[ZBX-10741] included to sources user param mysql.size[] produces error on some shells Created: 2016 May 02 Updated: 2020 Jul 16 Resolved: 2016 May 11 |
|
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Agent (G) |
Affects Version/s: | 2.0.17, 2.2.12, 3.0.2 |
Fix Version/s: | 2.0.18rc1, 2.2.13rc1, 3.0.3rc1, 3.2.0alpha1 |
Type: | Defect (Security) | Priority: | Blocker |
Reporter: | Oleksii Zagorskyi | Assignee: | Unassigned |
Resolution: | Fixed | Votes: | 1 |
Labels: | security, userparameters | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Description |
It has been added to "userparameter_mysql.conf" in

When executing user parameters, Zabbix agent executes the provided command using the /bin/sh path to the shell.

    # zabbix_get -s localhost -k mysql.size[]
    sh: 1: [[: not found
    sh: 1: : Permission denied
    sh: 1: [[: not found
    sh: 1: : Permission denied
    9154856857

    # zabbix_get -s localhost -k mysql.size[uname]
    sh: 1: [[: not found
    uname: extra operand ‘]]’
    Try 'uname --help' for more information.
    sh: 1: [[: not found
    sh: 1: : Permission denied
    9154856857

    # zabbix_get -s localhost -k mysql.size[,uname]
    sh: 1: [[: not found
    sh: 1: : Permission denied
    sh: 1: [[: not found
    uname: extra operand ‘]]’
    Try 'uname --help' for more information.
    9154856857

Moreover - 1st and 2nd key params will be executed as commands with "]]" as command parameter, which may be considered as a small vulnerability.

To fix this issue for dash I suggest to rewrite the user parameter a bit.

    UserParameter=mysql.size[*],echo "select sum($(case "$3" in both|"") echo "data_length+index_length";; data|index) echo "$3_length";; free) echo "data_free";; esac)) from information_schema.tables$([[ "$1" = "all" || ! "$1" ]] || echo " where table_schema='$1'")$([[ "$2" = "all" || ! "$2" ]] || echo "and table_name='$2'");" | HOME=/var/lib/zabbix mysql -N

suggested one:

    UserParameter=mysql.size[*],echo "select sum($(case "$3" in both|"") echo "data_length+index_length";; data|index) echo "$3_length";; free) echo "data_free";; esac)) from information_schema.tables$([ "$1" = "all" ] || [ ! "$1" ] || echo " where table_schema='$1'")$([ "$2" = "all" ] || [ ! "$2" ] || echo " and table_name='$2'");" | HOME=/var/lib/zabbix mysql -N

(note - an additional space added for better SQL syntax)

I've tested suggested change on other available shells (on Debian 8), results:
As an idea, I've tried to add "bash" as a prefix for the complete command line.

    UserParameter=mysql.size[*],bash -c 'echo "select sum($(case "$3" in both|"") echo "data_length+index_length";; data|index) echo "$3_length";; free) echo "data_free";; esac)) from information_schema.tables$([[ "$1" = "all" || ! "$1" ]] || echo " where table_schema=\"$1\"")$([[ "$2" = "all" || ! "$2" ]] || echo " and table_name=\"$2\"");" | HOME=/var/lib/zabbix mysql -N'

(also - single quotes have been changed to double quotes and escaped)

Need to decide which way we will go. |
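An added example, not part of the original issue and not Zabbix code: a small POSIX sh audit that flags UserParameter lines using the bash-only "[[" test without an explicit "bash -c" wrapper, which is the condition described above. The demo.* keys and the sample config are constructed, with commands abridged from the three variants in the description.

```shell
#!/bin/sh
# Added example (not Zabbix code): flag UserParameter commands that use the
# bash-only "[[ ... ]]" test. The agent runs them with /bin/sh, so on dash
# "[[" is "not found" and the "|| ! $1 ]]" part runs the key parameter.

# write_sample FILE: constructed sample config; the demo.* keys are
# hypothetical and the commands are abridged from the issue's three variants.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a shipped Zabbix file
UserParameter=demo.orig[*],echo "x$([[ "$1" = "all" || ! "$1" ]] || echo " where table_schema='$1'")"
UserParameter=demo.posix[*],echo "x$([ "$1" = "all" ] || [ ! "$1" ] || echo " where table_schema='$1'")"
UserParameter=demo.bash[*],bash -c 'echo "x$([[ "$1" = "all" || ! "$1" ]] || echo " where table_schema=\"$1\"")"'
EOF
}

# audit_userparams FILE: print "key<TAB>verdict" for every UserParameter line;
# exit status is 1 if any line is unsafe, 0 otherwise.
audit_userparams() {
    awk '
    BEGIN { bad = 0 }
    /^[ \t]*UserParameter=/ {
        line = $0
        sub(/^[ \t]*UserParameter=/, "", line)
        comma = index(line, ",")      # key (name or name[*]) ends at first comma
        if (comma == 0) next
        key = substr(line, 1, comma - 1)
        cmd = substr(line, comma + 1)
        verdict = "ok"
        # Match "[[ " with the trailing space so POSIX classes such as
        # [[:digit:]] in grep/sed arguments are not reported.
        if (index(cmd, "[[ ") > 0) {
            if (cmd ~ /^[ \t]*bash[ \t]+-c[ \t]/) {
                verdict = "ok (explicit bash -c)"
            } else {
                verdict = "UNSAFE: [[ evaluated by /bin/sh"
                bad = 1
            }
        }
        printf "%s\t%s\n", key, verdict
    }
    END { exit bad }' "$1"
}

sample=$(mktemp)
write_sample "$sample"
audit_userparams "$sample" || echo "at least one UserParameter needs fixing"
rm -f "$sample"
```

The check is static and only recognises a "bash -c" prefix at the start of the command, so other wrappers need a manual look.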
Comments |
Comment by Oleksii Zagorskyi [ 2016 May 02 ] |
Issue was initially discovered by Henri Salo and Timo Lindfors, we should give credits. |
Comment by richlv [ 2016 May 02 ] |
thank you for looking into this. note that this works on dash and probably most modern shells, but isn't old bourne sh compatible still because of $() |
Comment by Henri Salo [ 2016 May 03 ] |
Please use CVE-2016-4338 for this issue. Timo Lindfors discovered this issue and I coordinated with vendor. |
Comment by Oleksii Zagorskyi [ 2016 May 03 ] |
I personally would go with the 1st suggested fix. |
Comment by Andris Zeila [ 2016 May 05 ] |
Ideally it should be patched by distros, depending on the shells they are providing. For us, explicitly using bash seems to be the safer call. |
Comment by Andris Zeila [ 2016 May 05 ] |
Fixed in development branch svn://svn.zabbix.com/branches/dev/ZBX-10741 |
Comment by Andris Zeila [ 2016 May 09 ] |
Released in:
|
Comment by Andris Zeila [ 2016 May 09 ] |
Documented in:
sasha CLOSED |