ZABBIX BUGS AND ISSUES
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-1030

Remote commands execution in Zabbix Server.

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Blocker Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.6.8
    • Component/s: Server (S)
    • Labels:
      None

      Description

      Has been found a security vulnerability in Zabbix Server, allowing remote unauthenticated users to execute OS commands. This was tested on Zabbbix 1.6.5 and Zabbbix 1.6.1 (as available in Ubuntu Jaunty).

      A feature allows the PHP front-end to execute on the server some scripts configured in the database. The front-end asks the database for the details of a script (including the OS command to run) and then send to the server a request including the command. As no restriction is made server-side on the caller of this functionality, it is trivial to execute code on any reachable Zabbix Server.

      When a connection is made to a listening server, the header is checked and the content of the data is compared to several keywords. If data begins with "Command", the node_process_command() function is called. This function checks that the "nodeid" value received in the packet is equal to the "NodeID" value defined in the config file. Then, execute_script() is called and a call to popen() with the user-supplied command is made. As a bonus for the attacker, result of the command is sent back.

        Activity

        Hide
        Alexander Vladishev added a comment -

        Fixed in ver. pre1.8

        Show
        Alexander Vladishev added a comment - Fixed in ver. pre1.8
        Hide
        Romeo Theriault added a comment -

        Hello, I'm wondering if there are any plans to integrate this fix into the 1.6 branch?

        Thank you

        Show
        Romeo Theriault added a comment - Hello, I'm wondering if there are any plans to integrate this fix into the 1.6 branch? Thank you
        Hide
        Alexei Vladishev added a comment -

        Yes, this will be integrated to 1.6 as well.

        Show
        Alexei Vladishev added a comment - Yes, this will be integrated to 1.6 as well.
        Hide
        richlv added a comment -

        changes from the dev branch work ok in 1.6 branch, can be merged (to 1.6 only, already in 1.8 and trunk)

        Show
        richlv added a comment - changes from the dev branch work ok in 1.6 branch, can be merged (to 1.6 only, already in 1.8 and trunk)
        Hide
        Alexander Vladishev added a comment -

        Fixed in version pre1.6.9, revision 9900.

        Show
        Alexander Vladishev added a comment - Fixed in version pre1.6.9, revision 9900.

          People

          • Assignee:
            Alexander Vladishev
            Reporter:
            Igor Danoshaites
          • Votes:
            1 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: