Advertisement






Zabbix Agent 6.2.7 Insecure Permissions / Privilege Escalation

CVE Category Price Severity
Author Risk Exploitation Type Date
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023020030

Below is a copy:

Zabbix Agent 6.2.7 Insecure Permissions / Privilege Escalation
# Exploit Title: Zabbix agents - Insecure Permissions on non-default installation directory location
# Discovery by: mmg
# Discovery Date: 2023-01-23
# Vendor Homepage: https://www.zabbix.com/download_agents
# Software Link Zabbix agent : https://cdn.zabbix.com/zabbix/binaries/stable/6.2/6.2.7/zabbix_agent-6.2.7-windows-amd64-openssl.msi
# Software Link Zabbix agent 2 : https://cdn.zabbix.com/zabbix/binaries/stable/6.2/6.2.7/zabbix_agent2-6.2.7-windows-amd64-openssl.msi
# Tested Version: Zabbix agent and Zabbix agent 2 (v6.2.6, v6.2.7 and older versions)
# Vulnerability Type: Local Privilege Escalation
# Tested on OS: Windows 10 Pro Version 22H2 (OS Build 19045.2486) x64 version
# CVSSv3 Vectors : https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
# CVE N/A


# Step to discover:

Go to Start and type powershell.
Enter the following command and press Enter:
Get-WmiObject win32_service | ?{ $_.Name -like '*zabbix*' -and $_.Pathname -notlike "*C:\Program Files*"}| select Name,PathName

# Example of a vulnerable installation

Name           PathName
----           --------
Zabbix Agent   "C:\Software\Zabbix Agent\zabbix_agentd.exe" --config "C:\Software\Zabbix Agent\zabbix_agentd.conf"
Zabbix Agent 2 "D:\software\Zabbix Agent 2\zabbix_agent2.exe" -c "D:\software\Zabbix Agent 2\zabbix_agent2.conf" -f=false

# Exploit:

A vulnerability was found in Zabbix Agents on non-default installation directory location. 
The Zabbix Agent executables have incorrect permissions, allowing a local unprivileged user to replace it
with a malicious file that will be executed with "LocalSystem" privileges which will result in complete
compromise of Confidentiality, Integrity and Availability.


# Timeline
Jan 23, 2023 - Reported to Zabbix
Feb 1, 2023  - Zabbix does not consider this a vulnerability
Feb 6, 2023  - Requested official approval to disclose it
Feb 8, 2023  - Zabbix agrees with public disclosure
Feb 13, 2023 - Public disclosure

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum