Cve-2022-23131 - bypass SAML SSO authentication

Vulnerability description

Security Assertion Markup Language (SAML) Is the most common single sign on (SSO) One of the standards . around XML Realization , It allows identity providers （IdP, An entity that can authenticate users ） Tell the service provider （SP, Here is Zabbix） who are you . You can use Zabbix Web The front end is configured to allow SAML User authentication , But it is not enabled by default , Because it needs to know the details of the identity provider . This is the most common setup for enterprise deployment .

In the activation of SAML SSO On an instance of authentication , It allows you to bypass authentication and gain administrator privileges . An attacker can use this access right on the linked Zabbix Server and Zabbix Agent Execute arbitrary commands on the instance .

scope

Zabbix Web Front end versions include

• 5.4.8
• 5.0.18
• 4.0.36

Vulnerability analysis

And SAML The code related to the authentication mechanism can be found in index_sso.php Find . In short , Its goal is to ：

• Redirect users to IdP;
• After the user is authenticated , Verify incoming SAML Format and signature of the payload . Create a file called saml_data To remember the user's attributes ;
• If there is a session named saml_data The entry of , Then extract its value and username_attribute The value of the Zabbix Authenticate users on .
  index_sso.php

 if (CSessionHelper::has('saml_data')) {
    
       $saml_data = CSessionHelper::get('saml_data');
       CWebUser::$data = API::getApiService('user')->loginByUsername($saml_data['username_attribute'],
           (CAuthenticationHelper::get(CAuthenticationHelper::SAML_CASE_SENSITIVE) == ZBX_AUTH_CASE_SENSITIVE),
           CAuthenticationHelper::get(CAuthenticationHelper::AUTHENTICATION_TYPE)
       );

Exploit

Vulnerability exploitation is simple , Especially because Zabbix Web The front end is automatically configured with a file named Admin High authority users of .

fofa:app="ZABBIX- The monitoring system " && body="saml" 

 Reference video ：https://youtu.be/5dci1i6Fq3M?t=22

Once certified as an administrator on the dashboard , An attacker can attach any Zabbix Server Execute arbitrary commands on , If... Is explicitly allowed in the configuration AllowKey=system.run[*]（ Non default ） , Can be in Zabbix Agents On the implementation .

1、replace [zbx_signed_session] to [cookie]

2、sign in with Single Sign-On (SAML)

Bypass login and enter the background

EXP

Focus on official account back office reply “CVE-2022-23131” obtain