ZABBIX BUGS AND ISSUES
ZBX-6097

It's possible to override LDAP configuration parameters via the API

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:

      Description

      The user.login method can accept a 'cnf' parameter containing the configuration parameters for LDAP authentication. These parameters will override the configuration in the database. This can be used to authenticate using a completely different LDAP application and is a major security issue.

      As a proof of concept, Oleksiy configured Zabbix to use LDAP, then changed the configuration in the database so that authentication wouldn't work. After that he was able to log in by passing correct parameters when calling user.login.

      The authentication request looks something like this:

      {
          "jsonrpc": "2.0",
          "method": "user.login",
          "params": {
              "user": "Admin",
              "password": "zabbix",
              "cnf": { "host": "", "port": "", "base_dn": "", "bind_dn": "", "bind_password": "", "search_attribute": "" }
          },
          "id": 17,
          "auth": "161c074862ae52cc87e16e3584f2ac42"
      }

      This seems to affect all versions starting from 1.8.1.

      1. ldap_1-8-2.diff
        2 kB
        Pavels Jelisejevs
      2. ldap_2-0-1.diff
        2 kB
        Pavels Jelisejevs
      3. ldap_2-1-0.diff
        5 kB
        Pavels Jelisejevs
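
      A defensive check for the request shape described in the report, as an added example that is not part of the original issue or of Zabbix's code: it flags user.login calls that carry a cnf object, or any parameter outside an assumed allowlist, including calls inside a JSON-RPC batch. The function name, the allowlist (user, password) and the sample bodies are assumptions constructed for illustration.

```python
import json

# Assumption: only the credential fields shown in the report are legitimate
# user.login parameters; extend this set to match the API version in use.
ALLOWED_LOGIN_PARAMS = {"user", "password"}
# LDAP settings named in the report's "cnf" object.
LDAP_KEYS = {"host", "port", "base_dn", "bind_dn",
             "bind_password", "search_attribute"}


def inspect_request(body):
    """Return a list of findings for one JSON-RPC HTTP body (str or bytes)."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return ["unparseable body"]
    # JSON-RPC 2.0 permits batches: a top-level array of call objects.
    calls = doc if isinstance(doc, list) else [doc]
    findings = []
    for call in calls:
        if not isinstance(call, dict) or call.get("method") != "user.login":
            continue
        params = call.get("params")
        if not isinstance(params, dict):
            findings.append("user.login with non-object params")
            continue
        if "cnf" in params:
            cnf = params["cnf"]
            named = sorted(set(cnf) & LDAP_KEYS) if isinstance(cnf, dict) else []
            findings.append("user.login carries cnf (LDAP override): "
                            + ",".join(named))
        extra = sorted(set(params) - ALLOWED_LOGIN_PARAMS - {"cnf"})
        if extra:
            findings.append("user.login carries unexpected params: "
                            + ",".join(extra))
    return findings


# Constructed sample bodies (not captured traffic); values left empty as in the report.
NORMAL = json.dumps({"jsonrpc": "2.0", "method": "user.login", "id": 1,
                     "params": {"user": "monitor", "password": "x"}})
OVERRIDE = json.dumps({"jsonrpc": "2.0", "method": "user.login", "id": 2,
                       "params": {"user": "Admin", "password": "x",
                                  "cnf": {k: "" for k in LDAP_KEYS}}})
BATCH = "[" + NORMAL + "," + OVERRIDE + "]"

if __name__ == "__main__":
    for name, body in (("normal", NORMAL), ("override", OVERRIDE), ("batch", BATCH)):
        print(name, inspect_request(body))
```

      The same function can be run over stored request bodies to look for past use of the parameter on installations that predate the fix.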

        Activity

        Oleksiy Zagorskyi added a comment -

        Yeah, I reproduced yesterday this security hole on 2.0.4

        richlv added a comment - - edited

        ouch. does this work only if ldap is selected, or also if internal auth is selected ?

        Pavels Jelisejevs Only if LDAP is selected. In 1.8 it would have worked for all methods if not for some strange hack.

        <richlv> hmm... so (in 1.8) with http we could auth with one user, but then pass ldap structure that would eventually auth us as admin user ?
        any clues why something like that was in the code at all ?

        Pavels Jelisejevs No, there is a hack in the code to prevent it.

        Pavels Jelisejevs added a comment -

        RESOLVED

        trunk - svn://svn.zabbix.com/branches/dev/DEV-524
        2.0 - svn://svn.zabbix.com/branches/dev/DEV-524-20
        1.8 - svn://svn.zabbix.com/branches/dev/DEV-524-18

        Toms added a comment - - edited

        (1) minor naming issues for DEV-524:

        • Comment for CLdapAuthValidator validate() method: "The value hash must have the following attributes". $value variable is not a hash here.
        • authenticate.php line 104 "$login = $ldapValidator->validate(array(" i suggest $result variable instead of $login, as here we don't log in.

        Pavels Jelisejevs RESOLVED in r32423.

        Toms CLOSED

        Toms added a comment -

        TESTED

        Pavels Jelisejevs added a comment -

        Fixed in 2.1.0 r32446, 2.0.5rc1 r32444 and 1.8.16rc1 r32442.

        Pavels Jelisejevs added a comment -

        The provided patches are meant for Zabbix versions 1.8.2, 2.0.1, 2.1.0 and newer. To some versions they will be applied with offsets.

        richlv added a comment - - edited

        Please use CVE-2013-1364 to refer to this issue.

        richlv added a comment -

        gentoo issue: https://bugs.gentoo.org/show_bug.cgi?id=452878

        Volker Fröhlich added a comment -

        EPEL/Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=901875

        Pavels Jelisejevs added a comment -

        CLOSED.


          People

          • Assignee: Pavels Jelisejevs
          • Reporter: Pavels Jelisejevs
          • Votes: 0
          • Watchers: 2
