Continuous Attack Surface Management (ASM) and reduction has become a crucial function for every organization to gain visibility of their perimeter security. Having the right tools and processes in place is vital to detecting new vulnerabilities before attackers do. In this blog post, we will outline the basic steps for discovering the attack surface with Sn1per Professional v9.0.
==========================================
Title: Zabbix 3.0.3 SQL Injection Vulnerability
Product: Zabbix
Vulnerable Version(s): 2.2.x, 3.0.x
Fixed Version: 3.0.4
Homepage: http://www.zabbix.com
Patch link: https://support.zabbix.com/browse/ZBX-11023
Credit: [email protected]
==========================================
Vendor Description:
=====================
Zabbix is an open source availability and performance monitoring solution.
Vulnerability Overview:
=====================
Zabbix 2.2.x, 3.0.x and trunk suffers from a remote SQL injection vulnerability due to a failure to sanitize input in
the toggle_ids array in the latest.php page.
Business Impact:
=====================
By exploiting this SQL injection vulnerability, an authenticated attacker (or guest user) is able to gain full access
to the database. This would allow an attacker to escalate their privileges to a power user, compromise the database,
or execute commands on the underlying database operating system.
Because of the functionalities Zabbix offers, an attacker with admin privileges (depending on the configuration) can
execute arbitrary OS commands on the configured Zabbix hosts and server. This results in a severe impact to the
monitored infrastructure.
Although the attacker needs to be authenticated in general, the system could also be at risk if the adversary has no
user account. Zabbix offers a guest mode which provides a low privileged default account for users without password.
If this guest mode is enabled, the SQL injection vulnerability can be exploited unauthenticated.
Proof of Concept:
=====================
latest.php?output=ajax&sid=&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385); select * from users where (1=1
Result:
SQL (0.000361): INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) VALUES (88, 1,
'web.latest.toggle', '1', 2, 15385); select * from users where (1=1)
latest.php:746 → require_once() → CProfile::flush() → CProfile::insertDB() → DBexecute() in /home/sasha/zabbix-
svn/branches/2.2/frontends/php/include/profiles.inc.php:185
Disclosure Timeline:
=====================
7/18/2016 - Reported vulnerability to Zabbix
7/21/2016 - Zabbix responded with permission to file CVE and to disclose after a patch is made public
7/22/2016 - Zabbix released patch for vulnerability
8/3/2016 - CVE details submitted
8/11/2016 - Vulnerability details disclosed
After hearing about the latest Jooma RCE vulnerability which affects Joomla 1.5 – 3.4.5, I decided to do some research to try to understand how this vulnerability actually works. After many failed attempts, lots of confusion and frustration, I beat the urge to give up and was finally able to setup a test VM and exploit the vulnerability using a manual/custom approach (no pre-built exploits). My results are below for educational purposes only.
WHAT’S REQUIRED?
A vulnerable version of Joomla from 1.5.0 to 3.4.5
A vulnerable version of PHP before 5.4.45 (including 5.3.x), 5.5.29 or 5.6.13.