated 1.24.2 release too?


> Regards,
> Salvatore

-- 
Peter Howard <pjh@northern-ridge.com.au>

[signature.asc (application/pgp-signature, inline)]

Message #50 received at 698910@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@debian.org>

To: Moritz Mühlenhoff <jmm@inutil.org>, 698910@bugs.debian.org

Cc: Salvatore Bonaccorso <carnil@debian.org>, James McCoy <jamessan@debian.org>, team@security.debian.org, Peter Howard <pjh@northern-ridge.com.au>

Subject: Re: Bug#698910: zoneminder: arbitrary command execution vulnerability

Date: Mon, 11 Feb 2013 15:29:05 -0800

On Mon, Feb 11, 2013 at 11:41:13PM +0100, Moritz Mühlenhoff wrote:
> On Mon, Feb 11, 2013 at 11:03:32PM +0100, Salvatore Bonaccorso wrote:
> > On Sun, Feb 10, 2013 at 10:25:27AM -0500, James McCoy wrote:
> > > On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote:
...
> > The patches look they address the issue mentioned. What I've done:
> > 
> >  - Build both for Squeeze and unstable (debdiffs attached)
> > 
> > - Installed zoneminder in a VM, confirmed that for both stable and
> >    unstable version zoneminder is vulnerable.
> > 
> > - Installed the patched packages to verifiy the vulnerability.
> > 
> > NOTE: I was not able to test setDeviceStatusX10 part, but the code fix
> > is going the same by James:
> > 
> > Security Team, how to proceed? Can/will a DSA be released for it?
> 
> We should fix this in a DSA. 
> 
> Vagrant, James or Peter, can you do real-world testing of the proposed squeeze
> package?

I should be able to dedicate some time to testing on squeeze and wheezy and
hopefully upload tomorrow, although I don't have a setup where I can test the
setDeviceStatusX10 part either.

Peter, if you have some time to get the VCS repository ready and do some
testing, I'd be more confident in being able to upload.

Thanks everyone for the looking into this issue, and especially the patch.

live well,
  vagrant

Message #55 received at 698910-close@bugs.debian.org (full text, mbox, reply):

From: Peter Howard <pjh@northern-ridge.com.au>

To: 698910-close@bugs.debian.org

Subject: Bug#698910: fixed in zoneminder 1.25.0-4

Date: Tue, 12 Feb 2013 20:48:51 +0000

Source: zoneminder
Source-Version: 1.25.0-4

We believe that the bug you reported is fixed in the latest version of
zoneminder, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 698910@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Howard <pjh@northern-ridge.com.au> (supplier of updated zoneminder package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 12 Jun 2013 12:02:10 +1000
Source: zoneminder
Binary: zoneminder
Architecture: source i386
Version: 1.25.0-4
Distribution: unstable
Urgency: high
Maintainer: Peter Howard <pjh@northern-ridge.com.au>
Changed-By: Peter Howard <pjh@northern-ridge.com.au>
Description: 
 zoneminder - Linux video camera security and surveillance solution
Closes: 698910
Changes: 
 zoneminder (1.25.0-4) unstable; urgency=high
 .
   * Add CVE-2013-0232 patch
     [SECURITY] CVE-2013-0232: Shell escape commands with untrusted content.
     Thanks to James McCoy <jamessan@debian.org> (Closes: #698910)
     Thanks also to Salvatore Bonaccorso <carnil@debian.org>
Checksums-Sha1: 
 24d52e754f16893c5e77ea0017da324881541344 2220 zoneminder_1.25.0-4.dsc
 b4fc7d566a9858b2b99fc8ae634848e4e84e073b 13809 zoneminder_1.25.0-4.debian.tar.gz
 6cdf453c884f85a9fe6ddcbbf250884c8afd1748 1906622 zoneminder_1.25.0-4_i386.deb
Checksums-Sha256: 
 a30c94dd96c0ac3c1b9127263fa81f6d0e96ef7b048b6cbb0b923532c78cd59b 2220 zoneminder_1.25.0-4.dsc
 03a655a9a3af5dbec2612a99041ab16639556c660ecddad526def49ef1b1cc0d 13809 zoneminder_1.25.0-4.debian.tar.gz
 dbd70731bfe632b5e8fc210f5608c47b32c25bbd90746a838e34387dcda41c25 1906622 zoneminder_1.25.0-4_i386.deb
Files: 
 f7c61ec1053b5a8984fbe268c6e48561 2220 net optional zoneminder_1.25.0-4.dsc
 8bdab9d4255711d0bd4ceafec9779dd0 13809 net optional zoneminder_1.25.0-4.debian.tar.gz
 9bbc8a61a11fc4665e9d917de3518068 1906622 net optional zoneminder_1.25.0-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJRGp2rAAoJELeLgtSBS5G2kLgQAIJq88uregRlbv/10WAAAtHj
Z9YqZiBXWffvP1ed1J9kD3DojvboQ6ewyDbfyFRS0UqMCbJvy70Qbqqj7U9fZANW
hGn60c6XWZyNDxGW8gGQwWez3EcU3s6LrJqIbdFnKNHz1ljCabXU7tXIcWB6k6wn
igz8qUdC0ZYGMgOxOyCXZ/qMv+lj+wFy7ee3JwE7dZfzsmh45Je3+rl8RCPyeZkh
SZB1DyIAq4HSn1JIkauSBJXHn0Jhzafem71iVJdA0F7SaN1VzQRY5POZ8xtM3V+x
CVJIk/n1p/Gg/8OpgWOF9/JgcmL8t1I69b6xPl5k0XtufIVtR9j2zVzK7oOnXMhU
xrNxdPGqobOBUM/qnVJ6+tsc6ydp0t8iZOpVESxKW3kIFPFDRldTLz/7+1oBSLpi
/A1s8dTdw451KoVH33c32j5lgZwcYWQD0xN1KZYRR8B45vTuIsrpb4c3KjSH0go+
WUdoBHDGa7JVPxky7Y28+wH044ORleqrOy9kucvtBudRF00BdGpl7UUvemmoTGCi
vrxDq1Y649btnRK0azEyGBtkatGgmrWfD+ddmxE2/td1ShIPKMuZyBt2FQjSzdvn
pQMapYguU0jotvniiw4SBgUP47q3L9aNg6lawjt+yTgD3ieroODDWTfFjzzHiB9h
iy0CyGr067FqOOOJkUDG
=TrZb
-----END PGP SIGNATURE-----

Message #60 received at 698910@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@debian.org>

To: 698910@bugs.debian.org

Cc: Moritz Mühlenhoff <jmm@inutil.org>, team@security.debian.org, Peter Howard <pjh@northern-ridge.com.au>

Subject: Re: Bug#698910: zoneminder: arbitrary command execution vulnerability

Date: Thu, 14 Feb 2013 11:35:31 -0800

On Mon, Feb 11, 2013 at 03:29:05PM -0800, Vagrant Cascadian wrote:
> On Mon, Feb 11, 2013 at 11:41:13PM +0100, Moritz Mühlenhoff wrote:
> > On Mon, Feb 11, 2013 at 11:03:32PM +0100, Salvatore Bonaccorso wrote:
> > > On Sun, Feb 10, 2013 at 10:25:27AM -0500, James McCoy wrote:
> > > > On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote:

> > > Security Team, how to proceed? Can/will a DSA be released for it?
> > 
> > We should fix this in a DSA. 
> > 
> > Vagrant, James or Peter, can you do real-world testing of the proposed squeeze
> > package?
> 
> I should be able to dedicate some time to testing on squeeze and wheezy and
> hopefully upload tomorrow, although I don't have a setup where I can test the
> setDeviceStatusX10 part either.

Should already be fixed in sid, and soon hit wheezy.

I've prepared a security update for squeeze.

I've manually tested the security exploit described at:

  http://itsecuritysolutions.org/2013-01-22-ZoneMinder-Video-Server-arbitrary-command-execution-vulnerability/

Using:

  wget -O - 'http://127.0.0.1/zm/index.php?view=none&action=state&runState=start;nc+-l+-p+1337+-e+/bin/sh%26'

Which allowed a shell accessible via netcat on port 1337 with the version
present in squeeze (1.24.2-8).

With a package built with the patch applied, I was not able to reproduce this
problem. I haven't noticed any side-effects, running on a couple zoneminder 
machines for almost 24 hours...

diff -Nru zoneminder-1.24.2/debian/changelog zoneminder-1.24.2/debian/changelog
--- zoneminder-1.24.2/debian/changelog	2011-01-15 19:40:08.000000000 -0800
+++ zoneminder-1.24.2/debian/changelog	2013-02-13 16:04:34.000000000 -0800
@@ -1,3 +1,12 @@
+zoneminder (1.24.2-8+squeeze1) stable-security; urgency=high
+
+  * Add CVE-2013-0232 patch
+    [SECURITY] CVE-2013-0232: Shell escape commands with untrusted content.
+    Thanks to James McCoy <jamessan@debian.org> (Closes: #698910)
+    Thanks also to Salvatore Bonaccorso <carnil@debian.org>
+
+ -- Vagrant Cascadian <vagrant@debian.org>  Wed, 13 Feb 2013 15:49:34 -0800
+
 zoneminder (1.24.2-8) unstable; urgency=medium
 
   [ Vagrant Cascadian ]
diff -Nru zoneminder-1.24.2/debian/patches/cve-2013-0232 zoneminder-1.24.2/debian/patches/cve-2013-0232
--- zoneminder-1.24.2/debian/patches/cve-2013-0232	1969-12-31 16:00:00.000000000 -0800
+++ zoneminder-1.24.2/debian/patches/cve-2013-0232	2013-02-13 15:43:30.000000000 -0800
@@ -0,0 +1,24 @@
+From: James McCoy <jamessan@debian.org>
+Bug-Debian: http://bugs.debian.org/698910
+Subject: shell escape commands with untrusted content
+--- a/web/includes/functions.php
++++ b/web/includes/functions.php
+@@ -905,7 +905,7 @@
+ 
+ function packageControl( $command )
+ {
+-    $string = ZM_PATH_BIN."/zmpkg.pl $command";
++    $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command );
+     $string .= " 2>/dev/null >&- <&- >/dev/null";
+     exec( $string );
+ }
+@@ -2145,7 +2145,8 @@
+     else
+     {
+         // Can't connect so use script
+-        $command = ZM_PATH_BIN."/zmx10.pl --command $status --unit-code $key";
++        $command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( $status );
++        $command .= ' --unit-code '.escapeshellarg( $key );
+         //$command .= " 2>/dev/null >&- <&- >/dev/null";
+         $x10Response = exec( $command );
+     }
diff -Nru zoneminder-1.24.2/debian/patches/series zoneminder-1.24.2/debian/patches/series
--- zoneminder-1.24.2/debian/patches/series	2011-01-14 12:01:53.000000000 -0800
+++ zoneminder-1.24.2/debian/patches/series	2013-02-13 15:46:26.000000000 -0800
@@ -7,3 +7,4 @@
 suppported-typo
 use_libjs-mootools
 fix_v4l2_cameras_without_crop
+cve-2013-0232


Anything more needed for the security team? Which queue should it be uploaded
to?


live well,
  vagrant

Message #65 received at 698910@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Vagrant Cascadian <vagrant@debian.org>, 698910@bugs.debian.org

Cc: Moritz Mühlenhoff <jmm@inutil.org>, team@security.debian.org, Peter Howard <pjh@northern-ridge.com.au>

Subject: Re: Bug#698910: zoneminder: arbitrary command execution vulnerability

Date: Fri, 15 Feb 2013 21:05:08 +0100

Hi

(Hmm, strange I have not recieved this followup)

On Thu, Feb 14, 2013 at 11:35:31AM -0800, Vagrant Cascadian wrote:
> Which allowed a shell accessible via netcat on port 1337 with the version
> present in squeeze (1.24.2-8).
> 
> With a package built with the patch applied, I was not able to reproduce this
> problem. I haven't noticed any side-effects, running on a couple zoneminder 
> machines for almost 24 hours...

I can confirm this, I did the same on my testing. (but as said I was
not able to test the setDeviceStatusX10 part, but is fixed with same
approach).

Regards,
Salvatore

Message #70 received at 698910@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Vagrant Cascadian <vagrant@debian.org>, 698910@bugs.debian.org

Cc: Moritz Mühlenhoff <jmm@inutil.org>, team@security.debian.org, Peter Howard <pjh@northern-ridge.com.au>, 700912@bugs.debian.org

Subject: Re: Bug#698910: zoneminder: arbitrary command execution vulnerability

Date: Mon, 25 Feb 2013 12:28:33 +0100

Hi Vagrant and Peter

On Thu, Feb 14, 2013 at 11:35:31AM -0800, Vagrant Cascadian wrote:
> Anything more needed for the security team? Which queue should it be
> uploaded to?

Apologies for the delay. Could you also adress #700912 (CVE-2013-0332)
for the stable-security update.

I think we can proceed afterwards.

Thank you for preparing updated packages!

Regards,
Salvatore

Message #75 received at 698910@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: 698910@bugs.debian.org, Moritz Mühlenhoff <jmm@inutil.org>, team@security.debian.org, Peter Howard <pjh@northern-ridge.com.au>, 700912@bugs.debian.org

Subject: Re: Bug#698910: zoneminder: arbitrary command execution vulnerability

Date: Tue, 26 Feb 2013 17:41:52 -0800

On Mon, Feb 25, 2013 at 12:28:33PM +0100, Salvatore Bonaccorso wrote:
> On Thu, Feb 14, 2013 at 11:35:31AM -0800, Vagrant Cascadian wrote:
> > Anything more needed for the security team? Which queue should it be
> > uploaded to?
> 
> Apologies for the delay. Could you also adress #700912 (CVE-2013-0332)
> for the stable-security update.
> 
> I think we can proceed afterwards.

I've prepared an upload in the "squeeze" branch of the hg repository, which
required a little backporting of the patches, but haven't yet tested it... hope
to test tomorrow, or I may not get to it till the following week...

  http://anonscm.debian.org/hg/collab-maint/zoneminder/

or a debdiff:

diff -Nru zoneminder-1.24.2/debian/changelog zoneminder-1.24.2/debian/changelog
--- zoneminder-1.24.2/debian/changelog  2011-01-15 19:40:08.000000000 -0800
+++ zoneminder-1.24.2/debian/changelog  2013-02-26 17:20:05.000000000 -0800
@@ -1,3 +1,15 @@
+zoneminder (1.24.2-8+squeeze1) UNRELEASED; urgency=high
+
+  * Add CVE-2013-0232 patch
+    [SECURITY] CVE-2013-0232: Shell escape commands with untrusted content.
+    Thanks to James McCoy <jamessan@debian.org> (Closes: #698910)
+    Thanks also to Salvatore Bonaccorso <carnil@debian.org>
+  * Add CVE-2013-0332 patch
+    [SECURITY] CVE-2013-0332: local file inclusion (Closes: #700912).
+    Thanks to Salvatore Bonaccorso <carnil@debian.org> for the patch.
+
+ -- Vagrant Cascadian <vagrant@debian.org>  Tue, 26 Feb 2013 17:20:02 -0800
+
 zoneminder (1.24.2-8) unstable; urgency=medium

   [ Vagrant Cascadian ]
diff -Nru zoneminder-1.24.2/debian/patches/cve-2013-0232 zoneminder-1.24.2/debian/patches/cve-2013-0232
--- zoneminder-1.24.2/debian/patches/cve-2013-0232      1969-12-31 16:00:00.000000000 -0800
+++ zoneminder-1.24.2/debian/patches/cve-2013-0232      2013-02-26 16:55:03.000000000 -0800
@@ -0,0 +1,24 @@
+From: James McCoy <jamessan@debian.org>
+Bug-Debian: http://bugs.debian.org/698910
+Subject: shell escape commands with untrusted content
+--- a/web/includes/functions.php
++++ b/web/includes/functions.php
+@@ -905,7 +905,7 @@
+
+ function packageControl( $command )
+ {
+-    $string = ZM_PATH_BIN."/zmpkg.pl $command";
++    $string = ZM_PATH_BIN."/zmpkg.pl ".escapeshellarg( $command );
+     $string .= " 2>/dev/null >&- <&- >/dev/null";
+     exec( $string );
+ }
+@@ -2145,7 +2145,8 @@
+     else
+     {
+         // Can't connect so use script
+-        $command = ZM_PATH_BIN."/zmx10.pl --command $status --unit-code $key";
++        $command = ZM_PATH_BIN.'/zmx10.pl --command '.escapeshellarg( $status );
++        $command .= ' --unit-code '.escapeshellarg( $key );
+         //$command .= " 2>/dev/null >&- <&- >/dev/null";
+         $x10Response = exec( $command );
+     }
diff -Nru zoneminder-1.24.2/debian/patches/cve-2013-0332 zoneminder-1.24.2/debian/patches/cve-2013-0332
--- zoneminder-1.24.2/debian/patches/cve-2013-0332      1969-12-31 16:00:00.000000000 -0800
+++ zoneminder-1.24.2/debian/patches/cve-2013-0332      2013-02-26 17:18:18.000000000 -0800
@@ -0,0 +1,71 @@
+From: Salvatore Bonaccorso <carnil@debian.org>
+Bug-Debian: http://bugs.debian.org/700912
+Subject: CVE-2013-0332: local file inclusion vulnerability
+Bug-Upstream: http://www.zoneminder.com/forums/viewtopic.php?f=1&t=17979
+
+Backported r3483 and r3488 from upstream svn to fix CVE-2013-0332.
+
+Index: zoneminder/web/includes/functions.php
+===================================================================
+--- zoneminder.orig/web/includes/functions.php 2013-02-26 17:07:02.000000000 -0800
++++ zoneminder/web/includes/functions.php      2013-02-26 17:08:10.806977380 -0800
+@@ -2231,13 +2231,21 @@
+     return( rand( 1, 999999 ) );
+ }
+
++function detaintPath( $path )
++{
++    // Remove any absolute paths, or relative ones that want to go up
++    $path = preg_replace( '/\.\.+\/\/*/', '', $path );
++    $path = preg_replace( '/^\/\/*/', '', $path );
++    return( $path );
++}
++
+ function getSkinFile( $file )
+ {
+     global $skinBase;
+     $skinFile = false;
+     foreach ( $skinBase as $skin )
+     {
+-        $tempSkinFile = 'skins'.'/'.$skin.'/'.$file;
++        $tempSkinFile = detaintPath( 'skins'.'/'.$skin.'/'.$file );
+         if ( file_exists( $tempSkinFile ) )
+             $skinFile = $tempSkinFile;
+     }
+@@ -2250,7 +2258,7 @@
+     $skinFile = false;
+     foreach ( $skinBase as $skin )
+     {
+-        $tempSkinFile = 'skins'.'/'.$skin.'/'.$file;
++        $tempSkinFile = detaintPath( 'skins'.'/'.$skin.'/'.$file );
+         if ( file_exists( $tempSkinFile ) )
+             $skinFile = $tempSkinFile;
+     }
+Index: zoneminder/web/index.php
+===================================================================
+--- zoneminder.orig/web/index.php      2013-02-26 16:55:04.000000000 -0800
++++ zoneminder/web/index.php   2013-02-26 17:13:03.376428137 -0800
+@@ -96,10 +96,13 @@
+ require_once( 'includes/functions.php' );
+
+ if ( isset($_REQUEST['view']) )
+-    $view = validHtmlStr($_REQUEST['view']);
++    $view = detaintPath($_REQUEST['view']);
++
++if ( isset($_REQUEST['request']) )
++    $request = detaintPath($_REQUEST['request']);
+
+ if ( isset($_REQUEST['action']) )
+-    $action = validHtmlStr($_REQUEST['action']);
++    $action = detaintPath($_REQUEST['action']);
+
+ require_once( 'includes/actions.php' );
+
+@@ -108,7 +111,6 @@
+
+ if ( isset( $_REQUEST['request'] ) )
+ {
+-    $request = validHtmlStr($_REQUEST['request']);
+     foreach ( getSkinIncludes( 'ajax/'.$request.'.php', true, true ) as $includeFile )
+     {
+         if ( !file_exists( $includeFile ) )
diff -Nru zoneminder-1.24.2/debian/patches/series zoneminder-1.24.2/debian/patches/series
--- zoneminder-1.24.2/debian/patches/series     2011-01-14 12:01:53.000000000 -0800
+++ zoneminder-1.24.2/debian/patches/series     2013-02-26 16:56:45.000000000 -0800
@@ -7,3 +7,5 @@
 suppported-typo
 use_libjs-mootools
 fix_v4l2_cameras_without_crop
+cve-2013-0232
+cve-2013-0332


live well,
  vagrant

Message #80 received at 698910-close@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@debian.org>

To: 698910-close@bugs.debian.org

Subject: Bug#698910: fixed in zoneminder 1.24.2-8+squeeze1

Date: Sun, 17 Mar 2013 00:47:39 +0000

Source: zoneminder
Source-Version: 1.24.2-8+squeeze1

We believe that the bug you reported is fixed in the latest version of
zoneminder, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 698910@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vagrant Cascadian <vagrant@debian.org> (supplier of updated zoneminder package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 05 Mar 2013 11:29:20 -0800
Source: zoneminder
Binary: zoneminder
Architecture: source i386
Version: 1.24.2-8+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Peter Howard <pjh@northern-ridge.com.au>
Changed-By: Vagrant Cascadian <vagrant@debian.org>
Description: 
 zoneminder - Linux video camera security and surveillance solution
Closes: 698910 700912
Changes: 
 zoneminder (1.24.2-8+squeeze1) stable-security; urgency=high
 .
   * Add CVE-2013-0232 patch
     [SECURITY] CVE-2013-0232: Shell escape commands with untrusted content.
     Thanks to James McCoy <jamessan@debian.org> (Closes: #698910)
     Thanks also to Salvatore Bonaccorso <carnil@debian.org>
   * Add CVE-2013-0332 patch
     [SECURITY] CVE-2013-0332: local file inclusion (Closes: #700912).
     Thanks to Salvatore Bonaccorso <carnil@debian.org> for the patch.
Checksums-Sha1: 
 ae8f0f4b6efe78716884bc1e7c90d7540e953160 2163 zoneminder_1.24.2-8+squeeze1.dsc
 ea854c941b83374a352d7d794a4462e279fea487 965521 zoneminder_1.24.2.orig.tar.gz
 e48447bcbc7dff2fc0298df6bc945c228a2a3f02 16354 zoneminder_1.24.2-8+squeeze1.debian.tar.gz
 52df39684bdf4a824093307f08e4feb0f6089634 1452144 zoneminder_1.24.2-8+squeeze1_i386.deb
Checksums-Sha256: 
 fcf53e1f74a319e01b5ebc27bac5fbd6206361a1009bb71b838408375bd6a30a 2163 zoneminder_1.24.2-8+squeeze1.dsc
 fd8475138ccee8870534f1210a3d1e3e1990e963dd73146a6d310dc71c463dca 965521 zoneminder_1.24.2.orig.tar.gz
 49dc4eca5d00d895a66d69429624dbf1c6bcd292a24869ea198a1ac49a07113b 16354 zoneminder_1.24.2-8+squeeze1.debian.tar.gz
 076ea52707b213172ddde42420d27dc0de7d5c0d865651700d50d48af589a1f8 1452144 zoneminder_1.24.2-8+squeeze1_i386.deb
Files: 
 5948f712a603d4ea59dff82b3c0cd13d 2163 net optional zoneminder_1.24.2-8+squeeze1.dsc
 550d2f8f08852134028c3b1cf8fa437f 965521 net optional zoneminder_1.24.2.orig.tar.gz
 65fc0a8d14f672dd3c6cf8586abdf086 16354 net optional zoneminder_1.24.2-8+squeeze1.debian.tar.gz
 df954eec140564bac3f36dcb5c8e4fc9 1452144 net optional zoneminder_1.24.2-8+squeeze1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCgAGBQJRNlGIAAoJELeLgtSBS5G2j2UP/20Y4yz7on6jQvEZhh6AS7I0
rzGODYx9YZj/EJcUwlXR9g8dmrRnbFi8tpOOA+0EXUVqeJwOj3wq+ch+7aPYuzgK
/WKT3tp+H/qxcqXcKHD1+vDvDKds2qjRIBQHLev4pWqaqY+s8ocvne63oRqRKb9q
u3zdo3wn7nJoiPbQKvCB0SlQWxV5fGyOJ0YQ0CYOF2qjYViUEge0XUhCWi9IhudL
ukuQR+KSuAS4N2i8Z/+32edCBdOgBL9uYCsMJ5LUSi4A0m8g08O5Jghg6foClLAh
ur3JDAfmamBEHMvTw1+qfw1Ek3xwUjqjKXjlGpxOilvgCfOAVml3KY3JZ3rTE+5g
xA570W2oDEuFO7ZHxxzg5EMCI5gGlyJWDhs6u1gJbk8bbBz7bKCyvqduC+tK5www
XglushHPUGtOPuhFcbG5nHYklJL01S0nIPoFEXxAzjiPBp+URql7+EYMJGVfibHc
wTKFs1ks7TjjDrmQkyc0XJrZWvg3QQgGy5E2cxt8amBfuBEzR9pHTTzK95iO18cc
mKNE1vqc5q/cyjp+5IlIl9Pmjyg1UDrgz1exICbJTIZq/3XrNZCzlGHM367eOXeY
lVEOx7oJkwMZ5L0zQVwgn0bj8ui9A5w6FHiy9t6YEufhi+5BVAqSPJqQ4032tMv4
njXHyQV4scz8PdHjrcTF
=ZGx8
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.