One of the more interesting Trapper requests made by the Zabbix proxy is the “proxy config” request. Interestingly, a proxy can request its own proxy configuration from the Zabbix Server, or any other Zabbix Proxy’s configuration if it knows the hostname of that machine. Regardless of this minor information disclosure bug, there’s a more pivotal issue.
While the Zabbix server has hardcoded database tables that it looks at when gathering the configuration data to send to the proxy, there’s no such restriction on what the Zabbix Proxy will apply to its database. Thus, if an attacker is able to man-in-the-middle (MITM) the traffic between the Zabbix Proxy and Zabbix Server, they can insert arbitrary JSON into the Server’s configuration response, and the Zabbix Proxy will apply the configuration without hesitation. This is doubly concerning since the proxy configuration data flows unencrypted by default over the network.
Since the “proxy config” request happens at regular intervals from the Proxy to the Server, ASIG was able to use a MITM attack to intercept the traffic and insert the data we wanted into the conversation, writing a script into the database of a target Zabbix Proxy.
So far, this has not been successfully exploited for RCE.
Confirmed Versions: Zabbix 2.4.7 - 2.4.8r1
Remediation Recommendations cannot be provided at this time. The only feasible solution to this issue would be an upstream patch by Zabbix engineers, which would probably include a hardcoded whitelist of tables that may be modified by the "proxy config" response.
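As an added illustration of the whitelist idea above (example code written for this page, not Zabbix's own code), the following Python validator unframes a trapper packet and accepts only allowlisted, well-formed tables from a "proxy config" response. It assumes the `ZBXD\x01` + 8-byte little-endian length framing of the trapper protocol and the per-table `{"fields": [...], "data": [[...]]}` layout; the table allowlist itself is an illustrative assumption, not the server's real list.

```python
import json
import struct

# Zabbix trapper wire format: "ZBXD" + 0x01 + 8-byte little-endian body length + JSON body.
ZBX_HEADER = b"ZBXD\x01"

# Illustrative allowlist (an assumption, not Zabbix's own list): the only tables a
# proxy should be willing to update from a "proxy config" response.
ALLOWED_CONFIG_TABLES = frozenset({
    "globalmacro", "hosts", "interface", "hosts_templates", "hostmacro",
    "items", "drules", "dchecks", "regexps", "expressions", "config",
})

def zbx_frame(obj: dict) -> bytes:
    """Wrap a JSON object in a Zabbix trapper frame (used here to build sample input)."""
    body = json.dumps(obj).encode("utf-8")
    return ZBX_HEADER + struct.pack("<Q", len(body)) + body

def zbx_unframe(packet: bytes) -> dict:
    """Check the header and declared length before parsing; reject trailing bytes."""
    if len(packet) < 13 or not packet.startswith(ZBX_HEADER):
        raise ValueError("not a Zabbix trapper frame")
    (length,) = struct.unpack("<Q", packet[5:13])
    if len(packet) - 13 != length:
        raise ValueError("declared length does not match body")
    resp = json.loads(packet[13:].decode("utf-8"))
    if not isinstance(resp, dict):
        raise ValueError("proxy config body is not a JSON object")
    return resp

def well_formed_table(payload) -> bool:
    """A table is {"fields": [...], "data": [[...], ...]} with every row as wide as fields."""
    return (isinstance(payload, dict)
            and isinstance(payload.get("fields"), list)
            and isinstance(payload.get("data"), list)
            and all(isinstance(row, list) and len(row) == len(payload["fields"])
                    for row in payload["data"]))

def validate_proxy_config(packet: bytes):
    """Return (accepted, rejected): accepted holds allowlisted, well-formed tables;
    rejected lists every other key so it can be logged and alerted on instead of applied."""
    accepted, rejected = {}, []
    for key, payload in zbx_unframe(packet).items():
        if key == "response":  # status field, not a table
            continue
        if key in ALLOWED_CONFIG_TABLES and well_formed_table(payload):
            accepted[key] = payload
        else:
            rejected.append(key)
    return accepted, rejected
```

A proxy applying only `accepted` and logging `rejected` would neutralise injected tables even when the transport is still unencrypted; it does not replace enabling encryption between proxy and server.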