ZAI Shell Unauthenticated Remote Code Execution Vulnerability via P2P Sharing
Vulnerability
A remote code execution vulnerability exists in ZAI Shell versions prior to 9.0.3, specifically within the P2P terminal sharing feature. This feature opens a TCP socket on port 5757 without authentication, allowing remote attackers to connect and send arbitrary system commands. If the host user approves the command, it executes with the user's privileges, bypassing all safety checks.
Impact
Exploitation allows for unauthenticated remote code execution on the host machine.
Reproduction
To reproduce this vulnerability, start a P2P sharing session in ZAI Shell version 9.0.2 or earlier using the '--no-ai' mode. This opens an unprotected TCP socket on port 5757. An attacker can then connect to this port and send commands which, once approved by the host user, are executed on the host system without any of the normal safety checks.
Remediation
Users are advised to upgrade to ZAI Shell version 9.0.3 or later. Instructions for downloading the latest version are available on the ZAI Shell GitHub Releases page.
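The following is an added defender-side check, not code from the advisory or from the ZAI Shell project. It decides whether an installed version string falls in the affected range (before 9.0.3) and scans listener lines in the format of `ss -ltn` on Linux for a socket bound to TCP port 5757 on a non-loopback address. The port number and fixed version come from the advisory; the listener output embedded below is constructed sample data, and the assumption that `ss -ltn` is the source of that output is the author's, not the advisory's.

```python
"""Added example (not part of the advisory or the ZAI Shell project).

Two checks a host owner can run while deciding whether to upgrade:
  1. is_affected(): is the installed ZAI Shell older than the fixed 9.0.3?
  2. exposed_p2p_listeners(): is anything listening on TCP 5757 on an
     address other than loopback, i.e. reachable by other hosts?

Assumption (hypothetical): listener lines are in `ss -ltn` format on Linux.
The sample output below is constructed, not captured from a real host.
"""

import re
from typing import List, Tuple

FIXED_VERSION = (9, 0, 3)   # first fixed release, per the advisory
P2P_PORT = 5757             # unauthenticated P2P sharing port, per the advisory


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first MAJOR.MINOR.PATCH triple from a version string.

    Accepts forms such as '9.0.2' or 'v9.0.2-beta'; raises if none is found.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no MAJOR.MINOR.PATCH version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the version predates the fixed release 9.0.3."""
    return parse_version(version) < FIXED_VERSION


def exposed_p2p_listeners(ss_output: str, port: int = P2P_PORT) -> List[str]:
    """Return local address:port strings listening on `port` that are bound
    to something other than loopback (so other hosts could connect)."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Data lines start with the socket state; the header starts with 'State'.
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        # Split on the last colon so IPv6 forms like [::]:5757 parse correctly.
        addr, _, p = local.rpartition(":")
        if not p.isdigit() or int(p) != port:
            continue
        if addr in ("127.0.0.1", "[::1]"):
            continue
        exposed.append(local)
    return exposed


def triage(version: str, ss_output: str) -> str:
    """Combine both checks into a one-word verdict for a host."""
    vulnerable_build = is_affected(version)
    listeners = exposed_p2p_listeners(ss_output)
    if vulnerable_build and listeners:
        return "EXPOSED"      # old build and the port is reachable right now
    if vulnerable_build:
        return "UPGRADE"      # old build, but no sharing session is open
    return "OK"               # fixed build; an open 5757 is the patched feature


# Constructed sample `ss -ltn` output: CUPS on loopback, the P2P port on all
# interfaces, and SSH on all IPv6 interfaces.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
LISTEN 0      128    0.0.0.0:5757        0.0.0.0:*
LISTEN 0      511    [::]:22             [::]:*
"""

if __name__ == "__main__":
    for v in ("9.0.2", "9.0.3"):
        print(v, "->", triage(v, SAMPLE_SS_OUTPUT))
```

On a real host, replace SAMPLE_SS_OUTPUT with the captured output of `ss -ltn` and the version string with what the installed ZAI Shell reports; a verdict of EXPOSED means the vulnerable build has the unauthenticated sharing socket open to the network and the session should be ended before upgrading.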