ZABBIX BUGS AND ISSUES

It's possible to override LDAP configuration parameters via the API

Details

  • Type: Bug
  • Status: Closed
  • Priority: Blocker
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: None
  • Component/s: None
  • Labels:
  • Zabbix ID: RTF

Description

The user.login method can accept a 'cnf' parameter containing the configuration parameters for LDAP authentication. These parameters override the configuration stored in the database, so a caller can authenticate against a completely different LDAP server of their own choosing. This is a major security issue.

As a proof of concept, Oleksiy configured Zabbix to use LDAP, then changed the configuration in the database so that authentication wouldn't work. After that he was able to log in by passing the correct LDAP parameters in 'cnf' when calling user.login.

The authentication request looks something like this:

{
    "jsonrpc": "2.0",
    "method": "user.login",
    "params": {
        "user": "Admin",
        "password": "zabbix",
        "cnf": {
            "host": "",
            "port": "",
            "base_dn": "",
            "bind_dn": "",
            "bind_password": "",
            "search_attribute": ""
        }
    },
    "id": 17,
    "auth": "161c074862ae52cc87e16e3584f2ac42"
}

This seems to affect all versions starting from 1.8.1.
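As an added illustration (not Zabbix code and not part of this issue), the following Python sketch models the server-side behaviour described above: a login handler in which a client-supplied 'cnf' replaces the stored LDAP settings, the hardened form that rejects unexpected parameters and takes LDAP settings only from the server-side configuration, and a check that flags logged user.login bodies carrying 'cnf'. The hostnames, the in-memory stand-in directories, the stored configuration and the parameter allow-list are all constructed for the example and are not taken from Zabbix.

```python
import json
from typing import Dict, List, Tuple

# Constructed stand-in for the LDAP directories the API server could reach.
# Key: (host, port); value: {bind user -> password}. No real LDAP traffic is made.
FAKE_DIRECTORIES: Dict[Tuple[str, int], Dict[str, str]] = {
    ("ldap.corp.example", 389): {"Admin": "correct-horse"},        # the administrator's directory
    ("ldap.rogue.example", 389): {"Admin": "anything-at-all"},     # hypothetical directory under someone else's control
}

# Constructed stand-in for the stored configuration (the database settings the issue refers to).
DB_CONFIG = {
    "authentication_type": "ldap",   # per the discussion, the override only mattered when LDAP was selected
    "ldap": {"host": "ldap.corp.example", "port": 389, "base_dn": "dc=corp,dc=example"},
}

# Hypothetical allow-list of user.login parameters for this example.
ALLOWED_LOGIN_PARAMS = {"user", "password", "userData"}


def ldap_bind(cfg: dict, user: str, password: str) -> bool:
    """Simulate an LDAP simple bind against the directory named in cfg."""
    directory = FAKE_DIRECTORIES.get((cfg["host"], int(cfg["port"])))
    if directory is None:
        return False  # unknown or unreachable host
    return directory.get(user) == password


def login_vulnerable(request: dict) -> bool:
    """The pattern the issue describes: a client-supplied 'cnf' replaces the stored LDAP
    settings, so whoever controls the directory named in 'cnf' decides whether the bind succeeds."""
    params = request["params"]
    cfg = params.get("cnf", DB_CONFIG["ldap"])
    return ldap_bind(cfg, params["user"], params["password"])


def login_hardened(request: dict) -> bool:
    """Hardened form: parameters outside the allow-list are rejected, and the LDAP settings
    are read only from the server-side configuration, never from the request."""
    params = request["params"]
    unexpected = set(params) - ALLOWED_LOGIN_PARAMS
    if unexpected:
        raise ValueError(f"user.login: unexpected parameter(s) {sorted(unexpected)}")
    return ldap_bind(DB_CONFIG["ldap"], params["user"], params["password"])


def find_cnf_overrides(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Detection: given JSON-RPC request bodies logged one per line (as a reverse proxy or API
    gateway might record them), return (request id, cnf host) for every user.login carrying 'cnf'."""
    hits = []
    for line in log_lines:
        try:
            body = json.loads(line)
        except ValueError:
            continue  # not a JSON body; skip it
        params = body.get("params") or {}
        if body.get("method") == "user.login" and isinstance(params, dict) and "cnf" in params:
            cnf = params["cnf"] if isinstance(params["cnf"], dict) else {}
            hits.append((body.get("id"), cnf.get("host", "")))
    return hits


# Constructed requests: a normal login, and one carrying the 'cnf' override from the issue's example.
LEGIT_REQUEST = {"jsonrpc": "2.0", "method": "user.login", "id": 1,
                 "params": {"user": "Admin", "password": "correct-horse"}}
OVERRIDE_REQUEST = {"jsonrpc": "2.0", "method": "user.login", "id": 17,
                    "params": {"user": "Admin", "password": "anything-at-all",
                               "cnf": {"host": "ldap.rogue.example", "port": 389,
                                       "base_dn": "dc=rogue,dc=example"}}}
# Constructed log: one body per line, with one non-JSON line to show the parser skipping it.
SAMPLE_LOG = [json.dumps(LEGIT_REQUEST), "not json at all", json.dumps(OVERRIDE_REQUEST)]

if __name__ == "__main__":
    print("vulnerable, override request:", login_vulnerable(OVERRIDE_REQUEST))  # True: the wrong directory answered
    print("hardened, normal request:", login_hardened(LEGIT_REQUEST))           # True
    try:
        login_hardened(OVERRIDE_REQUEST)
    except ValueError as err:
        print("hardened, override request rejected:", err)
    print("log hits:", find_cnf_overrides(SAMPLE_LOG))                          # [(17, 'ldap.rogue.example')]
```

The point of the hardened handler is that the server, not the caller, is the authority on where credentials are verified; an allow-list on the request parameters is what makes an unexpected 'cnf' visible instead of silently honoured. The log check is a cheap retrospective test for deployments that recorded API bodies before patching.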

Attachments

  1. ldap_1-8-2.diff (2 kB, 2013 Jan 10 14:32, Pavels Jelisejevs)
  2. ldap_2-0-1.diff (2 kB, 2013 Jan 10 14:32, Pavels Jelisejevs)
  3. ldap_2-1-0.diff (5 kB, 2013 Jan 04 12:03, Pavels Jelisejevs)

Activity

Oleksiy Zagorskyi added a comment -

Yeah, I reproduced yesterday this security hole on 2.0.4

richlv added a comment - (edited)

Ouch. Does this work only if LDAP is selected, or also if internal auth is selected?

Pavels Jelisejevs: Only if LDAP is selected. In 1.8 it would have worked for all methods if not for some strange hack.

<richlv> Hmm... so (in 1.8) with HTTP we could auth with one user, but then pass an LDAP structure that would eventually auth us as the admin user?
Any clues why something like that was in the code at all?

Pavels Jelisejevs: No, there is a hack in the code to prevent it.

Pavels Jelisejevs added a comment -

RESOLVED

trunk - svn://svn.zabbix.com/branches/dev/DEV-524
2.0 - svn://svn.zabbix.com/branches/dev/DEV-524-20
1.8 - svn://svn.zabbix.com/branches/dev/DEV-524-18

Toms added a comment - (edited)

(1) Minor naming issues for DEV-524:

  • Comment for the CLdapAuthValidator validate() method: "The value hash must have the following attributes". The $value variable is not a hash here.
  • authenticate.php line 104: "$login = $ldapValidator->validate(array(". I suggest a $result variable instead of $login, as we don't log in here.

Pavels Jelisejevs: RESOLVED in r32423.

Toms: CLOSED

Toms added a comment -

TESTED

Pavels Jelisejevs added a comment -

Fixed in 2.1.0 r32446, 2.0.5rc1 r32444 and 1.8.16rc1 r32442.

Pavels Jelisejevs added a comment -

The provided patches are meant for Zabbix versions 1.8.2, 2.0.1, 2.1.0 and newer. On some versions they will apply with offsets.

richlv added a comment - (edited)

Please use CVE-2013-1364 to refer to this issue.

richlv added a comment -

Gentoo issue: https://bugs.gentoo.org/show_bug.cgi?id=452878

Volker Fröhlich added a comment -

EPEL/Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=901875

Pavels Jelisejevs added a comment -

CLOSED.


People

Vote (0)
Watch (2)
