Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-17104

Some shell metachars not escaped in action's remote command

XMLWordPrintable

      See also similar issue with quoting when call alerts scripts: ZBX-4529

       

      Steps to reproduce:

      1. Setup zabbix from official repo
      2. Write external script to handle zabbix events, place it on zabbix server
      3. Create action in zabbix UI with one of Operations Steps "remote command on zabbix server" (see attached screenshot). Pass some macros to this remote command, for example, {ITEM.VALUE2}. You may either quote macroses/args with single or double quote.
      4. Make this action run several times with values of {ITEM.VALUE2} either with one single quote, with one double quote character.
      5. Lookup for action success or failure with different values of this particular macro (in Reports->Action log).

      Result:

      Sometimes action is failed (when {ITEM.VALUE2} contain single quote if arg is single quoted in remote command, and when it contain double quote if arg is double quoted). See attached screenshot (where value single quoted and result of httptest contains single quote in output). Result is error message from "sh".

      Expected:
      It is expected that either single or double quote characters will be escaped in macro values when it is passed to remote command, so no shell misquoting problem arises.

       

      Note that macro values not always under control of zabbix server administrator and now (in 4.4.3) external attacker may manipulate acquired data to inject malicious shell code in remote command and execute it in context of zabbix server user.

        1. Screenshot 2019-12-19 at 22.03.24.png
          260 kB
          Evgenii Terechkov
        2. Screenshot 2019-12-19 at 22.11.30.png
          124 kB
          Evgenii Terechkov

            zabbix.dev Zabbix Development Team
            evg-krsk Evgenii Terechkov
            Team C
            Votes:
            2 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated: