**Vulnerabilities fixed in the same official patch**: [Zabbix code execution vulnerability](https://www.seebug.org/vuldb/ssvid-93060)
### DETAILS
One of the Trapper requests made by the Zabbix proxy is the "proxy config" request, which allows a proxy to request its own proxy configuration from the Zabbix Server (or any other Zabbix Proxy's configuration if they know the hostname of that machine). When this occurs, the Zabbix Server pulls varying configuration for the given Zabbix Proxy from its database. While the Zabbix server has hardcoded tables that it looks at when searching for the desired configuration data to send to the proxy, there is no such restriction on what the Zabbix Proxy will apply to its database.
Thus, if an attacker is able to man-in-the-middle the traffic between a Zabbix Proxy and the Zabbix Server, the attacker can insert arbitrary JSON into the configuration response of the Server, and the Zabbix Proxy will apply the configuration without hesitation. This is doubly concerning since the proxy configuration data flows unencrypted over the local network, allowing anyone with network connectivity to the Zabbix Server to utilize this attack.
Since the "proxy config" request happens at regular intervals from the Proxy to the Server, an attacker can use a proxy server to intercept the traffic and insert arbitrary data into the database, as long as the destination table is a valid table in the Zabbix proxy database.
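
The missing restriction described above, sketched as a receiving-side allowlist check. This is an added example, not code from the advisory or from Zabbix. The allowlist contents, the `validate_proxy_config` helper and the `fields`/`data` response shape are assumptions made for illustration, and the sample responses are constructed.

```python
import json

# Assumed allowlist: an illustrative subset of tables a proxy expects to
# receive. It is not taken from the Zabbix source.
EXPECTED_TABLES = frozenset({"globalmacro", "hosts", "interface", "items"})


def validate_proxy_config(raw, allowed=EXPECTED_TABLES):
    """Return the parsed config response only if every table is expected.

    Raises ValueError before anything would be written to the proxy
    database, so a tampered response is rejected as a whole.
    """
    try:
        doc = json.loads(raw)
    except ValueError as exc:  # covers JSON and UTF-8 decoding errors
        raise ValueError(f"config response is not valid JSON: {exc}") from exc
    if not isinstance(doc, dict):
        raise ValueError("config response must be an object keyed by table")

    # The core check: refuse any destination table outside the allowlist.
    unexpected = sorted(set(doc) - set(allowed))
    if unexpected:
        raise ValueError(f"unexpected tables in config response: {unexpected}")

    # Structural check (assumed shape: {"fields": [...], "data": [[...]]}).
    for table, body in doc.items():
        if not isinstance(body, dict):
            raise ValueError(f"table {table!r} is not an object")
        fields, rows = body.get("fields"), body.get("data")
        if not isinstance(fields, list) or not isinstance(rows, list):
            raise ValueError(f"table {table!r} lacks 'fields'/'data' lists")
        for row in rows:
            if not isinstance(row, list) or len(row) != len(fields):
                raise ValueError(f"table {table!r}: row does not match fields")
    return doc


# Constructed sample responses (not captured traffic).
GOOD = b'{"hosts": {"fields": ["hostid", "host"], "data": [[10105, "web01"]]}}'
TAMPERED = (b'{"hosts": {"fields": ["hostid", "host"], "data": [[10105, "web01"]]},'
            b' "not_in_allowlist": {"fields": ["id"], "data": [[1]]}}')

if __name__ == "__main__":
    print(sorted(validate_proxy_config(GOOD)))
    try:
        validate_proxy_config(TAMPERED)
    except ValueError as err:
        print("rejected:", err)
```

An allowlist limits which tables a response can reach but does not authenticate the response; the unencrypted channel the advisory points out still has to be protected separately.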
### CREDIT
Discovered by Lilith Wyatt of Cisco ASIG
### TIMELINE
2017-03-22 - Vendor Disclosure
2017-04-27 - Public Release