ZEN Load Balancer v2.0 and v3.0-rc1 multiple vulnerabilities

ZEN Load Balancer v2.0 and v3.0-rc1 allow authenticated remote attackers to execute arbitrary commands as the 'root' user.

Software

Software Link: http://www.zenloadbalancer.com/

Vulnerable Versions: v2.0 and v3.0-rc1

Vendor Notification:

# 2012-09-14 # submitted bug report - id# 731546

# 2012-09-21 # no reply - advisory released

# 0x00 # Arbitrary Command Execution # Authenticated

The 'content2-2.cgi' file executes arbitrary user-supplied commands in the 'filelog' parameter.

The following proof of concept is available:

The 'content2-2.cgi' file executes arbitrary user-supplied commands in the 'nlines' parameter.

The following proof of concept is available:

The 'content3-2.cgi' file executes arbitrary user-supplied commands in the 'if' parameter. The following proof of concept is available:

An exploit is available here: https://github.com/rapid7/metasploit-framework/pull/817

# 0x01 # Arbitrary File Upload # Authenticated

The 'upload.cgi' file allows uploading arbitrary files.

The following proof of concept is available:

# 0x02 # Information Disclosure # Unauthenticated

The 'backup' and 'config' directories are world readable by default.

The 'global.conf' file discloses full file system paths, internal network IP addresses and the software version.

The 'backup' directory may contain backups of the web server configuration.

The following proof of concept is available:
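As an added defender-side example (not part of the original advisory), the following script scans web server access logs for the three issues above: values of the 'filelog', 'nlines' and 'if' parameters of 'content2-2.cgi' and 'content3-2.cgi' that fall outside a strict allow-list, and any successful read from the 'backup' or 'config' directories. The log lines, the allow-list patterns and the Combined Log Format layout are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (not taken from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - admin [21/Sep/2012:10:01:02 +0000] "GET /content2-2.cgi?filelog=global.log&nlines=50 HTTP/1.1" 200 812
10.0.0.9 - admin [21/Sep/2012:10:02:17 +0000] "GET /content2-2.cgi?filelog=global.log&nlines=50%3Bid HTTP/1.1" 200 913
10.0.0.9 - admin [21/Sep/2012:10:02:40 +0000] "GET /content3-2.cgi?if=eth0%3Bid HTTP/1.1" 200 440
10.0.0.7 - - [21/Sep/2012:10:03:05 +0000] "GET /config/global.conf HTTP/1.1" 200 2210
10.0.0.5 - admin [21/Sep/2012:10:04:00 +0000] "GET /content3-2.cgi?if=eth1 HTTP/1.1" 200 440
"""

# Assumed allow-lists for the parameters named in the advisory; anything else is flagged.
EXPECTED = {
    "content2-2.cgi": {"filelog": re.compile(r"^[\w.-]+$"), "nlines": re.compile(r"^\d+$")},
    "content3-2.cgi": {"if": re.compile(r"^[\w.:-]+$")},
}
# Directories the advisory reports as world readable by default.
EXPOSED_DIRS = ("/backup/", "/config/")

# Combined Log Format: source, ident, user, timestamp, method, target, status.
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def analyze_line(line):
    """Return a list of finding strings for one access log line (empty if clean)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    src, user, _ts, _method, target, status = m.groups()
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    findings = []
    # Successful read of a file under an exposed directory; note whether it was unauthenticated.
    if parts.path.startswith(EXPOSED_DIRS) and status == "200":
        who = "unauthenticated" if user == "-" else f"user {user}"
        findings.append(f"{src} ({who}) read {parts.path}")
    # parse_qs percent-decodes values, so shell metacharacters such as ';' are visible here.
    for param, allowed in EXPECTED.get(script, {}).items():
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            if not allowed.match(value):
                findings.append(f"{src} ({user}) {script} {param}={value!r} outside allow-list")
    return findings


def analyze_log(text):
    """Run analyze_line over every line of a log and collect the findings."""
    return [f for line in text.splitlines() for f in analyze_line(line)]
```

Running `analyze_log(SAMPLE_LOG)` on the constructed sample yields three findings: the two injected parameter values and the unauthenticated read of 'global.conf'.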

References

# OWASP: Information Leakage

# OWASP: Code Injection
