zabbix CVE-2013-6824

没穿底裤 2020年1月1日00:01:27评论477 views字数 2585阅读8分37秒阅读模式
摘要

Vulnerability description
-------------------------Zabbix agent is vulnerable to remote command execution from the Zabbix server in some cases.

Vulnerability description
-------------------------

Zabbix agent is vulnerable to remote command execution from the Zabbix server in some cases.

Please use CVE-2013-6824 to refer to this vulnerability.

This vulnerability has been reported by Recurity Labs Team.

-------
Details
-------

If a flexible (accepting parameters) user parameter is configured in the agent, including a newline in the parameters will execute newline section as a separate command even if UnsafeUserParameters are disabled.
This type of attack is only possible from Zabbix server or Zabbix proxy systems that are explicitly allowed in the agent configuration. Only flexible user parameters are vulnerable, static ones are not.

For example, a user parameter as the following would accept some prameters:

UserParameter=vfs.dir.size[*],du -s -B 1 "${1:-/tmp}" | cut -f1

The following would result in the 'id' command being executed:

echo -e "vfs.dir.size[/nid/n]" | nc localhost 10050

patch:
[php]
Index: src/libs/zbxsysinfo/sysinfo.c
===================================================================
--- src/libs/zbxsysinfo/sysinfo.c (revision 40346)
+++ src/libs/zbxsysinfo/sysinfo.c (working copy)
@@ -320,13 +320,49 @@
test_parameter(commands[i].key, PROCESS_TEST | PROCESS_USE_TEST_PARAM);
}

+static int zbx_check_user_parameter(const char *param, char *error, int max_err_len)
+{
+ const char suppressed_chars[] = "//'/"`*?[]{}~$!&;()<>|#@/n", *c;
+ char *buf = NULL;
+ int buf_alloc = 128, buf_offset = 0;
+
+ if (0 != CONFIG_UNSAFE_USER_PARAMETERS)
+ return SUCCEED;
+
+ for (c = suppressed_chars; '/0' != *c; c++)
+ {
+ if (NULL == strchr(param, *c))
+ continue;
+
+ buf = zbx_malloc(buf, buf_alloc);
+
+ for (c = suppressed_chars; '/0' != *c; c++)
+ {
+ if (c != suppressed_chars)
+ zbx_strcpy_alloc(&buf, &buf_alloc, &buf_offset, ", ");
+
+ if (0 != isprint(*c))
+ zbx_chrcpy_alloc(&buf, &buf_alloc, &buf_offset, *c);
+ else
+ zbx_snprintf_alloc(&buf, &buf_alloc, &buf_offset, 5, "0x%02x", *c);
+ }
+
+ zbx_snprintf(error, max_err_len, "special characters /"%s/" are not allowed in the parameters", buf);
+
+ zbx_free(buf);
+
+ return FAIL;
+ }
+
+ return SUCCEED;
+}
+
static int replace_param(const char *cmd, const char *param, char *out, int outlen, char *error, int max_err_len)
{
int ret = SUCCEED;
char buf[MAX_STRING_LEN];
char command[MAX_STRING_LEN];
register char *pl, *pr;
- const char suppressed_chars[] = "//'/"`*?[]{}~$!&;()<>|#@/0", *c;

assert(out);

@@ -357,23 +393,10 @@
{
get_param(param, (int)(pr[1] - '0'), buf, MAX_STRING_LEN);

- if (0 == CONFIG_UNSAFE_USER_PARAMETERS)
- {
- for (c = suppressed_chars; '/0' != *c; c++)
- if (NULL != strchr(buf, *c))
- {
- zbx_snprintf(error, max_err_len, "Special characters '%s'"
- " are not allowed in the parameters",
- suppressed_chars);
- ret = FAIL;
- break;
- }
- }
+ if (SUCCEED != (ret = zbx_check_user_parameter(buf, error, max_err_len)))
+ break;
}

- if (FAIL == ret)
- break;
-
zbx_strlcat(out, buf, outlen);
outlen -= MIN((int)strlen(buf), (int)outlen);[/php]

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
没穿底裤
  • 本文由 发表于 2020年1月1日00:01:27
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   zabbix CVE-2013-6824http://cn-sec.com/archives/75309.html

发表评论

匿名网友 填写信息