Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-18362

Windows MSI for zabbix agent handles PSK user input insecurely

XMLWordPrintable

    • Sprint 68 (Sep 2020), Sprint 69 (Oct 2020), Sprint 70 (Nov 2020), Sprint 71 (Dec 2020), Sprint 72 (Jan 2021), Sprint 73 (Feb 2021)
    • 0.5

      Steps to reproduce:

      1. run zabbix_agent-5.0.3-windows-amd64-openssl.msi
      2. Next, accept license, next
      3. Check "Enable PSK", enter some string into the Zabbix Server field
      4. next
      5. enter some string into the field "Pre-shared key identity"
      6. enter "somekey&calc.exe" into the field "Pre-shared key value"
      7. next, next, install

      Result:

      Installation succeeds

      C:\Programs\Zabbix Agent\psk.key is empty

      Calculator is executed

      Expected:

      Installation succeeds

      C:\Programs\Zabbix Agent\psk.key contains "somekey&calc.exe"

      Further information:

      The windows installer log ([Microsoft Docs - Enable Windows Installer Logging|https://docs.microsoft.com/en-us/troubleshoot/windows-client/application-management/enable-windows-installer-logging)] shows this:

      MSI (s) (6C:CC) [12:50:34:687]: PROPERTY CHANGE: Adding PSKFileDefCreate property. Its value is '"C:\Windows\system32\cmd.exe" /C echo somekey&calc.exe>"C:\Program Files\Zabbix Agent\psk.key"'.
Action ended 12:50:34: PSKFileDefCreate_cmd. Return value 1.
MSI (s) (6C:CC) [12:50:34:687]: Doing action: PSKFileDefCreate
Action 12:50:34: PSKFileDefCreate. 
Action start 12:50:34: PSKFileDefCreate.
PSKFileDefCreate: 
Action ended 12:50:34: PSKFileDefCreate. Return value 1.
MSI (s) (6C:CC) [12:50:34:703]: Doing action: PSKFileUserCreate_cmd
Action 12:50:34: PSKFileUserCreate_cmd. 
Action start 12:50:34: PSKFileUserCreate_cmd.
MSI (s) (6C:CC) [12:50:34:703]: PROPERTY CHANGE: Adding PSKFileUserCreate property. Its value is '"C:\Windows\system32\cmd.exe" /C echo somekey&calc.exe>""'.
Action ended 12:50:34: PSKFileUserCreate_cmd. Return value 1.
MSI (s) (6C:CC) [12:50:34:703]: Skipping action: PSKFileUserCreate (condition is false)
MSI (s) (6C:CC) [12:50:34:703]: Doing action: AgentService_Run
Action 12:50:34: AgentService_Run. 
Action start 12:50:34: AgentService_Run.
AgentService_Run: 
Action ended 12:50:34: AgentService_Run. Return value 1.

        1. zabbix_agent2-5.0.8-x64.msi.7z
          14.12 MB
        2. zabbix_agent2-5.2.4-x64.msi.7z
          14.44 MB
        3. zabbix_agent-5.0.8-x64.msi
          5.89 MB
        4. zabbix_agent-5.2.4-x64.msi
          5.90 MB

            arimdjonoks Artjoms Rimdjonoks
            weinzwang Martin
            Team C
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved: