Session fixation in Zoneminder – Up to 1.36.12
|Title||Session fixation in Zoneminder – Up to 1.36.12|
|Affected products||Zoneminder – Up to 1.36.12|
|16/05/2022||Request for CVE ID|
Session fixation exists in ZoneMinder through 1.36.12 as an attacker can
poison a session cookie to the next logged-in user. This occurs because two cookies will be generated when a user successfully logs in; one of these two can be the poisoned one.
Session cookie function.
In this case session fixation occurs because two cookies will be generated when a user successfully logs in; one of these two can be the poisoned one. Analyzing the database, in the “Sessions” table, we can see that both of the cookies created are valid and as you can imagine, they are not tied to each other in any way, being two different session cookies. This causes that if the legitimate user exits, only one session is deleted from database, while the other with the poisoned session still remains logged in.
Proof of Concept
1. As we can see, the contents of the “Sessions” table is empty. (This is not necessary for exploiting the vulnerability)
2. Poison the cookie “ZMSESSID” on the victim browser and do a simple request to the zm server
3. Now if another user logs in the application with that browser, the cookie sent is the poisoned one
4. The server respond with a pair of valid cookie and one of this is the poisoned one!
5. From now on, requests are made automatically with the new cookie and no longer with the poisoned one
7. As you can see, we have now two valid cookie in the “Sessions” table. These cookies are independent of each other and from now we have a poisoned parallel session of the user logged in.