Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-7479

Possible shell command injection

XMLWordPrintable

      -------------------------
      Vulnerability description
      -------------------------

      Zabbix agent is vulnerable to remote command execution from the Zabbix server in some cases.

      Please use CVE-2013-6824 to refer to this vulnerability.

      This vulnerability has been reported by Recurity Labs Team.

      -------
      Details
      -------

      If a flexible (accepting parameters) user parameter is configured in the agent, including a newline in the parameters will execute newline section as a separate command even if UnsafeUserParameters are disabled.
      This type of attack is only possible from Zabbix server or Zabbix proxy systems that are explicitly allowed in the agent configuration. Only flexible user parameters are vulnerable, static ones are not.

      For example, a user parameter as the following would accept some prameters:

      UserParameter=vfs.dir.size[*],du s -B 1 "${1:/tmp}" | cut -f1

      The following would result in the 'id' command being executed:

      echo -e "vfs.dir.size[\nid\n]" | nc localhost 10050

      -----------------
      Affected versions
      -----------------

      All of the Zabbix versions are vulnerable to this type of attacks.

      --------------
      Fixed versions
      --------------

      These vulnerabilities have been fixed in the latest releases of Zabbix.

      The fix is available in the following Zabbix releases
      2.2.1
      2.0.10
      1.8.19

      Additionally, patches are available for the following Zabbix versions:
      2.0.9 (also applicable to 2.0.8)
      1.8.18
      1.8.2

        1. zbx-7479-1.8.18.patch
          2 kB
          Alexander Vladishev
        2. zbx-7479-1.8.2.patch
          2 kB
          Alexander Vladishev
        3. zbx-7479-2.0.9.patch
          2 kB
          Alexander Vladishev
        4. zbx-7479-2.2.0.patch
          2 kB
          Alexander Vladishev

            Unassigned Unassigned
            sasha Alexander Vladishev
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: