what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Zabbix 3.0.3 SQL Injection

Zabbix 3.0.3 SQL Injection
Posted Aug 12, 2016
Authored by 1N3

Zabbix version 3.0.3 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | e66499a7042cb8648e12f24179f33ad12b968d3990953a0c243addd146feb69e

Zabbix 3.0.3 SQL Injection

Change Mirror Download
==========================================
Title: Zabbix 3.0.3 SQL Injection Vulnerability
Product: Zabbix
Vulnerable Version(s): 2.2.x, 3.0.x
Fixed Version: 3.0.4
Homepage: https://www.zabbix.com
Patch link: https://support.zabbix.com/browse/ZBX-11023
Credit: 1N3@CrowdShield
==========================================


Vendor Description:
=====================
Zabbix is an open source availability and performance monitoring solution.


Vulnerability Overview:
=====================
Zabbix 2.2.x, 3.0.x and trunk suffers from a remote SQL injection vulnerability due to a failure to sanitize input in the toggle_ids array in the latest.php page.


Business Impact:
=====================
By exploiting this SQL injection vulnerability, an authenticated attacker (or guest user) is able to gain full access to the database. This would allow an attacker to escalate their privileges to a power user, compromise the database, or execute commands on the underlying database operating system.

Because of the functionalities Zabbix offers, an attacker with admin privileges (depending on the configuration) can execute arbitrary OS commands on the configured Zabbix hosts and server. This results in a severe impact to the monitored infrastructure.

Although the attacker needs to be authenticated in general, the system could also be at risk if the adversary has no user account. Zabbix offers a guest mode which provides a low privileged default account for users without password. If this guest mode is enabled, the SQL injection vulnerability can be exploited unauthenticated.


Proof of Concept:
=====================

latest.php?output=ajax&sid=&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385); select * from users where (1=1

Result:
SQL (0.000361): INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) VALUES (88, 1, 'web.latest.toggle', '1', 2, 15385); select * from users where (1=1)
latest.php:746 a require_once() a CProfile::flush() a CProfile::insertDB() a DBexecute() in /home/sasha/zabbix-svn/branches/2.2/frontends/php/include/profiles.inc.php:185


Disclosure Timeline:
=====================

7/18/2016 - Reported vulnerability to Zabbix
7/21/2016 - Zabbix responded with permission to file CVE and to disclose after a patch is made public
7/22/2016 - Zabbix released patch for vulnerability
8/3/2016 - CVE details submitted
8/11/2016 - Vulnerability details disclosed
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close