Zabbix 2.0.8 SQL Injection
Posted Oct 4, 2013
Authored by B. Schildendorfer | Site sec-consult.com

Zabbix versions 2.0.8 and below suffer from a remote SQL injection vulnerability.

tags | advisory, remote, sql injection
advisories | CVE-2013-5743
MD5 | 3f596696d335ed3615da39cb66ca1642

SEC Consult Vulnerability Lab Security Advisory < 20131004-0 >
=======================================================================
title: SQL injection vulnerability
product: Zabbix
vulnerable version: <=2.0.8
fixed version: 2.0.9rc1
CVE number: CVE-2013-5743
impact: critical
homepage: http://www.zabbix.com/
found: 2013-09-03
by: Bernhard Schildendorfer
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Zabbix is the ultimate open source availability and performance monitoring
solution. Zabbix offers advanced monitoring, alerting, and visualization
features today which are missing in other monitoring systems, even some of the
best commercial ones."

Source: http://www.zabbix.com/product.php


Business recommendation:
------------------------
By exploiting this SQL injection vulnerability, an authenticated attacker (or
guest user) is able to gain full access to the database. This causes a
privilege escalation to power users as well as a possible compromise of the
database and operating system the database is running on.

Because of the functionality Zabbix offers, an attacker with admin
privileges may be able (depending on the actual configuration) to execute
arbitrary OS commands on the configured Zabbix hosts. This results in a severe
impact on the monitored infrastructure.

Although the attacker generally needs to be authenticated, the system can
also be at risk if the adversary has no user account. Zabbix offers a guest
mode which provides a low-privileged default account for users without a
password. If this guest mode is enabled, the SQL injection vulnerability can
be exploited without authentication.


Vulnerability overview/description:
-----------------------------------
The PHP JSON API provides access to different classes which lack input
validation of some of their parameters. This can be exploited to inject into
SQL query statements. By exploiting this vulnerability, an attacker gains
access to all records stored in the database with the privileges of the Zabbix
database user.


Proof of concept:
-----------------
The affected PHP file api_jsonrpc.php handles JSON requests to the Zabbix API
which get, after passing to class.cjsonrpc.php, dispatched by
class.czbxrpc.php to the actual (vulnerable) API classes located in
/frontends/php/api/classes/*.

The example proof of concept exploit has been removed from this advisory.

A quick search in the source code revealed that at least the following
methods are also vulnerable through the given parameters. Not all of them were
tested:

- alert.get // parameter: time_from, time_till
- event.get // parameter: object, source, eventid_from, eventid_till
- graphitem.get // parameter: type
- graph.get // parameter: type
- graphprototype.get // parameter: type
- history.get // parameter: time_from, time_till
- trigger.get // parameter: lastChangeSince, lastChangeTill, min_severity
- triggerprototype.get // parameter: min_severity
- usergroup.get // parameter: status

Because no prepared statements are used to query the database, further
injection points may exist wherever prior validation fails.
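The following Python sketch is an added illustration and is not code from the advisory or from Zabbix. It shows the two defensive controls the advisory's findings call for: a type check on the integer-valued JSON-RPC parameters listed above (usable as a request filter in front of api_jsonrpc.php or inside an API handler), and a parameterized query that binds a validated time_from/time_till instead of concatenating them into the SQL string. The method/parameter table is copied from the list above; the `history` table layout, the request bodies and the function names are constructed for the example.

```python
import json
import sqlite3

# Method -> integer-typed parameters the advisory lists as reaching SQL
# without validation (copied from the list above).
UNVALIDATED_INT_PARAMS = {
    "alert.get": {"time_from", "time_till"},
    "event.get": {"object", "source", "eventid_from", "eventid_till"},
    "graphitem.get": {"type"},
    "graph.get": {"type"},
    "graphprototype.get": {"type"},
    "history.get": {"time_from", "time_till"},
    "trigger.get": {"lastChangeSince", "lastChangeTill", "min_severity"},
    "triggerprototype.get": {"min_severity"},
    "usergroup.get": {"status"},
}

def is_int_like(value):
    """Accept a Python int or a string of decimal digits only; booleans,
    quotes, spaces and operators all fail."""
    if isinstance(value, bool):
        return False
    return isinstance(value, int) or (isinstance(value, str) and value.isdigit())

def check_request(body):
    """Return the listed parameters of a JSON-RPC request that are not integers.
    An empty list means the request is well-typed for these parameters."""
    req = json.loads(body)
    params = req.get("params") or {}
    watched = UNVALIDATED_INT_PARAMS.get(req.get("method"), ())
    return sorted(p for p in watched if p in params and not is_int_like(params[p]))

def history_query(time_from, time_till):
    """Hardened form of the history.get time filter: validate the type first,
    then bind the values as query parameters instead of concatenating them."""
    if not (is_int_like(time_from) and is_int_like(time_till)):
        raise ValueError("time_from/time_till must be integers")
    sql = "SELECT itemid, clock, value FROM history WHERE clock >= ? AND clock <= ?"
    return sql, (int(time_from), int(time_till))

def run_demo():
    """Run the hardened query against a constructed in-memory history table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE history (itemid INTEGER, clock INTEGER, value REAL)")
    conn.executemany("INSERT INTO history VALUES (?, ?, ?)",
                     [(1, 100, 0.5), (1, 200, 0.7), (2, 300, 0.9)])
    sql, args = history_query("150", 300)  # string input from JSON is fine once validated
    return [row[1] for row in conn.execute(sql, args)]
```

A request whose watched parameter carries anything but digits is reported by check_request and would be rejected by history_query before any SQL is built, which is the behaviour the vendor patch restores.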


Vulnerable / tested versions:
-----------------------------

Zabbix 2.0.8


Vendor contact timeline:
------------------------
2013-09-10: Contacting vendor through sales@zabbix.com
2013-09-10: Initial vendor response
2013-09-10: Forwarding security advisory to vendor
2013-09-10: Vendor acknowledges that the advisory was received
2013-09-11: Vendor confirmed the issue
2013-10-02: Patch released by vendor
2013-10-04: SEC Consult releases coordinated security advisory.


Solution:
---------
According to the vendor, patches for the following Zabbix versions are
available for download. They were not tested by SEC Consult.
1.8.18rc1: https://support.zabbix.com/secure/attachment/24448/ZBX-7091-1.8.18rc1.patch
1.8.2: https://support.zabbix.com/secure/attachment/24447/ZBX-7091-1.8.2.patch
2.0.8: https://support.zabbix.com/secure/attachment/24449/ZBX-7091-2.0.8.patch
2.0.9rc1: https://support.zabbix.com/secure/attachment/24450/ZBX-7091-2.0.9rc1.patch
2.1.7: https://support.zabbix.com/secure/attachment/24451/ZBX-7091-2.1.7.patch

Additional information is available on the vendor's bug tracking page:
https://support.zabbix.com/browse/ZBX-7091


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Bernhard Schildendorfer / @2013