Shulou(Shulou.com)05/31 Report--

Today, I will talk to you about the recurrence of Zabbix remote code execution vulnerability CVE-2020-11800, which may not be well understood by many people. in order to make you understand better, the editor has summarized the following content for you. I hope you can get something according to this article.

Introduction to 0x00

Abbix is an enterprise-level open source solution based on WEB interface that provides distributed system monitoring and network monitoring capabilities. Zabbix can monitor various network parameters to ensure the safe operation of the server system, and provides a flexible notification mechanism to enable system administrators to quickly locate / solve various problems. Zabbix consists of two parts, zabbix server and optional component zabbix agent. Zabbix server can provide remote server / network status monitoring, data collection and other functions through SNMP,zabbix agent,ping, port monitoring and other methods. It can run on platforms such as Linux,Solaris,HP-UX,AIX,Free BSD,Open BSD,OS X.

Overview of 0x01 vulnerabilities

Zabbix Server's trapper command processing has a command injection vulnerability that can lead to remote code execution.

0x02 affects version

Zabbix 3.0.x~3.0.30

0x03 environment building

1. The manual construction of this vulnerability environment is complicated. Here, it is built using vulhub environment and downloaded.

Git clone https://github.com/vulhub/vulhub.git

2. Enter the vulnerability directory and use docker-compose to start a complete Zabbix environment, including the Web side, the server side, an Agent and Mysql database

Cd vulhub-master/zabbix/CVE-2020-11800

Docker-compose up-d

3. Use docker ps to check whether all boots are successful. Do not execute docker-compose up-d right away.

Access http://your-ip:8080 in browser successfully

Recurrence of 0x04 vulnerabilities

1. To exploit this vulnerability, the server needs to enable the auto-registration function and log in to the backend with the account password admin/zabbix.

Go to Configuration- > Actions, adjust Event source to Auto registration, then click Create action to create an Action with an arbitrary name

2. Then click Operation to create an Operation,type of "Add Host": then save

3. in this way, the automatic registration function is enabled.

4. There is an exploit script in the vulnerability directory in the downloaded vulhub. If you view poc, you can see that you are writing to a file. Use python3 to execute poc, and enter docker to check whether the write is successful.

Python3 exploit.py 172.16.1.147

0x05 repair recommendation

1. Upgrade to the latest version is recommended.

After reading the above, do you have any further understanding of the recurrence of the Zabbix remote code execution vulnerability CVE-2020-11800? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.