Zabbix security: Execute the command to obtain the shell after cracking the weak password.

Source: Internet
Author: User


If your Zabbix Admin password is weak, or you still use the default credentials (Admin/zabbix), and an attacker guesses or cracks it, the Zabbix server no longer offers any resistance. The attacker can create items using "system.run[command,<mode>]" to execute commands, and can even obtain a shell on the server with root permissions.

First, a word about "system.run[command,<mode>]". This item key is built into the agent and lets the Zabbix server execute arbitrary commands on the agent machine. It can be used in two ways: by creating a monitoring item, or by calling the zabbix_get command directly. For the agent to accept it, EnableRemoteCommands=1 must be set in the agent configuration file. Commands run with the permissions of the user the agent was started as; if you set the agent to run as root (AllowRoot=1) for convenience, this is very dangerous.

The following is a simulated scenario: an attacker who has obtained the Zabbix Admin password uses it to obtain a shell, and even root permissions, on the server:

Use NetCat (nc) to open the shell. On RedHat/CentOS systems, nc can be installed with yum.

Choose Administration > Scripts and create a script, such as:

Select "Zabbix server" for "Execute on", and enter the following in "Commands":

mkfifo /tmp/tmp_fifo; cat /tmp/tmp_fifo | /bin/bash -i 2>&1 | nc -l 2222 > /tmp/tmp_fifo

This opens a shell and listens on port 2222.

Go to the Dashboard page and click a host; a "Scripts" menu appears. Click the "create shell" script created above to execute the command.

On the Zabbix server you can now see that port 2222 is listening.

Next, connect to the server's shell from our own machine with the nc command:

This shows that we have obtained a shell on the Zabbix server, with root permissions, because my Zabbix server was started as root.

The following describes how to harden Zabbix to prevent this situation:

1. The Zabbix logon password must be complex. Do not use the default password or a weak password.

2. Do not run the Zabbix server or agent as root, and do not set AllowRoot=1.

3. Do not allow the agent to execute system.run: do not set EnableRemoteCommands=1.

4. Apply security patches regularly. If the system kernel is outdated and vulnerable, root permissions can be obtained even from the zabbix user account.
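As an added example (not part of the original article or of Zabbix itself), the following Python script audits points 2 and 3 above by parsing a Zabbix agent configuration file and flagging EnableRemoteCommands=1 and AllowRoot=1. It also follows Include= directives, because the risky line is often in a drop-in file rather than the main config; the sample configuration it builds is constructed for the demo.

```python
"""Audit a Zabbix agent/server config for EnableRemoteCommands and AllowRoot.
Added example, not Zabbix project code. Assumes the standard Key=Value format
with '#' comments and Include= lines pointing at files, directories or globs."""
import glob
import os
import tempfile

# Directive -> value that the article identifies as dangerous
RISKY = {"EnableRemoteCommands": "1", "AllowRoot": "1"}


def parse_zabbix_conf(path, seen=None):
    """Return {Key: value}; later assignments in reading order win (simplification)."""
    seen = seen if seen is not None else set()
    settings = {}
    real = os.path.realpath(path)
    if real in seen:  # guard against Include loops
        return settings
    seen.add(real)
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "Include":
                # A directory includes every file in it; otherwise treat as file/glob
                target = os.path.join(value, "*") if os.path.isdir(value) else value
                for inc in sorted(glob.glob(target)):
                    if os.path.isfile(inc):
                        settings.update(parse_zabbix_conf(inc, seen))
            else:
                settings[key] = value
    return settings


def audit(settings):
    """Return the risky directives present, e.g. ['AllowRoot=1']."""
    return [f"{k}={settings[k]}" for k, v in RISKY.items() if settings.get(k) == v]


def demo():
    """Constructed sample: the main conf looks clean, a drop-in re-enables both settings."""
    tmp = tempfile.mkdtemp()
    dropin = os.path.join(tmp, "zabbix_agentd.d")
    os.mkdir(dropin)
    main_conf = os.path.join(tmp, "zabbix_agentd.conf")
    with open(main_conf, "w") as f:
        f.write(f"# constructed sample\nServer=127.0.0.1\nEnableRemoteCommands=0\nInclude={dropin}\n")
    with open(os.path.join(dropin, "local.conf"), "w") as f:
        f.write("EnableRemoteCommands=1\nAllowRoot=1\n")
    return audit(parse_zabbix_conf(main_conf))  # ['EnableRemoteCommands=1', 'AllowRoot=1']
```

Run parse_zabbix_conf on /etc/zabbix/zabbix_agentd.conf and /etc/zabbix/zabbix_server.conf; an empty list from audit means neither risky directive is set.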
