Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 582536 (CVE-2016-4338)

Summary: <net-analyzer/zabbix-{2.2.13,3.0.3}: mysql.size shell command injection
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: alicef, mattm, patrick
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2016-05-09 10:05:36 UTC
From ${URL} :

CVE-2016-4338: Zabbix Agent 3.0.1 mysql.size shell command injection

Affected products

At least Zabbix Agent 1:3.0.1-1+wheezy from is vulnerable. Other versions
were not tested.


"Zabbix agent is deployed on a monitoring target to actively monitor
 local resources and applications (hard drives, memory, processor
 statistics etc).

 The agent gathers operational information locally and reports data to
 Zabbix server for further processing. In case of failures (such as a
 hard disk running full or a crashed service process), Zabbix server
 can actively alert the administrators of the particular machine that
 reported the failure.

 Zabbix agents are extremely efficient because of use of native system
 calls for gathering statistical information."



Zabbix agent listens on port 10050 for connections from the Zabbix
server. The commands can be built-in or user-defined.

The mysql.size user parameter defined in
/etc/zabbix/zabbix_agentd.d/userparameter_mysql.conf takes three input
parameters and uses a shell script to generate an SQL query:

UserParameter=mysql.size[*],echo "select sum($(case "$3" in both|"") echo "data_length+index_length";; data|index) echo "$3_length";; free) echo "data_free";; esac)) from information_schema.tables$([[ "$1" = "all" || ! "$1" ]] || echo " where 
table_schema='$1'")$([[ "$2" = "all" || ! "$2" ]] || echo "and table_name='$2'");" | HOME=/var/lib/zabbix mysql -N

The code assumes that /bin/sh is bash that supports the [[ compound
command. However, if /bin/sh is for example dash the statement

[[ "$1" = "all" || ! "$1" ]]

ends up executing the command "$1" with the argument "]]".


Zabbix sanitizes the input and blocks many dangerous characters
("\\'\"`*?[]{}~$!&;()<>|#@...). Since we cannot use quotes we cannot
give our shell commands any parameters which significantly reduces the
impact of this vulnerability. If you find a way to execute arbitrary
commands using this flaw I'd be really interested in the details. The
following proof-of-concept shows how the vulnerability can be used
escalate privileges locally:

$ echo -en '#!/bin/bash\necho "This code is running as $(id)" 1>&2\n' > /tmp/owned
$ chmod a+rx /tmp/owned
$ echo 'mysql.size[/tmp/owned,all,both]' | nc localhost 10050 | cat -A
ZBXD^AM-^O^@...@...@...@... 1: [[: not found$
This code is running as uid=110(zabbix) gid=114(zabbix) groups=114(zabbix)$
sh: 1: [[: not found$
sh: 1: all: not found$

The exploit of course assumes that the Server line in the
configuration includes "". If the agent is configured to
accept connections only from the Zabbix server. In that case this
issue can only be exploited from the server or by spoofing the IP
address of the server (with for example ARP spoofing).

Since output of the command is piped to mysql it might be possible to
also execute some SQL commands in the database.


This issue was discovered by Timo Lindfors from Nixu Corporation.


2016-04-19: Issue discovered and reported internally for verification.
2016-04-21: Issue reported to vendor.
2016-04-22: Vendor acknowledges vulnerability and starts patching.
2016-04-26: Asked status update from vendor.
2016-04-26: Vendor responds that the issue is still being patched.
2016-04-26: CVE requested from MITRE.
2016-04-28: MITRE assigned CVE-2016-4338 for this vulnerability.
2016-05-02: Vendor published details in the issue tracker

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann gentoo-dev Security 2016-11-18 21:30:07 UTC
The first fixed 2.2.x version is v2.2.13 which already landed in the repository:

The first fixed 3.0.x version is v3.0.3 which already landed in the repository:

@ Maintainer(s): Please tell us how to proceed. Which v2.x and which v3.x version can be stabilized?
Comment 2 Thomas Deutschmann gentoo-dev Security 2016-12-03 13:43:44 UTC
All done. =net-analyzer/zabbix-2.2.15 is the current stable version in tree, no vulnerable version left.

New GLSA created.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-12-13 11:42:39 UTC
This issue was resolved and addressed in
 GLSA 201612-42 at
by GLSA coordinator Aaron Bauman (b-man).