[ZBX-4529] Some shell metachars not escaped when call alert script Created: 2012 Jan 09  Updated: 2017 May 30  Resolved: 2015 May 19

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Server (S)
Affects Version/s: 1.8.10
Fix Version/s: 2.0.15rc1, 2.2.10rc1, 2.4.6rc1, 2.5.0

Type: Incident report Priority: Major
Reporter: Pavel Assignee: Unassigned
Resolution: Fixed Votes: 5
Labels: actions, escaping
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments:
  • zabbix-1.8-r50496-execute_script_media_by_execvp.patch
  • zabbix-2.0-r50496-execute_script_media_by_execvp.patch
  • zabbix-2.2-r50496-execute_script_media_by_execvp.patch
  • zabbix-2.4-r50496-execute_script_media_by_execvp.patch
Issue Links:
Duplicate

 Description   

When the alerter calls an external script, it can pass some information, including the last item value, as command-line arguments.
The item value can contain information outside the Zabbix administrator's control, such as web page content.
And when this information is passed to the command line, shell metacharacters such as '$', '~', '@' and even '`' are not escaped.
Due to this, a hacker can execute arbitrary code on the Zabbix server if he has access to the monitored web page, an alert action is configured as an external script, the last value is included in the message body, and the item value is web page content.

The solution I propose is to call external scripts via the exec() function and not via "/bin/sh -c".
Another solution - passing the message body to the external script via stdin - does not solve the same (hypothetical) problem with the subject.
Escaping all shell metacharacters before calling the script seems ugly to me.



 Comments   
Comment by Pavel [ 2013 Sep 09 ]

Escaping all metacharacters in script arguments does not seem so ugly to me now.

Comment by Takanori Suzuki [ 2014 Nov 07 ]

Action subject and message can include "{ITEM.VALUE[1-9]}", and it is difficult for an admin to escape the content of the macro.
Especially if there is an active check item, other people on the monitored machine can send data with the zabbix_sender command.
It can be a problem.

So I made patches that execute script media by execvp() instead of the current implementation.
Other executing functions use the existing zbx_execute() function, so other behaviour will not change.
I made them for the 1.8, 2.0, 2.2 and 2.4 branches at revision 50496.
With execvp(), users don't have to parse the action subject and message.
It prevents command injection.

Comment by Andris Zeila [ 2015 May 11 ]

The simplest solution would be to use strong quoting for script arguments (escaping ' with '\'').
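The description above reports the unescaped "/bin/sh -c" path, and the comments propose two fixes: execvp() with an argument vector (Takanori's patches) and strong quoting of the arguments (Andris's comment just above). The C program below is an added example written for this page, not Zabbix code: it builds the alert command line the vulnerable way, builds it again with strong quoting, and finally runs the script through execvp() with no shell, capturing what the script actually receives in each case. /bin/echo standing in for the alert script, the argument order (sendto, subject, message), the recipient address and the item value "Status: `echo INJECTED`" are all constructed assumptions for the demonstration.

```c
/* Added example, not Zabbix code. Script path, argument order and the payload
 * are assumptions made for the demonstration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable construction: one string for sh to parse; double quotes do not
 * stop `...` or $(...) substitution. */
char *build_unescaped_command(const char *script, const char *sendto,
                              const char *subject, const char *message)
{
    size_t n = strlen(script) + strlen(sendto) + strlen(subject) + strlen(message) + 16;
    char *cmd = malloc(n);
    if (cmd != NULL)
        snprintf(cmd, n, "%s \"%s\" \"%s\" \"%s\"", script, sendto, subject, message);
    return cmd;
}

/* Strong quoting as proposed in the comments: wrap in single quotes and turn
 * each embedded ' into '\'' so sh interprets nothing inside. */
char *shell_quote(const char *s)
{
    size_t n = 3;                        /* two quotes plus NUL */
    const char *p;
    for (p = s; *p != '\0'; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n), *o = out;
    if (out == NULL)
        return NULL;
    *o++ = '\'';
    for (p = s; *p != '\0'; p++) {
        if (*p == '\'') { memcpy(o, "'\\''", 4); o += 4; }
        else *o++ = *p;
    }
    *o++ = '\''; *o = '\0';
    return out;
}

/* Same command line, every untrusted argument strongly quoted. */
char *build_quoted_command(const char *script, const char *sendto,
                           const char *subject, const char *message)
{
    char *qs = shell_quote(sendto), *qj = shell_quote(subject), *qm = shell_quote(message);
    char *cmd = NULL;
    if (qs != NULL && qj != NULL && qm != NULL) {
        size_t n = strlen(script) + strlen(qs) + strlen(qj) + strlen(qm) + 4;
        if ((cmd = malloc(n)) != NULL)
            snprintf(cmd, n, "%s %s %s %s", script, qs, qj, qm);
    }
    free(qs); free(qj); free(qm);
    return cmd;
}

/* fork + execvp with an argv array, capturing the child's stdout into out.
 * No shell is involved, so each argv element arrives byte for byte.
 * Returns the child's exit status, or -1 on error. */
int run_capture(char *const argv[], char *out, size_t outlen)
{
    int fds[2], status;
    size_t used = 0; ssize_t r; pid_t pid;
    if (pipe(fds) == -1 || (pid = fork()) == -1)
        return -1;
    if (pid == 0) {                      /* child */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(fds[1]);
    while (used < outlen - 1 && (r = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)r;
    out[used] = '\0';
    close(fds[0]);
    return (waitpid(pid, &status, 0) != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

/* The "/bin/sh -c" path the issue describes: sh re-parses the whole string. */
int run_via_shell(const char *cmd, char *out, size_t outlen)
{
    char *argv[] = { "/bin/sh", "-c", (char *)cmd, NULL };
    return run_capture(argv, out, outlen);
}

int main(void)
{
    /* Constructed attacker-controlled item value, e.g. monitored web page content. */
    const char *payload = "Status: `echo INJECTED`";
    char out[256], *argv[] = { "/bin/echo", "admin@example.com", "Problem", (char *)payload, NULL };
    char *cmd = build_unescaped_command("/bin/echo", "admin@example.com", "Problem", payload);
    char *safe = build_quoted_command("/bin/echo", "admin@example.com", "Problem", payload);
    run_via_shell(cmd, out, sizeof out);  printf("sh -c, unescaped: %s", out);
    run_via_shell(safe, out, sizeof out); printf("sh -c, quoted:    %s", out);
    run_capture(argv, out, sizeof out);   printf("execvp:           %s", out);
    free(cmd); free(safe); return 0;
}
```

Compile with `cc -o zbx4529 zbx4529.c` and run it: the first line shows the backticks consumed and "INJECTED" substituted by sh before the script ever ran, while the quoted and execvp() variants both deliver the literal "`echo INJECTED`" to the script. Strong quoting fixes the sh parsing step but still depends on every caller remembering to quote; execvp() removes the shell from the path entirely, which is why the patches attached to this issue take that route.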

Comment by Andris Zeila [ 2015 May 11 ]

Fixed in development branch svn://svn.zabbix.com/branches/dev/ZBX-4529

Comment by Alexander Vladishev [ 2015 May 19 ]

Successfully tested! Take a look at my changes in r53653.

wiper reviewed, thanks

Comment by Andris Zeila [ 2015 May 19 ]

Released in:

  • pre-2.0.15rc1 r53655
  • pre-2.2.10rc1 r53656
  • pre-2.4.6rc1 r53657
  • pre-2.5.0 r53658