Bug#842702: zabbix: CVE-2016-9140: API JSON-RPC remote code execution

2016-12-04 Thread Salvatore Bonaccorso
Hi James,

On Fri, Dec 02, 2016 at 04:31:12PM +, James Cowgill wrote:
> Hi,
> 
> On Sun, 13 Nov 2016 21:23:30 +0100 Salvatore Bonaccorso  
> wrote:
> > On Sun, Nov 13, 2016 at 09:00:58PM +0100, Salvatore Bonaccorso wrote:
> > > I'm not sure the subject is correct in stating that versions only
> > > below 3.0.3 are affected. Looking from the changes in api_jsonrpc.php
> > > it does not look yet fixed. Can you confirm?
> > > 
> > > Is upstream actually aware of the issue? Is a fix available?
> > 
> > From a quick test on an unstable VM this seems still the case for the
> > current unstable version.
> 
> https://support.zabbix.com/browse/ZBX-11483
> Quote from richlv (upstream):
> > doesn't look like it - the exploit-db example logs in as Admin, then
> > does script.update, followed by script.execute - it does not connect to
> > the trapper port directly but goes through the frontend.
> > 
> > that looks like somebody with the superadmin rights using a feature as
> > intended... not sure anything can/should be done about it.
> 
> Similarly, I'm not convinced there's a bug here at all.

Thanks for double checking this. If I understood the issue correctly,
and quickly tried to reproduce, any superadmin for zabbix would get a
shell (as the zabbix user) on the remote host. As I read in the
upstream report there was now a further comment, saying that zabbix
super admins are allowed to define/update any custom shell commands.

So maybe the CVE would need to be rejected.

I will follow up with that information on the oss-security thread
where the CVE was assigned.

Regards,
Salvatore



Bug#842702: zabbix: CVE-2016-9140: API JSON-RPC remote code execution

2016-12-02 Thread James Cowgill
Hi,

On Sun, 13 Nov 2016 21:23:30 +0100 Salvatore Bonaccorso  
wrote:
> On Sun, Nov 13, 2016 at 09:00:58PM +0100, Salvatore Bonaccorso wrote:
> > I'm not sure the subject is correct in stating that versions only
> > below 3.0.3 are affected. Looking from the changes in api_jsonrpc.php
> > it does not look yet fixed. Can you confirm?
> > 
> > Is upstream actually aware of the issue? Is a fix available?
> 
> From a quick test on an unstable VM this seems still the case for the
> current unstable version.

https://support.zabbix.com/browse/ZBX-11483
Quote from richlv (upstream):
> doesn't look like it - the exploit-db example logs in as Admin, then
> does script.update, followed by script.execute - it does not connect to
> the trapper port directly but goes through the frontend.
> 
> that looks like somebody with the superadmin rights using a feature as
> intended... not sure anything can/should be done about it.

Similarly, I'm not convinced there's a bug here at all.

Thanks,
James



Bug#842702: zabbix: CVE-2016-9140: API JSON-RPC remote code execution

2016-11-13 Thread Salvatore Bonaccorso
Control: found -1 1:3.0.5+dfsg-1

Hi,

On Sun, Nov 13, 2016 at 09:00:58PM +0100, Salvatore Bonaccorso wrote:
> Control: retitle -1 zabbix: CVE-2016-9140: API JSON-RPC remote code execution
> Control: found -1 1:2.2.7+dfsg-2
> Control: tags -1 + upstream security
> 
> Hi
> 
> I'm not sure the subject is correct in stating that versions only
> below 3.0.3 are affected. Looking from the changes in api_jsonrpc.php
> it does not look yet fixed. Can you confirm?
> 
> Is upstream actually aware of the issue? Is a fix available?

From a quick test on an unstable VM this seems still the case for the
current unstable version.

Regards,
Salvatore