CVE-2016-10134
Published 2017-02-17
Priority: P2 79, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 83.28% (99.6th percentile)
SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | zabbix | < zabbix 1:3.0.4+dfsg-1 (bookworm) | zabbix 1:3.0.4+dfsg-1 (bookworm) |
| zabbix | zabbix | <= 2.2.13 | — |
| zabbix | zabbix | — | — |
| zabbix | zabbix | — | — |
| zabbix | zabbix | — | — |
| zabbix | zabbix | — | — |
| zabbix | zabbix | >= 0 < 1:3.0.4+dfsg-1 | 1:3.0.4+dfsg-1 |
| zabbix | zabbix | >= 0 < 1:3.0.4+dfsg-1 | 1:3.0.4+dfsg-1 |
| zabbix | zabbix | >= 0 < 1:3.0.4+dfsg-1 | 1:3.0.4+dfsg-1 |
| zabbix | zabbix | >= 0 < 1:3.0.4+dfsg-1 | 1:3.0.4+dfsg-1 |
| zabbix | zabbix | >= 0 < 1:2.2.2+dfsg-1ubuntu1+esm4 | 1:2.2.2+dfsg-1ubuntu1+esm4 |
| zabbix | zabbix | >= 0 < 1:2.4.7+dfsg-2ubuntu2.1+esm3 | 1:2.4.7+dfsg-2ubuntu2.1+esm3 |
| zabbix | zabbix | >= 0 < 1:3.0.12+dfsg-1ubuntu0.1~esm3 | 1:3.0.12+dfsg-1ubuntu0.1~esm3 |
| zabbix | zabbix | >= 0 < 1:4.0.17+dfsg-1ubuntu0.1~esm1 | 1:4.0.17+dfsg-1ubuntu0.1~esm1 |
Detection & IOCs
- url: /jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0xa,user()),0)::
- Exploit payload uses updatexml() with concat() to trigger error-based SQL injection via the profileIdx2 parameter in jsrpc.php
- Shodan query to identify exposed Zabbix instances by favicon hash
- Shodan query to identify exposed Zabbix server instances by title
- Metasploit auxiliary module exploits the toggle_ids SQL injection to extract usernames and password hashes from the Zabbix database to a JSON file
- Vulnerability affects Zabbix versions before 2.2.14 and 3.0.x before 3.0.4; the jsrpc.php attack vector targets the profileIdx2 parameter specifically
- Metasploit module targets Zabbix 3.0.3 specifically but likely affects prior versions as well
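CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |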
OSV
zabbix vulnerabilities
osv·2022-06-15·CVSS 9.8
CVE-2020-11800 [CRITICAL] zabbix vulnerabilities
Fu Chuang discovered that Zabbix did not properly parse IPs. A remote
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and Ubuntu 18.04 ESM.
(CVE-2020-11800)
It was discovered that Zabbix incorrectly handled certain requests. A
remote attacker could possibly use this issue to execute arbitrary code.
This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
(CVE-2017-2824, CVE-2017-2825)
It was discovered that Zabbix incorrectly handled certain XML files. A
remote attacker could possibly use this issue to read arbitrary files or
potentially execute arbitrary code. This issue only affected
Ubuntu 14.04 ESM. (CVE-2014-3005)
It was discovered that Zabbix incorrectly handled certain inp
GHSA
GHSA-q33m-pmcq-844x: SQL injection vulnerability in Zabbix before 2
ghsa_unreviewed·2022-05-17
CVE-2016-10134 [CRITICAL] CWE-89 GHSA-q33m-pmcq-844x: SQL injection vulnerability in Zabbix before 2
SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php.
OSV
CVE-2016-10134: SQL injection vulnerability in Zabbix before 2
osv·2017-02-17·CVSS 9.8
CVE-2016-10134 [CRITICAL] CVE-2016-10134: SQL injection vulnerability in Zabbix before 2
SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php.
Ubuntu
Zabbix vulnerabilities
vendor_ubuntu·2022-06-15·CVSS 9.8
CVE-2016-10742 [CRITICAL] Zabbix vulnerabilities
Title: Zabbix vulnerabilities
Summary: Several security issues were fixed in Zabbix.
Fu Chuang discovered that Zabbix did not properly parse IPs. A remote
attacker could possibly use this issue to execute arbitrary code. This
issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and Ubuntu 18.04 ESM.
(CVE-2020-11800)
It was discovered that Zabbix incorrectly handled certain requests. A
remote attacker could possibly use this issue to execute arbitrary code.
This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
(CVE-2017-2824, CVE-2017-2825)
It was discovered that Zabbix incorrectly handled certain XML files. A
remote attacker could possibly use this issue to read arbitrary files or
potentially execute arbitrary code. This issue only affected
Ubuntu 14.04 ESM. (CVE-2014-3005)
Debian
CVE-2016-10134: zabbix - SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows ...
vendor_debian·2016·CVSS 9.8
CVE-2016-10134 [CRITICAL] CVE-2016-10134: zabbix - SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows ...
SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php.
Scope: local
bookworm: resolved (fixed in 1:3.0.4+dfsg-1)
bullseye: resolved (fixed in 1:3.0.4+dfsg-1)
forky: resolved (fixed in 1:3.0.4+dfsg-1)
sid: resolved (fixed in 1:3.0.4+dfsg-1)
trixie: resolved (fixed in 1:3.0.4+dfsg-1)
No detection rules found.
Nuclei
Zabbix - SQL Injection
nuclei·CVSS 9.8
CVE-2016-10134 [CRITICAL] Zabbix - SQL Injection
Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php and perform SQL injection attacks.
Template:
id: CVE-2016-10134
info:
  name: Zabbix - SQL Injection
  author: princechaddha
  severity: critical
  description: Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php and perform SQL injection attacks.
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, and potential compromise of the Zabbix application and underlying systems.
  remediation: |
    Apply the latest security patches or upgrade to a patched version of Zabbix to mitigate the
Metasploit
Zabbix toggle_ids SQL Injection
metasploit
This module will exploit a SQL injection in Zabbix 3.0.3 and likely prior in order to save the current usernames and password hashes from the database to a JSON file.
- http://www.debian.org/security/2017/dsa-3802
- http://www.openwall.com/lists/oss-security/2017/01/12/4
- http://www.openwall.com/lists/oss-security/2017/01/13/4
- http://www.securityfocus.com/bid/95423
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850936
- https://code610.blogspot.com/2017/10/zbx-11023-quick-autopsy.html
- https://support.zabbix.com/browse/ZBX-11023
Published: 2017-02-17