[ZBX-1030] Remote commands execution in Zabbix Server. Created: 2009 Sep 10 Updated: 2017 May 30 Resolved: 2010 Jan 08 |
|
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Server (S) |
Affects Version/s: | None |
Fix Version/s: | 1.6.8 |
Type: | Incident report | Priority: | Blocker |
Reporter: | Igor Danoshaites (Inactive) | Assignee: | Alexander Vladishev |
Resolution: | Fixed | Votes: | 1 |
Labels: | None | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Description |
A security vulnerability has been found in Zabbix Server, allowing remote unauthenticated users to execute OS commands. This was tested on Zabbix 1.6.5 and Zabbix 1.6.1 (as available in Ubuntu Jaunty). A feature allows the PHP front-end to execute on the server some scripts configured in the database. The front-end asks the database for the details of a script (including the OS command to run) and then sends to the server a request including the command. As no restriction is made server-side on the caller of this functionality, it is trivial to execute code on any reachable Zabbix Server. When a connection is made to a listening server, the header is checked and the content of the data is compared to several keywords. If data begins with "Command", the node_process_command() function is called. This function checks that the "nodeid" value received in the packet is equal to the "NodeID" value defined in the config file. Then, execute_script() is called and a call to popen() with the user-supplied command is made. As a bonus for the attacker, the result of the command is sent back. |
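As an added illustration (not Zabbix code and not the fix committed for this issue), the sketch below shows one way a server could close the gap the description reports: refuse "Command" requests from peers outside an allow-list, and resolve the command from a server-side table by script id instead of running text taken from the packet. The `Command <id>` request form, the allow-list, the script table and all function names are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed script table standing in for the scripts stored in the database. */
struct script { long id; const char *command; };
static const struct script SCRIPTS[] = {
    { 1, "/bin/ping -c 3 127.0.0.1" },
    { 2, "/usr/bin/uptime" },
};

/* Exact match of the peer address against a comma-separated allow-list (hypothetical setting). */
static int peer_allowed(const char *peer, const char *list)
{
    size_t n = strlen(peer);
    while (n > 0 && *list != '\0') {
        size_t len = strcspn(list, ",");
        if (len == n && strncmp(list, peer, n) == 0)
            return 1;
        list += len;
        if (*list == ',')
            list++;
    }
    return 0;
}

/* Returns the command to run, or NULL when the request must be refused. */
const char *resolve_command(const char *peer, const char *allow_list, const char *data)
{
    char *end;
    long id;
    size_t i;
    if (strncmp(data, "Command ", 8) != 0)
        return NULL;                    /* not a command request */
    if (!peer_allowed(peer, allow_list))
        return NULL;                    /* the caller check the report found missing */
    id = strtol(data + 8, &end, 10);
    if (end == data + 8 || *end != '\0')
        return NULL;                    /* only a bare script id is accepted */
    for (i = 0; i < sizeof(SCRIPTS) / sizeof(SCRIPTS[0]); i++)
        if (SCRIPTS[i].id == id)
            return SCRIPTS[i].command;  /* command text comes from the server side */
    return NULL;
}

int main(void)
{
    const char *cmd = resolve_command("10.0.0.5", "10.0.0.5,10.0.0.6", "Command 2");
    printf("%s\n", cmd ? cmd : "refused");
}
```

With this shape, nothing from the request ever reaches popen(): the caller can only select an entry that the server already holds.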
Comments |
Comment by Alexander Vladishev [ 2009 Dec 07 ] |
Fixed in ver. pre1.8 |
Comment by Romeo Theriault [ 2009 Dec 18 ] |
Hello, I'm wondering if there are any plans to integrate this fix into the 1.6 branch? Thank you |
Comment by Alexei Vladishev [ 2009 Dec 18 ] |
Yes, this will be integrated to 1.6 as well. |
Comment by richlv [ 2010 Feb 04 ] |
changes from the dev branch work ok in 1.6 branch, can be merged (to 1.6 only, already in 1.8 and trunk) |
Comment by Alexander Vladishev [ 2010 Feb 04 ] |
Fixed in version pre1.6.9, revision 9900. |