Bug#842702: zabbix: CVE-2016-9140: API JSON-RPC remote code execution
Hi James,

On Fri, Dec 02, 2016 at 04:31:12PM +, James Cowgill wrote:
> Hi,
>
> On Sun, 13 Nov 2016 21:23:30 +0100 Salvatore Bonaccorso wrote:
> > On Sun, Nov 13, 2016 at 09:00:58PM +0100, Salvatore Bonaccorso wrote:
> > > I'm not sure the subject is correct in stating that versions only
> > > below 3.0.3 are affected. Looking from the changes in api_jsonrpc.php
> > > it does not look yet fixed. Can you confirm?
> > >
> > > Is upstream actually aware of the issue? Is a fix available?
> >
> > From a quick test on an unstable VM this seems still to be the case for
> > the current unstable version.
>
> https://support.zabbix.com/browse/ZBX-11483
>
> Quote from richlv (upstream):
> > doesn't look like it - the exploit-db example logs in as Admin, then
> > does script.update, followed by script.execute - it does not connect to
> > the trapper port directly but goes through the frontend.
> >
> > that looks like somebody with the superadmin rights using a feature as
> > intended... not sure anything can/should be done about it.
>
> Similarly, I'm not convinced there's a bug here at all.

Thanks for double-checking this. If I understood the issue correctly, and
quickly tried to reproduce, any superadmin for zabbix would get a shell (as
the zabbix user) on the remote host. As I read in the upstream report there
was now a further comment, saying that zabbix super admins are allowed to
define/update any custom shell commands. So maybe the CVE would need to be
rejected. I will follow up with that information on the oss-security thread
where the CVE was assigned.

Regards,
Salvatore
Bug#842702: zabbix: CVE-2016-9140: API JSON-RPC remote code execution
Hi,

On Sun, 13 Nov 2016 21:23:30 +0100 Salvatore Bonaccorso wrote:
> On Sun, Nov 13, 2016 at 09:00:58PM +0100, Salvatore Bonaccorso wrote:
> > I'm not sure the subject is correct in stating that versions only
> > below 3.0.3 are affected. Looking from the changes in api_jsonrpc.php
> > it does not look yet fixed. Can you confirm?
> >
> > Is upstream actually aware of the issue? Is a fix available?
>
> From a quick test on an unstable VM this seems still to be the case for
> the current unstable version.

https://support.zabbix.com/browse/ZBX-11483

Quote from richlv (upstream):
> doesn't look like it - the exploit-db example logs in as Admin, then
> does script.update, followed by script.execute - it does not connect to
> the trapper port directly but goes through the frontend.
>
> that looks like somebody with the superadmin rights using a feature as
> intended... not sure anything can/should be done about it.

Similarly, I'm not convinced there's a bug here at all.

Thanks,
James
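The call sequence richlv describes in the message above (user.login, then script.update, then script.execute, all sent to the frontend JSON-RPC endpoint rather than to the trapper port), replayed against an in-memory fake of the frontend. This is an added example, not code from the bug report, from the exploit-db entry or from Zabbix. The fake server, its two accounts, the script id, the host id 10084 and the error texts are constructed for the example, and the fake only records the command instead of running it; the method and parameter names (user/password, scriptid, command, hostid) are those of the Zabbix 3.0 API.

```python
import itertools
import json
import secrets


class FakeZabbixFrontend:
    """In-memory stand-in for the frontend's api_jsonrpc.php (constructed for this
    example; not Zabbix code).  It models the two things the thread relies on:
    every call after login carries an 'auth' session token, and script.update /
    script.execute are only honoured for a Zabbix Super Admin."""

    SUPER_ADMIN = 3  # value of the Zabbix user 'type' field for "Zabbix Super Admin"

    def __init__(self):
        # Constructed sample accounts and one pre-existing global script.
        self.users = {
            "Admin": {"password": "zabbix", "type": self.SUPER_ADMIN},
            "ops": {"password": "ops", "type": 2},  # "Zabbix Admin", not a super admin
        }
        self.sessions = {}
        self.scripts = {"1": {"name": "Ping", "command": "/bin/ping -c 3 {HOST.CONN}"}}
        self.executed = []  # (hostid, command) pairs; nothing is actually run

    def handle(self, raw):
        req = json.loads(raw)
        method, params = req["method"], req.get("params", {})
        if method == "user.login":
            user = self.users.get(params.get("user"))
            if user is None or user["password"] != params.get("password"):
                return self._error(req, "Login name or password is incorrect.")
            token = secrets.token_hex(16)  # real Zabbix also hands back a 32-hex-char session id
            self.sessions[token] = params["user"]
            return self._ok(req, token)
        user = self.users.get(self.sessions.get(req.get("auth")))
        if user is None:
            return self._error(req, "Not authorised.")
        if method in ("script.update", "script.execute") and user["type"] != self.SUPER_ADMIN:
            return self._error(req, "No permissions to referred object or it does not exist!")
        if method == "script.update":
            self.scripts[params["scriptid"]]["command"] = params["command"]
            return self._ok(req, {"scriptids": [params["scriptid"]]})
        if method == "script.execute":
            command = self.scripts[params["scriptid"]]["command"]
            self.executed.append((params["hostid"], command))  # recorded, never executed
            return self._ok(req, {"response": "success", "value": ""})
        return self._error(req, "Method not found.")

    @staticmethod
    def _ok(req, result):
        return json.dumps({"jsonrpc": "2.0", "result": result, "id": req["id"]})

    @staticmethod
    def _error(req, detail):
        # Same envelope shape as Zabbix uses; the message texts are approximations.
        return json.dumps({"jsonrpc": "2.0", "id": req["id"],
                           "error": {"code": -32602, "message": "Invalid params.", "data": detail}})


class ApiClient:
    """Builds the JSON-RPC 2.0 envelopes the frontend expects and threads the
    session token returned by user.login into every later call as 'auth'."""

    def __init__(self, transport):
        self.transport = transport  # callable: request JSON string -> response JSON string
        self.auth = None
        self._ids = itertools.count(1)

    def call(self, method, params):
        req = {"jsonrpc": "2.0", "method": method, "params": params,
               "auth": self.auth, "id": next(self._ids)}
        resp = json.loads(self.transport(json.dumps(req)))
        if "error" in resp:
            return "error", resp["error"]["data"]
        if method == "user.login":
            self.auth = resp["result"]
        return "ok", resp["result"]


def replay(frontend, user, password, command, scriptid="1", hostid="10084"):
    """The sequence from the thread: log in, rewrite a script's command, execute it.
    Returns one (method, status, payload) tuple per call and stops at the first error.
    hostid 10084 is an assumed host id, chosen only for the example."""
    client = ApiClient(frontend.handle)
    steps = []
    for method, params in [
        ("user.login", {"user": user, "password": password}),
        ("script.update", {"scriptid": scriptid, "command": command}),
        ("script.execute", {"scriptid": scriptid, "hostid": hostid}),
    ]:
        status, payload = client.call(method, params)
        steps.append((method, status, payload))
        if status == "error":
            break
    return steps


if __name__ == "__main__":
    fe = FakeZabbixFrontend()
    for step in replay(fe, "Admin", "zabbix", "id"):
        print(step)
    print("recorded executions:", fe.executed)
    for step in replay(FakeZabbixFrontend(), "ops", "ops", "id"):
        print(step)
```

Run as a script, the first replay (as the super admin) completes all three calls and the fake records that `id` would have been executed on host 10084; the second replay (a non-super-admin account) logs in but is refused at script.update. That refusal is the only gate on the path, which is the point upstream makes: nothing here bypasses authentication or authorisation, it is the super admin's own privilege being exercised.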
Bug#842702: zabbix: CVE-2016-9140: API JSON-RPC remote code execution
Control: found -1 1:3.0.5+dfsg-1

Hi,

On Sun, Nov 13, 2016 at 09:00:58PM +0100, Salvatore Bonaccorso wrote:
> Control: retitle -1 zabbix: CVE-2016-9140: API JSON-RPC remote code execution
> Control: found -1 1:2.2.7+dfsg-2
> Control: tags -1 + upstream security
>
> Hi
>
> I'm not sure the subject is correct in stating that versions only
> below 3.0.3 are affected. Looking from the changes in api_jsonrpc.php
> it does not look yet fixed. Can you confirm?
>
> Is upstream actually aware of the issue? Is a fix available?

From a quick test on an unstable VM this seems still to be the case for the
current unstable version.

Regards,
Salvatore