[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Zabbix 2.2.x, 3.0.x SQL Injection Vulnerability

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Zabbix 2.2.x, 3.0.x SQL Injection Vulnerability
From: 1n3@xxxxxxxxxxxx
Date: Thu, 11 Aug 2016 17:23:23 -0700

=========================================
Title: Zabbix 3.0.3 SQL Injection Vulnerability
Product: Zabbix
Vulnerable Version(s): 2.2.x, 3.0.x
Fixed Version: 3.0.4
Homepage: http://www.zabbix.com 
Patch link: https://support.zabbix.com/browse/ZBX-11023 
Credit: 1N3@CrowdShield 
==========================================
 
 
Vendor Description:
=====================
Zabbix is an open source availability and performance monitoring solution. 
 
 
Vulnerability Overview:
=====================
Zabbix 2.2.x, 3.0.x and trunk suffers from a remote SQL injection vulnerability 
due to a failure to sanitize input in the toggle_ids array in the latest.php 
page.
 
 
Business Impact:
=====================
By exploiting this SQL injection vulnerability, an authenticated attacker (or 
guest user) is able to gain full access to the database. This would allow an 
attacker to escalate their privileges to a power user, compromise the database, 
or execute commands on the underlying database operating system.
 
Because of the functionalities Zabbix offers, an attacker with admin privileges 
(depending on the configuration) can execute arbitrary OS commands on the 
configured Zabbix hosts and server. This results in a severe impact to the 
monitored infrastructure.
 
Although the attacker needs to be authenticated in general, the system could 
also be at risk if the adversary has no user account. Zabbix offers a guest 
mode which provides a low privileged default account for users without 
password. If this guest mode is enabled, the SQL injection vulnerability can be 
exploited unauthenticated.
 
 
Proof of Concept:
=====================
 
latest.php?output=ajax&sid=&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385);
 select * from users where (1=1

Result:
SQL (0.000361): INSERT INTO profiles (profileid, userid, idx, value_int, type, 
idx2) VALUES (88, 1, 'web.latest.toggle', '1', 2, 15385); select * from users 
where (1=1)
latest.php:746 → require_once() → CProfile::flush() → CProfile::insertDB() → 
DBexecute() in 
/home/sasha/zabbix-svn/branches/2.2/frontends/php/include/profiles.inc.php:185


Disclosure Timeline:
=====================

7/18/2016 - Reported vulnerability to Zabbix
7/21/2016 - Zabbix responded with permission to file CVE and to disclose after 
a patch is made public
7/22/2016 - Zabbix released patch for vulnerability
8/3/2016 - CVE details submitted
8/11/2016 - Vulnerability details disclosed


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Follow-Ups:
- Re: [FD] Zabbix 2.2.x, 3.0.x SQL Injection Vulnerability
  - From: Brandon Perry

Prev by Date: [FD] Directory Traversal Vulnerability in ColoradoFTP v1.3 Prime Edition (Build 8)
Next by Date: [FD] RCE in Teamspeak 3 server
Previous by thread: [FD] Directory Traversal Vulnerability in ColoradoFTP v1.3 Prime Edition (Build 8)
Next by thread: Re: [FD] Zabbix 2.2.x, 3.0.x SQL Injection Vulnerability
Index(es):
- Date
- Thread