Hi James,

On Fri, Dec 02, 2016 at 04:31:12PM +0000, James Cowgill wrote:
> Hi,
> 
> On Sun, 13 Nov 2016 21:23:30 +0100 Salvatore Bonaccorso <car...@debian.org> 
> wrote:
> > On Sun, Nov 13, 2016 at 09:00:58PM +0100, Salvatore Bonaccorso wrote:
> > > I'm not sure the subject is correct in stating that versions only
> > > below 3.0.3 are affected. Looking from the changes in api_jsonrpc.php
> > > it does not look yet fixed. Can you confirm?
> > > 
> > > Is upstream actually aware of the issue? Is a fix available?
> > 
> > From a quick test on an unstable VM this still seems to be the case for
> > the current unstable version.
> 
> https://support.zabbix.com/browse/ZBX-11483
> Quote from richlv (upstream):
> > doesn't look like it - the exploit-db example logs in as Admin, then
> > does script.update, followed by script.execute - it does not connect to
> > the trapper port directly but goes through the frontend.
> > 
> > that looks like somebody with the superadmin rights using a feature as
> > intended... not sure anything can/should be done about it.
> 
> Similarly, I'm not convinced there's a bug here at all.

Thanks for double-checking this. If I understood the issue correctly,
and quickly tried to reproduce it, any superadmin for zabbix would get a
shell (as the zabbix user) on the remote host. As I read in the
upstream report, there was now a further comment saying that zabbix
super admins are allowed to define/update any custom shell commands.

So maybe the CVE would need to be rejected.

I will follow up with that information on the oss-security thread
where the CVE was assigned.

Regards,
Salvatore