Thursday, 31 January 2019

RCE in ZenLoad Balancer

Last time we had the pleasure of checking some RCE(s) in Artica. This time I decided to try ZenLoad Balancer. Below you will find a few details...
I started with version zenloadbalancer-distro_3.10.1, but as you can read on SourceForge it has become Zevenet (latest version to check AFAIK):

(Unfortunately ;)) this time we need to be logged in as the 'admin' user (at first I was wondering if this is the same bug described by Rapid7, but it looks to be a different one, so far so good ;))

I started with a little 'warm-up' (read as: a quick check for some 'basic' XSS/SQLi bugs):

As you can see (on the screen above), my friend ;] the marquee tag was 'good enough' to let me know that there is something wrong with my ("sh:") syntax... I tried to fix that:

That was fast! New file in /tmp/ directory.

Checking with id command:

Last part to verify:

Looks like this is the end* :)

(* I tried a similar 'attack' on the 'latest' version - no luck this time. ;)
So... remember to update your host(s).)

The new version (which I also tried) is available here

Have fun (and remember to use it only for legal purposes).

