[ZBX-18362] Windows MSI for zabbix agent handles PSK user input insecurely Created: 2020 Sep 11  Updated: 2024 Apr 10  Resolved: 2021 Feb 14

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Agent (G)
Affects Version/s: 5.0.3
Fix Version/s: 4.0.29rc1, 5.0.9rc1, 5.2.5rc1, 5.4.0alpha2, 5.4 (plan)

Type: Defect (Security) Priority: Trivial
Reporter: Martin Assignee: Artjoms Rimdjonoks
Resolution: Fixed Votes: 0
Labels: agent
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Windows amd64 (tested on Windows Server 2019)


Attachments: File zabbix_agent-5.0.8-x64.msi     File zabbix_agent-5.2.4-x64.msi     File zabbix_agent2-5.0.8-x64.msi.7z     File zabbix_agent2-5.2.4-x64.msi.7z    
Issue Links:
Sub-task
part of ZBXNEXT-6016 MSI Installer for Zabbix Agent2 Closed
Team: Team C
Sprint: Sprint 68 (Sep 2020), Sprint 69 (Oct 2020), Sprint 70 (Nov 2020), Sprint 71 (Dec 2020), Sprint 72 (Jan 2021), Sprint 73 (Feb 2021)
Story Points: 0.5

 Description   

Steps to reproduce:

  1. run zabbix_agent-5.0.3-windows-amd64-openssl.msi
  2. Next, accept license, next
  3. Check "Enable PSK", enter some string into the Zabbix Server field
  4. next
  5. enter some string into the field "Pre-shared key identity"
  6. enter "somekey&calc.exe" into the field "Pre-shared key value"
  7. next, next, install

Result:

Installation succeeds

C:\Programs\Zabbix Agent\psk.key is empty

Calculator is executed

Expected:

Installation succeeds

C:\Programs\Zabbix Agent\psk.key contains "somekey&calc.exe"

Further information:

The Windows Installer log ([Microsoft Docs - Enable Windows Installer Logging|https://docs.microsoft.com/en-us/troubleshoot/windows-client/application-management/enable-windows-installer-logging]) shows this:

MSI (s) (6C:CC) [12:50:34:687]: PROPERTY CHANGE: Adding PSKFileDefCreate property. Its value is '"C:\Windows\system32\cmd.exe" /C echo somekey&calc.exe>"C:\Program Files\Zabbix Agent\psk.key"'.
Action ended 12:50:34: PSKFileDefCreate_cmd. Return value 1.
MSI (s) (6C:CC) [12:50:34:687]: Doing action: PSKFileDefCreate
Action 12:50:34: PSKFileDefCreate. 
Action start 12:50:34: PSKFileDefCreate.
PSKFileDefCreate: 
Action ended 12:50:34: PSKFileDefCreate. Return value 1.
MSI (s) (6C:CC) [12:50:34:703]: Doing action: PSKFileUserCreate_cmd
Action 12:50:34: PSKFileUserCreate_cmd. 
Action start 12:50:34: PSKFileUserCreate_cmd.
MSI (s) (6C:CC) [12:50:34:703]: PROPERTY CHANGE: Adding PSKFileUserCreate property. Its value is '"C:\Windows\system32\cmd.exe" /C echo somekey&calc.exe>""'.
Action ended 12:50:34: PSKFileUserCreate_cmd. Return value 1.
MSI (s) (6C:CC) [12:50:34:703]: Skipping action: PSKFileUserCreate (condition is false)
MSI (s) (6C:CC) [12:50:34:703]: Doing action: AgentService_Run
Action 12:50:34: AgentService_Run. 
Action start 12:50:34: AgentService_Run.
AgentService_Run: 
Action ended 12:50:34: AgentService_Run. Return value 1.
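
Added example (not part of the original report and not Zabbix code): a small audit of a verbose MSI log that flags properties whose `cmd.exe /C` command line splits into more than one command at an unquoted `&` or `|`. The splitter is a simplified model of cmd.exe parsing, and the third sample line is constructed; on the logged value the split yields `echo somekey` and `calc.exe>"...psk.key"`, so the redirection belongs to the second command.

```python
import re

# "Adding" form of the verbose MSI log's PROPERTY CHANGE line, as seen in this report.
PROP_RE = re.compile(r"PROPERTY CHANGE: Adding (\S+) property\. Its value is '(.*)'\.\s*$")
CMD_RE = re.compile(r'cmd(?:\.exe)?"?\s+/C\s+(.*)', re.IGNORECASE)

def split_unquoted(tail):
    """Split a cmd.exe /C string at unquoted & or | (simplified model of cmd parsing)."""
    parts, cur, in_quotes, i = [], "", False, 0
    while i < len(tail):
        ch = tail[i]
        if ch == "^" and not in_quotes and i + 1 < len(tail):
            cur += tail[i:i + 2]          # caret escapes the next character
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch in "&|" and not in_quotes:  # command separator or pipe
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
        i += 1
    parts.append(cur.strip())
    return [p for p in parts if p]

def audit_msi_log(text):
    """Return (property, [commands]) for each cmd.exe /C property holding more than one command."""
    findings = []
    for line in text.splitlines():
        prop = PROP_RE.search(line)
        cmd = CMD_RE.search(prop.group(2)) if prop else None
        if cmd:
            commands = split_unquoted(cmd.group(1))
            if len(commands) > 1:
                findings.append((prop.group(1), commands))
    return findings

# The first two lines are copied from the log in this report; the third is constructed (benign key).
SAMPLE_LOG = r"""
MSI (s) (6C:CC) [12:50:34:687]: PROPERTY CHANGE: Adding PSKFileDefCreate property. Its value is '"C:\Windows\system32\cmd.exe" /C echo somekey&calc.exe>"C:\Program Files\Zabbix Agent\psk.key"'.
MSI (s) (6C:CC) [12:50:34:703]: PROPERTY CHANGE: Adding PSKFileUserCreate property. Its value is '"C:\Windows\system32\cmd.exe" /C echo somekey&calc.exe>""'.
MSI (s) (6C:CC) [12:50:34:703]: PROPERTY CHANGE: Adding ConstructedBenignExample property. Its value is '"C:\Windows\system32\cmd.exe" /C echo somekey>"C:\Program Files\Zabbix Agent\psk.key"'.
"""

if __name__ == "__main__":
    for name, commands in audit_msi_log(SAMPLE_LOG):
        print(name, "->", commands)
```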


 Comments   
Comment by Alexander Vladishev [ 2021 Feb 02 ]

MSI packages with this fix will be available in release of 4.0.29, 5.0.9, 5.2.5.
