Monday, May 23, 2011

Zabbix Cookie Replay Vulnerability

Everyone should be familiar with monitoring software to some extent.  Zabbix is a distributed monitoring solution with a substantial support base.  Recently I discovered that you can replay a user's cookie to log in as that specific user without knowing their username or password.  The vulnerability works as follows:

By generating an email, phishing site, etc., you can send the end user a link that requires them to log in to the fake site.  Once they attempt to log in, you can log them into the Zabbix portal via the API and pass the valid session off to the end user, but not before stealing a copy of the now valid cookie.  As long as their session remains valid (i.e. they don't instantly log out), you can pass the captured cookie to the login page and become authenticated as the user.  Obviously from here you can change the password and more, depending on the permission level.  While this may not give you access to servers and systems directly, you will be able to view anything that the Zabbix monitor is set up for and, depending on your Zabbix configuration, remotely execute commands on each agent.

Once you log in, the following cookie is set on your system:



From the image above you can see there is only a single cookie, and it is accessible via script.  Once your end user has logged in, go and visit the URL of the login page to obtain a cookie (a new value for the content field is generated, but it will be overwritten, so it doesn't matter).  Replace the content field with the value stolen from the user's cookie:



Once you save the cookie, just refresh the page, and you should be authenticated:



If the user logs out before you have had a chance to conduct the attack, it won't work.  The cookie is generated from the following: MD5(username, password, current time).  The session is then recorded in a database with the MD5 and changed every time you log in, log out or close the browser.  There is also a timeout value that you can set to force a session invalid, but it doesn't prevent this attack.  Once you are logged in, change the user's password to maintain access.

Game Over.

Disclaimer: So far I have confirmed this works in all versions of 1.8.x and 1.9.x of Zabbix.  The vendor has also been notified of the issue.  One idea would be to use a session ID to validate that only one session at a time can make use of a cookie value.
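The post describes three weaknesses in how the session is handled: the cookie is a pure bearer token derived from MD5(username, password, time), it is readable by page script, and nothing ties it to the client that logged in, so a timeout alone does not stop replay.  The following is an added example, not Zabbix code, of a small server-side session store that addresses each point in the way the closing paragraph suggests: a random token with no relation to the credentials, one active session per user, binding of the session to the client that created it, and an HttpOnly cookie.  The cookie name `sid`, the in-memory store and the injectable clock are assumptions for the example.

```python
# Added example (not Zabbix's own code): a hardened session store.
# Assumes a single-process in-memory store; a real deployment would back it
# with the database where the session is recorded.
import hashlib
import hmac
import secrets
import time


class SessionStore:
    """Bearer-token sessions hardened against replay from another client."""

    def __init__(self, idle_timeout=900, clock=time.time):
        self.idle_timeout = idle_timeout   # seconds of inactivity before expiry
        self.clock = clock                 # injectable so tests are deterministic
        self._sessions = {}                # token -> session record
        self._active_by_user = {}          # username -> the one valid token

    @staticmethod
    def _fingerprint(client_ip, user_agent):
        # Hash of the client attributes the session is bound to; a cookie
        # presented from a different client will not match this value.
        return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()

    def login(self, username, client_ip, user_agent):
        # Revoke any session the user already holds, so only one session at a
        # time can make use of a cookie value.
        old = self._active_by_user.pop(username, None)
        if old is not None:
            self._sessions.pop(old, None)
        # 256-bit random token; nothing is derived from username, password or time.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": username,
            "fp": self._fingerprint(client_ip, user_agent),
            "last_seen": self.clock(),
        }
        self._active_by_user[username] = token
        return token

    def validate(self, token, client_ip, user_agent):
        """Return the username for a valid, correctly bound session, else None."""
        rec = self._sessions.get(token)
        if rec is None:
            return None
        now = self.clock()
        if now - rec["last_seen"] > self.idle_timeout:
            self.logout(token)          # idle timeout: drop the session record
            return None
        # Constant-time comparison of the binding; a mismatch means the cookie
        # was presented by a client other than the one that logged in.
        if not hmac.compare_digest(rec["fp"], self._fingerprint(client_ip, user_agent)):
            return None
        rec["last_seen"] = now
        return rec["user"]

    def logout(self, token):
        rec = self._sessions.pop(token, None)
        if rec is not None:
            self._active_by_user.pop(rec["user"], None)
        return rec is not None


def set_cookie_header(token):
    # HttpOnly keeps the value out of reach of page scripts, Secure restricts it
    # to TLS, SameSite=Strict keeps it off cross-site requests.  "sid" is a
    # constructed cookie name for this example.
    return f"Set-Cookie: sid={token}; Path=/; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    store = SessionStore(idle_timeout=60)
    tok = store.login("alice", "10.0.0.5", "Browser/1.0")
    print(set_cookie_header(tok))
    print("same client:", store.validate(tok, "10.0.0.5", "Browser/1.0"))
    print("other client:", store.validate(tok, "192.0.2.9", "Browser/1.0"))
```

Binding to the client IP is the simplest check but breaks for users behind changing NAT or mobile addresses; a deployment that cannot tolerate that can bind to a TLS channel identifier or a separate per-client secret instead.  The single-active-session rule is what the post's last sentence asks for, and it has the side effect that a legitimate login after the attacker's also revokes the attacker's copy.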
