[ZBX-7479] Possible shell command injection Created: 2013 Dec 03  Updated: 2020 Jul 16  Resolved: 2014 Dec 15

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Agent (G)
Affects Version/s: 1.8.18, 2.0.9, 2.2.0
Fix Version/s: 1.8.19rc1, 2.0.10rc1, 2.2.1rc1, 2.3.0

Type: Defect (Security) Priority: Blocker
Reporter: Alexander Vladishev Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File zbx-7479-1.8.18.patch     File zbx-7479-1.8.2.patch     File zbx-7479-2.0.9.patch     File zbx-7479-2.2.0.patch    
Issue Links:
Duplicate

 Description   

-------------------------
Vulnerability description
-------------------------

Zabbix agent is vulnerable to remote command execution from the Zabbix server in some cases.

Please use CVE-2013-6824 to refer to this vulnerability.

This vulnerability has been reported by Recurity Labs Team.

-------
Details
-------

If a flexible (accepting parameters) user parameter is configured in the agent, including a newline in the parameters will execute newline section as a separate command even if UnsafeUserParameters are disabled.
This type of attack is only possible from Zabbix server or Zabbix proxy systems that are explicitly allowed in the agent configuration. Only flexible user parameters are vulnerable, static ones are not.

For example, a user parameter as the following would accept some prameters:

UserParameter=vfs.dir.size[*],du s -B 1 "${1:/tmp}" | cut -f1

The following would result in the 'id' command being executed:

echo -e "vfs.dir.size[\nid\n]" | nc localhost 10050

-----------------
Affected versions
-----------------

All of the Zabbix versions are vulnerable to this type of attacks.

--------------
Fixed versions
--------------

These vulnerabilities have been fixed in the latest releases of Zabbix.

The fix is available in the following Zabbix releases
2.2.1
2.0.10
1.8.19

Additionally, patches are available for the following Zabbix versions:
2.0.9 (also applicable to 2.0.8)
1.8.18
1.8.2

 Comments   
Comment by Alexander Vladishev [ 2013 Dec 03 ]

Fixed in pre-1.8.19 r40710, pre-2.0.10 r40712, pre-2.2.1 r40713 and pre-2.3.0 (trunk) r40714

Comment by Alexander Vladishev [ 2013 Dec 03 ]

Windows pre-compiled agents are available in:

  • branches/1.8 r40717
  • branches/2.0 r40718
  • branches/2.2 r40719
  • trunk r40720
Comment by Volker Fröhlich [ 2013 Dec 05 ]

Patched in 2.0.9-2 and 1.8.18-2 releases of zabbix and zabbix20 in EPEL 5 and 6 and Fedora 19 and up.

Comment by richlv [ 2014 Dec 12 ]

(1) documentation was not updated. as newline is not a very printable character, i'd suggest appending a line similar to this :
"Additionally, newline is not allowed either."

martins-v Added in the respective places, please review.. RESOLVED.

<richlv> looks good to me, CLOSED

Generated at Fri Apr 26 08:57:57 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.