Oct 11, 2024 12:57:32 PM | Adversarial Simulation Take Over Situations: Part 1 – Zabbix Vulnerability

In this blog series, we will be performing a walkthrough of interesting domain takeovers that have occurred during pentest engagements. The first part of this series occurred rather recently during […]

In this blog series, we will be performing a walkthrough of interesting domain takeovers that have occurred during pentest engagements. The first part of this series occurred rather recently during an internal penetration test that wasn’t turning up the results I had expected. During the testing process, I was reviewing screenshots of various web services and came across a login portal I hadn’t seen before. The discovered portal was for Zabbix, which is an open-source monitoring software tool for diverse IT components including networks, servers, virtual machines (VMs), and cloud services.

This is a screenshot of zabbix portal to log in captured by White Oak Security, a testing company.

After some quick Google searching to determine if the service could be configured with some default credentials, I was brought to the following Zabbix resource. This resource revealed that the default credentials for the application are “Admin / Zabbix” (The A in Admin is case sensitive).

Through additional research, I came across the following link in which a user “0x616163” already did some of the exploitation below. Once logged into the Zabbix appliance, we can click on the “Scripts” functionality under the Administration menu. The “Scripts” functionality allows a Zabbix user to execute specific commands on the remote host. The screenshot below shows where the user can create a new script.

The screenshot shows where the user can create a new script in the White Oak Security blog - Take Overs Part 1.

The screenshot below shows the creation of a new script. In this specific test case, I want to execute a simple “whoami” command. I have also selected the Host Group of Domain Controllers.

A screenshot shows the creation of a new script. In this specific test case, White Oak Security wants to execute a simple “whoami” command.

As we can see below the script was successfully created. Now let’s get to executing it.

A successful screenshot of the file, now it's time to execute it.

I then navigated to the menu item “Monitoring” and the sub-item “Latest Data” which gives the user access to sort by specific Host Groups. Sorting by the Host Group set within the script creation process, we can see hostnames of systems within that group. Clicking on the hostname will present the user with additional functionality. In this case – we can execute the recently created script.

Captures how we then u item “Monitoring” and the sub-item “Latest Data” which gives the user the access to sort by specific Host Groups. Sorting by the Host Group set within the script creation process, we can see hostnames of systems within that group. Clicking on the hostname will present the user with additional functionality. In this case – we can execute the recently created script

BAM!

The results from the script are presented to the user. In this case, we are running as NT AUTHORITY\SYSTEM, which is the highest privilege on a Windows machine. At this point, we could re-configure the script to execute a PowerShell command, create a new user (Domain Admin), etc.

Captured the  results from the script are presented to the user. In this case, we are running as NT AUTHORITY\SYSTEM, which is the highest privilege on a Windows machine.

Results

This was one of the easiest domain compromises I have come across due to the high level of functionality within the application only to be protected by publicly available default credentials. Organizations that have implemented Zabbix within their environment should look into the following items to prevent unauthorized script execution:

  • Unless a business need requires it, ensure the script execution functionality remains disabled
  • Change the default password of the Zabbix Admin account
  • Restricting which systems can communicate directly with the Zabbix portal

Following these recommendations as well as common best practices for host web applications, organizations will be more secure and set up for future security success.

 

Written By: Brett DeWall