[ZBX-1032] Bypassing EnableRemoteCommands=0 in Zabbix Client. Created: 2009 Sep 10 Updated: 2017 May 30 Resolved: 2009 Sep 24 |
|
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Agent (G) |
Affects Version/s: | None |
Fix Version/s: | 1.6.6, 1.9.0 (alpha) |
Type: | Incident report | Priority: | Blocker |
Reporter: | Igor Danoshaites (Inactive) | Assignee: | Unassigned |
Resolution: | Fixed | Votes: | 0 |
Labels: | None | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Description |
Has been found a security vulnerability in Zabbix Client allowing to execute OS commands, even if EnableRemoteCommands is set to "0". This was tested on Zabbbix 1.6.5. The IP address check is not bypassed, so the attacker must come from (or spoof) a valid Zabbix Server. This bug exists only in FreeBSD and Solaris agents. In ./src/libs/zbxsysinfo/(freebsd|solaris)/net.c, a user defined variable "param" is used to create "command" which is executed. Exploit : This will execute "id" on the client and write the result to /tmp/ID. |
Comments |
Comment by Alexander Vladishev [ 2009 Sep 24 ] |
Fixed in branches 1.6 (pre1.6.7) and trunk, revision 7961. |
Comment by Igor Danoshaites (Inactive) [ 2009 Nov 20 ] |
This patch seems to be fine. |