ZABBIX BUGS AND ISSUES

Bypassing EnableRemoteCommands=0 in Zabbix Client.

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Blocker Blocker
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: 1.6.6, 1.9.0 (alpha)
  • Component/s: Agent (G)
  • Labels:
    None
  • Zabbix ID:
    050

Description

Has been found a security vulnerability in Zabbix Client allowing to execute OS commands, even if EnableRemoteCommands is set to "0". This was tested on Zabbbix 1.6.5. The IP address check is not bypassed, so the attacker must come from (or spoof) a valid Zabbix Server. This bug exists only in FreeBSD and Solaris agents.

In ./src/libs/zbxsysinfo/(freebsd|solaris)/net.c, a user defined variable "param" is used to create "command" which is executed.

Exploit :
$> echo "net.tcp.listen[80';id >/tmp/ID ; echo ']"|nc testbox 10050

This will execute "id" on the client and write the result to /tmp/ID.

Activity

Hide
Alexander Vladishev added a comment -

Fixed in branches 1.6 (pre1.6.7) and trunk, revision 7961.

Show
Alexander Vladishev added a comment - Fixed in branches 1.6 (pre1.6.7) and trunk, revision 7961.
Hide
Igor Danoshaites added a comment -

This patch seems to be fine.
Thank you from the user who installed it.

Show
Igor Danoshaites added a comment - This patch seems to be fine. Thank you from the user who installed it.

People

Vote (0)
Watch (1)

Dates

  • Created:
    Updated:
    Resolved: