[ZBX-1032] Bypassing EnableRemoteCommands=0 in Zabbix Client. Created: 2009 Sep 10  Updated: 2017 May 30  Resolved: 2009 Sep 24

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Agent (G)
Affects Version/s: None
Fix Version/s: 1.6.6, 1.9.0 (alpha)

Type: Incident report Priority: Blocker
Reporter: Igor Danoshaites (Inactive) Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

A security vulnerability has been found in Zabbix Client that allows execution of OS commands, even if EnableRemoteCommands is set to "0". This was tested on Zabbix 1.6.5. The IP address check is not bypassed, so the attacker must come from (or spoof) a valid Zabbix Server. This bug exists only in FreeBSD and Solaris agents.

In ./src/libs/zbxsysinfo/(freebsd|solaris)/net.c, a user-defined variable "param" is used to create "command", which is executed.

Exploit:
$> echo "net.tcp.listen[80';id >/tmp/ID ; echo ']"|nc testbox 10050

This will execute "id" on the client and write the result to /tmp/ID.
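
The class of fix for the pattern described above, as an added example (not code from the report and not the Zabbix source): the item parameter is parsed as a decimal port before any command string is built, so quotes and shell metacharacters never reach the shell. The function names `parse_port` and `build_listen_command` and the command template are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Zabbix code: accept only a decimal port 1..65535.
 * Anything else (quotes, ';', spaces, signs) is rejected outright. */
int parse_port(const char *param, unsigned int *port)
{
    unsigned int v = 0;
    size_t i, len;

    if (param == NULL || (len = strlen(param)) == 0 || len > 5)
        return -1;
    for (i = 0; i < len; i++) {
        if (!isdigit((unsigned char)param[i]))
            return -1;
        v = v * 10 + (unsigned int)(param[i] - '0');
    }
    if (v == 0 || v > 65535)
        return -1;
    *port = v;
    return 0;
}

/* Format the command from the validated integer only; the raw string never
 * reaches the shell. The template is illustrative, not the agent's command. */
int build_listen_command(const char *param, char *out, size_t outlen)
{
    unsigned int port;
    int n;

    if (parse_port(param, &port) != 0)
        return -1;
    n = snprintf(out, outlen, "netstat -an | grep -c '[.:]%u .*LISTEN'", port);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Second entry is the parameter from the report on this page. */
    const char *samples[] = { "80", "80';id >/tmp/ID ; echo '", "65536", "" };
    char cmd[128];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-28s -> %s\n", samples[i],
               build_listen_command(samples[i], cmd, sizeof(cmd)) == 0 ? cmd : "rejected");
    return 0;
}
```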



 Comments   
Comment by Alexander Vladishev [ 2009 Sep 24 ]

Fixed in branches 1.6 (pre1.6.7) and trunk, revision 7961.

Comment by Igor Danoshaites (Inactive) [ 2009 Nov 20 ]

This patch seems to be fine.
Thank you from the user who installed it.
