Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-18362

Windows MSI for zabbix agent handles PSK user input insecurely

    XMLWordPrintable

Details

    • Team C
    • Sprint 68 (Sep 2020), Sprint 69 (Oct 2020), Sprint 70 (Nov 2020), Sprint 71 (Dec 2020), Sprint 72 (Jan 2021), Sprint 73 (Feb 2021)
    • 0.5

    Description

      Steps to reproduce:

      1. run zabbix_agent-5.0.3-windows-amd64-openssl.msi
      2. Next, accept license, next
      3. Check "Enable PSK", enter some string into the Zabbix Server field
      4. next
      5. enter some string into the field "Pre-shared key identity"
      6. enter "somekey&calc.exe" into the field "Pre-shared key value"
      7. next, next, install

      Result:

      Installation succeeds

      C:\Programs\Zabbix Agent\psk.key is empty

      Calculator is executed

      Expected:

      Installation succeeds

      C:\Programs\Zabbix Agent\psk.key contains "somekey&calc.exe"

      Further information:

      The windows installer log ([Microsoft Docs - Enable Windows Installer Logging|https://docs.microsoft.com/en-us/troubleshoot/windows-client/application-management/enable-windows-installer-logging)] shows this:

      MSI (s) (6C:CC) [12:50:34:687]: PROPERTY CHANGE: Adding PSKFileDefCreate property. Its value is '"C:\Windows\system32\cmd.exe" /C echo somekey&calc.exe>"C:\Program Files\Zabbix Agent\psk.key"'.
      Action ended 12:50:34: PSKFileDefCreate_cmd. Return value 1.
      MSI (s) (6C:CC) [12:50:34:687]: Doing action: PSKFileDefCreate
      Action 12:50:34: PSKFileDefCreate. 
      Action start 12:50:34: PSKFileDefCreate.
      PSKFileDefCreate: 
      Action ended 12:50:34: PSKFileDefCreate. Return value 1.
      MSI (s) (6C:CC) [12:50:34:703]: Doing action: PSKFileUserCreate_cmd
      Action 12:50:34: PSKFileUserCreate_cmd. 
      Action start 12:50:34: PSKFileUserCreate_cmd.
      MSI (s) (6C:CC) [12:50:34:703]: PROPERTY CHANGE: Adding PSKFileUserCreate property. Its value is '"C:\Windows\system32\cmd.exe" /C echo somekey&calc.exe>""'.
      Action ended 12:50:34: PSKFileUserCreate_cmd. Return value 1.
      MSI (s) (6C:CC) [12:50:34:703]: Skipping action: PSKFileUserCreate (condition is false)
      MSI (s) (6C:CC) [12:50:34:703]: Doing action: AgentService_Run
      Action 12:50:34: AgentService_Run. 
      Action start 12:50:34: AgentService_Run.
      AgentService_Run: 
      Action ended 12:50:34: AgentService_Run. Return value 1.
      

      Attachments

        Issue Links

          Activity

            People

              arimdjonoks Artjoms Rimdjonoks
              weinzwang Martin
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: