漏洞预警:Zabbix高危SQL注入漏洞,可获取系统权限

漏洞概述

zabbix是一个开源的企业级性能监控解决方案。

官方网站:http://www.zabbix.com

zabbix的jsrpc的profileIdx2参数存在insert方式的SQL注入漏洞,原文说是:“攻击者无需授权登陆即可登陆zabbix管理系统,也可通过script等功能轻易直接获取zabbix服务器的操作系统权限。“

但经过棱安全团队的测试发现注入的前提是需要登陆的。 不需要登陆是因为 zabbix 开启了guest权限,才可注入;而guest账号默认密码是空的

影响程度

攻击成本:低

危害程度:高

是否登陆:不需要(guest权限下)

影响范围:2.2.x, 3.0.0-3.0.3。(其他版本未经测试)

3

漏洞测试

在您的zabbix的地址后面加上如下url:

20160818114635

输出结果,出现如下内容(包含:You have an error in your SQL syntax;)表示漏洞存在:

2

test

参考POC

==========================================
Title: Zabbix 3.0.3 SQL Injection Vulnerability
Product: Zabbix
Vulnerable Version(s): 2.2.x, 3.0.x
Fixed Version: 3.0.4
Homepage: http://www.zabbix.com 
Patch link: https://support.zabbix.com/browse/ZBX-11023 
Credit: 1N3@CrowdShield 
==========================================
 
 
Vendor Description:
=====================
Zabbix is an open source availability and performance monitoring solution. 
 
 
Vulnerability Overview:
=====================
Zabbix 2.2.x, 3.0.x and trunk suffers from a remote SQL injection vulnerability due to a failure to sanitize input in the toggle_ids array in the latest.php page.
 
 
Business Impact:
=====================
By exploiting this SQL injection vulnerability, an authenticated attacker (or guest user) is able to gain full access to the database. This would allow an attacker to escalate their privileges to a power user, compromise the database, or execute commands on the underlying database operating system.
 
Because of the functionalities Zabbix offers, an attacker with admin privileges (depending on the configuration) can execute arbitrary OS commands on the configured Zabbix hosts and server. This results in a severe impact to the monitored infrastructure.
 
Although the attacker needs to be authenticated in general, the system could also be at risk if the adversary has no user account. Zabbix offers a guest mode which provides a low privileged default account for users without password. If this guest mode is enabled, the SQL injection vulnerability can be exploited unauthenticated.
 
 
Proof of Concept:
=====================
 
latest.php?output=ajax&sid=&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385); select * from users where (1=1

Result:
SQL (0.000361): INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) VALUES (88, 1, 'web.latest.toggle', '1', 2, 15385); select * from users where (1=1)
latest.php:746 → require_once() → CProfile::flush() → CProfile::insertDB() → DBexecute() in /home/sasha/zabbix-svn/branches/2.2/frontends/php/include/profiles.inc.php:185


Disclosure Timeline:
=====================

7/18/2016 - Reported vulnerability to Zabbix
7/21/2016 - Zabbix responded with permission to file CVE and to disclose after a patch is made public
7/22/2016 - Zabbix released patch for vulnerability
8/3/2016 - CVE details submitted
8/11/2016 - Vulnerability details disclosed

补充

以上为仅为漏洞验证测试方式。

攻击者可以通过进一步构造语句进行错误型sql注射,获取和破解加密的管理员密码。

特定环境下可以直接通过获取admin的sessionid来根据结构算法构造sid,替换cookie直接以管理员身份登陆。

修复方案

尽快升级到最新版,据说3.0.4版本已经修补。

禁用guest账户

安全提示

监控系统监控着每个企业的核心资产,一旦被黑客入侵控制,等同帮助黑客进一步渗透企业敞开了大门。

请大家务必重视,并尽快修补此漏洞。

漏洞报告详情:http://seclists.org/fulldisclosure/2016/Aug/82

参考

三矛科技

http://seclists.org/fulldisclosure/2016/Aug/82

https://www.exploit-db.com/exploits/40237/

原创文章,作者:懋彤信息科技,如若转载,请注明出处:http://www.mottoin.com/news/87500.html

发表评论

登录后才能评论

评论列表(2条)

联系我们

021-62666911

在线咨询:点击这里给我发消息

邮件:root@mottoin.com

工作时间:周一至周五,9:30-18:30,节假日休息

QR code