ZABBIX BUGS AND ISSUES / ZBX-6097

It's possible to override LDAP configuration parameters via the API

    Details

    • Type: Incident report
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:

      Description

      The user.login method can accept a 'cnf' parameter containing the configuration parameters for LDAP authentication. These parameters will override the configuration in the database. This can be used to authenticate using a completely different LDAP application and is a major security issue.

      As a proof of concept, Oleksiy configured Zabbix to use LDAP, then changed the configuration in the database so that authentication wouldn't work. After that he was able to log in by passing correct parameters when calling user.login.

      The authentication request looks something like this:

      {
          "jsonrpc": "2.0",
          "method": "user.login",
          "params": {
              "user": "Admin",
              "password": "zabbix",
              "cnf": {
                  "host": "",
                  "port": "",
                  "base_dn": "",
                  "bind_dn": "",
                  "bind_password": "",
                  "search_attribute": ""
              }
          },
          "id": 17,
          "auth": "161c074862ae52cc87e16e3584f2ac42"
      }

      This seems to affect all versions starting from 1.8.1.

      1. ldap_1-8-2.diff
        2 kB
        Pavels Jelisejevs
      2. ldap_2-0-1.diff
        2 kB
        Pavels Jelisejevs
      3. ldap_2-1-0.diff
        5 kB
        Pavels Jelisejevs
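A detection-side sketch for the request shape described above, added here as an example (it is not Zabbix code and not part of the attached patches): it scans JSON-RPC request bodies, for instance from a reverse-proxy capture, and reports user.login calls that carry parameters beyond the credentials. The allow-list, function names and sample bodies are assumptions made for the example.

```python
import json

# Assumption: a login call needs only these two parameters (the ones shown in
# the report's request besides 'cnf'). Anything else is treated as unexpected.
ALLOWED_LOGIN_PARAMS = {"user", "password"}

def _calls(body):
    """Yield each JSON-RPC call object from a single or batch (array) body."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return
    for item in doc if isinstance(doc, list) else [doc]:
        if isinstance(item, dict):
            yield item

def audit_login_params(body):
    """Return findings for user.login calls carrying unexpected parameters."""
    findings = []
    for call in _calls(body):
        params = call.get("params")
        if call.get("method") != "user.login" or not isinstance(params, dict):
            continue
        extra = sorted(set(params) - ALLOWED_LOGIN_PARAMS)
        if extra:
            cnf = params.get("cnf")
            findings.append({
                "id": call.get("id"),
                "user": params.get("user"),
                "unexpected": extra,
                # Key names only: never copy bind_password into a finding.
                "cnf_keys": sorted(cnf) if isinstance(cnf, dict) else [],
            })
    return findings

# Constructed sample bodies, modelled on the request in the description.
SAMPLE_OVERRIDE = json.dumps({
    "jsonrpc": "2.0", "method": "user.login", "id": 17,
    "params": {"user": "Admin", "password": "x",
               "cnf": {"host": "", "port": "", "base_dn": "", "bind_dn": "",
                       "bind_password": "", "search_attribute": ""}}})
SAMPLE_NORMAL = json.dumps({
    "jsonrpc": "2.0", "method": "user.login", "id": 1,
    "params": {"user": "Admin", "password": "x"}})

if __name__ == "__main__":
    for name, body in (("override", SAMPLE_OVERRIDE), ("normal", SAMPLE_NORMAL)):
        print(name, audit_login_params(body))
```

On a patched frontend a non-empty result still marks a client that attempted the override, which makes it worth alerting on.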

        Activity

        Pavels Jelisejevs (Inactive) created issue -
        Oleksiy Zagorskyi added a comment -

        Yeah, I reproduced yesterday this security hole on 2.0.4

        Oleksiy Zagorskyi made changes -
        Description: in the example request, "search_attribute" changed from "uid" to "" (rest of the text unchanged)
        richlv added a comment - - edited

        ouch. does this work only if ldap is selected, or also if internal auth is selected?

        Pavels Jelisejevs: Only if LDAP is selected. In 1.8 it would have worked for all methods if not for some strange hack.

        <richlv> hmm... so (in 1.8) with http we could auth with one user, but then pass ldap structure that would eventually auth us as admin user?
        any clues why something like that was in the code at all?

        Pavels Jelisejevs: No, there is a hack in the code to prevent it.

        Pavels Jelisejevs (Inactive) made changes -
        Status Open [ 1 ] In Progress [ 3 ]
        Pavels Jelisejevs (Inactive) added a comment -

        RESOLVED

        trunk - svn://svn.zabbix.com/branches/dev/DEV-524
        2.0 - svn://svn.zabbix.com/branches/dev/DEV-524-20
        1.8 - svn://svn.zabbix.com/branches/dev/DEV-524-18

        Pavels Jelisejevs (Inactive) made changes -
        Status In Progress [ 3 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Toms made changes -
        Assignee Pavels Jelisejevs [ jelisejev ] Toms [ tomtom ]
        Toms added a comment - - edited

        (1) minor naming issues for DEV-524:

        • Comment for CLdapAuthValidator validate() method: "The value hash must have the following attributes". $value variable is not a hash here.
        • authenticate.php line 104 "$login = $ldapValidator->validate(array(": I suggest $result variable instead of $login, as here we don't log in.

        Pavels Jelisejevs: RESOLVED in r32423.

        Toms: CLOSED

        Toms made changes -
        Resolution Fixed [ 1 ]
        Status Resolved [ 5 ] Reopened [ 4 ]
        Assignee Toms [ tomtom ] Pavels Jelisejevs [ jelisejev ]
        Pavels Jelisejevs (Inactive) made changes -
        Status Reopened [ 4 ] Resolved [ 5 ]
        Assignee Pavels Jelisejevs [ jelisejev ] Toms [ tomtom ]
        Resolution Fixed [ 1 ]
        Toms added a comment -

        TESTED

        Toms made changes -
        Assignee Toms [ tomtom ] Pavels Jelisejevs [ jelisejev ]
        Pavels Jelisejevs (Inactive) made changes -
        Attachment ldap_1-8-16.diff [ 21221 ]
        Attachment ldap_2-0-5.diff [ 21222 ]
        Attachment ldap_2-1-0.diff [ 21223 ]
        Pavels Jelisejevs (Inactive) added a comment -

        Fixed in 2.1.0 r32446, 2.0.5rc1 r32444 and 1.8.16rc1 r32442.

        Pavels Jelisejevs (Inactive) made changes -
        Project ZABBIX-DEV [ 10010 ] ZABBIX BUGS AND ISSUES [ 10000 ]
        Key DEV-524 ZBX-6097
        Workflow jira [ 27515 ] Zabbix workflow [ 27662 ]
        Pavels Jelisejevs (Inactive) made changes -
        Attachment ldap_1-8-16.diff [ 21221 ]
        Pavels Jelisejevs (Inactive) made changes -
        Attachment ldap_2-0-5.diff [ 21222 ]
        Pavels Jelisejevs (Inactive) made changes -
        Attachment ldap_1-8-2.diff [ 21278 ]
        Attachment ldap_2-0-1.diff [ 21279 ]
        Pavels Jelisejevs (Inactive) added a comment -

        The provided patches are meant for Zabbix versions 1.8.2, 2.0.1, 2.1.0 and newer. To some versions they will be applied with offsets.

        richlv added a comment - - edited

        Please use CVE-2013-1364 to refer to this issue.

        richlv added a comment - gentoo issue : https://bugs.gentoo.org/show_bug.cgi?id=452878
        Volker Fröhlich added a comment - EPEL/Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=901875
        Alexei Vladishev made changes -
        Zabbix ID NA RTF
        Pavels Jelisejevs (Inactive) added a comment -

        CLOSED.

        Pavels Jelisejevs (Inactive) made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Alexei Vladishev made changes -
        Workflow Zabbix workflow [ 27662 ] Zabbix workflow - new [ 46767 ]
        Alexander Vladishev made changes -
        Workflow Zabbix workflow - new [ 46767 ] Copy of Zabbix workflow - new [ 66919 ]
        Alexander Vladishev made changes -
        Workflow Copy of Zabbix workflow - new [ 66919 ] Zabbix workflow - new [ 82139 ]
        Gatis Rumbens made changes -
        Issue Type Bug [ 1 ] Incident report [ 10110 ]
        Zabbix ID RTF
        Assignee Pavels Jelisejevs [ jelisejev ]
        Transition | Time In Source Status | Execution Times | Last Executer | Last Execution Date
        Open -> In Progress | 13d 46m | 1 | Pavels Jelisejevs (Inactive) | 2013 Jan 02 11:28
        In Progress -> Resolved | 5h 43m | 1 | Pavels Jelisejevs (Inactive) | 2013 Jan 02 17:11
        Resolved -> Reopened | 1d 18h 12m | 1 | Toms | 2013 Jan 04 11:24
        Reopened -> Resolved | 21m 39s | 1 | Pavels Jelisejevs (Inactive) | 2013 Jan 04 11:45
        Resolved -> Closed | 28d 22m | 1 | Pavels Jelisejevs (Inactive) | 2013 Feb 01 12:08

          People

          • Assignee: Unassigned
          • Reporter: Pavels Jelisejevs (Inactive)
          • Votes: 0
          • Watchers: 2
