SQL injection vulnerability in Zabbix

SEC Consult Vulnerability Lab Security Advisory < 20131004-0 >

=======================================================================

title: SQL injection vulnerability

product: Zabbix

vulnerable version: <=2.0.8

fixed version: 2.0.9rc1

CVE number: CVE-2013-5743

impact: critical

homepage: www.zabbix.com

found: 2013-09-03

by: Bernhard Schildendorfer

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

Vendor description:

-------------------

"Zabbix is the ultimate open source availability and performance monitoring

solution. Zabbix offers advanced monitoring, alerting, and visualization

features today which are missing in other monitoring systems, even some of the

best commercial ones."

Source: www.zabbix.com/product.php

Business recommendation:

------------------------

By exploiting this SQL injection vulnerability, an authenticated attacker (or

guest user) is able to gain full access to the database. This causes a

privilege escalation to power users as well as a possible compromise of the

database and operating system the database is running on.

Because of the functionalities Zabbix offers, an attacker with admin

privileges could be able (depending on the actual configuration) to execute

arbitrary OS commands on the configured Zabbix hosts. This results in a severe

impact to the monitored infrastructure.

Although the attacker needs to be authenticated in general, the system could

also be at risk if the adversary has no user account. Zabbix offers a guest

mode which provides a low privileged default account for users without

password. If this guest mode is enabled, the SQL injection vulnerability can

be exploited unauthenticated.

Vulnerability overview/description:

-----------------------------------

The PHP JSON API provides access to different classes which lack input

validation of some of their parameters. This can be exploited to inject into

SQL query statements. By exploiting this vulnerability, an attacker gains

access to all records stored in the database with the privileges of the Zabbix

database user.

Proof of concept:

-----------------

The affected PHP file api_jsonrpc.php handles JSON requests to the Zabbix API

which get, after passing to class.cjsonrpc.php, dispatched by

class.czbxrpc.php to the actual (vulnerable) API classes located in

/frontends/php/api/classes/*.

The example proof of concept exploit has been removed from this advisory.

A quick search in the source code revealed, that at least the following

methods are also vulnerable with the given parameters. Not all of them were

tested:

 - alert.get    // parameter: time_from, time_till
 - event.get    // parameter: object, source, eventid_from, eventid_till
 - graphitem.get  // parameter: type
 - graph.get      // parameter: type
 - graphprototype.get  // parameter: type
 - history.get         // parameter: time_from, time_till
 - trigger.get    // parameter: lastChangeSince, lastChangeTill, min_severity
 - triggerprototype.get  // parameter: min_severity
 - usergroup.get         // parameter: status

Because no prepared statements are used to query the database, further

injection points may be in place where prior validation fails.

Vulnerable / tested versions:

-----------------------------

Zabbix 2.0.8

Vendor contact timeline:

------------------------

2013-09-10: Contacting vendor through sales@zabbix.com

2013-09-10: Initial vendor response

2013-09-10: Forwarding security advisory to vendor

2013-09-10: Vendor acknowledges that the advisory was received

2013-09-11: Vendor confirmed the issue