Last time we had the pleasure of checking some RCE(s) in Artica. This time I decided to try ZenLoad Balancer. Below you will find a few details...
I started with version zenloadbalancer-distro_3.10.1, but as you can read on SourceForge, it became Zevenet (latest version to check AFAIK):
(Unfortunately ;)) this time we need to be logged in as the 'admin' user (at first I was wondering if this is the same bug described by Rapid7, but it looks to be a different one, so good so far ;))
I started from a little 'warm-up' (read as: quick checking for some 'basic' XSS/SQLi bugs):
As you can see (on the screen above), my friend ;] marquee-tag was 'good enough' to let me know that there is something wrong with my ("sh:") syntax... I tried to fix that:
That was fast! New file in /tmp/ directory.
Checking with id command:
Last part to verify:
Looks like this is the end* :)
(* I tried to do some similar 'attack' on the 'latest' version - no luck this time. ;)
So... remember to update your host(s).)
New version (I also tried) is available here:
Have fun (and remember to use it only for legal purposes).