From 076f7bee2c42d819a98c5ae3b407183b616a7074 Mon Sep 17 00:00:00 2001
From: Alexey Pustovalov
Date: Wed, 2 Oct 2024 00:35:21 +0900
Subject: [PATCH] Fixed possible injection of traps in trap receiver
---
 .../alpine/conf/usr/sbin/zabbix_trap_handler.sh | 15 +++++++++++++++
 .../centos/conf/usr/sbin/zabbix_trap_handler.sh | 15 +++++++++++++++
 .../ol/conf/usr/sbin/zabbix_trap_handler.sh | 15 +++++++++++++++
 .../rhel/conf/usr/sbin/zabbix_trap_handler.sh | 15 +++++++++++++++
 .../ubuntu/conf/usr/sbin/zabbix_trap_handler.sh | 15 +++++++++++++++
 5 files changed, 75 insertions(+)
diff --git a/Dockerfiles/snmptraps/alpine/conf/usr/sbin/zabbix_trap_handler.sh b/Dockerfiles/snmptraps/alpine/conf/usr/sbin/zabbix_trap_handler.sh
index b3f317e08..8759a8cec 100644
--- a/Dockerfiles/snmptraps/alpine/conf/usr/sbin/zabbix_trap_handler.sh
+++ b/Dockerfiles/snmptraps/alpine/conf/usr/sbin/zabbix_trap_handler.sh
@@ -44,4 +44,19 @@ done
 [[ "$ZBX_SNMP_TRAP_USE_DNS" == "true" ]] && ! [[ ${host} =~ \[(.*?)\].*\-\> ]] && sender_addr=$host
+# Header in Zabbix format shouldn't exist anywhere in vars, it is injection
+# Must exit with 0
+date_regex=$(echo "$ZBX_SNMP_TRAP_DATE_FORMAT" | sed -e 's/^+//g' \
+ -e 's/%Y/[0-9]\{4\}/g' \
+ -e 's/%m/[0-9]\{2\}/g' \
+ -e 's/%d/[0-9]\{2\}/g' \
+ -e 's/%T/[0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\}/g' \
+ -e 's/%z/[\+\-][0-9]\{4\}/g' \
+ -e 's/%H/[0-9]\{2\}/g' \
+ -e 's/%M/[0-9]\{2\}/g' \
+ -e 's/%S/[0-9]\{2\}/g')
+
+zbx_trap_regex="$date_regex ZBXTRAP"
+echo "$vars" | grep -qE "$zbx_trap_regex" && exit 0
+
 echo -e "$date ZBXTRAP $sender_addr$ZBX_SNMP_TRAP_FORMAT$sender$ZBX_SNMP_TRAP_FORMAT$vars" >> $ZABBIX_TRAPS_FILE
diff --git a/Dockerfiles/snmptraps/centos/conf/usr/sbin/zabbix_trap_handler.sh b/Dockerfiles/snmptraps/centos/conf/usr/sbin/zabbix_trap_handler.sh
index b3f317e08..8759a8cec 100644
--- a/Dockerfiles/snmptraps/centos/conf/usr/sbin/zabbix_trap_handler.sh
+++ b/Dockerfiles/snmptraps/centos/conf/usr/sbin/zabbix_trap_handler.sh
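Review bot: The new filter inspects `$vars` with a plain `echo`, but the line that writes the trap uses `echo -e`, so backslash escapes in the trap payload are decoded only after the check has passed (assuming bash's default `echo`, which the `[[ … =~ ]]` context line suggests). Header text that arrives escape-encoded would therefore not be seen by `grep`, yet it would appear decoded in `$ZABBIX_TRAPS_FILE`. Run the check on the same decoded text that is written, e.g. `echo -e "$vars" | grep -qE "$zbx_trap_regex" && exit 0`, and consider applying it to `$sender_addr` and `$sender` as well if they can carry sender-supplied text, since they pass through the same `echo -e` unchecked. The identical hunk is repeated for the centos, ol, rhel and ubuntu copies of zabbix_trap_handler.sh, and the script continues outside the hunk.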
@@ -44,4 +44,19 @@ done
 [[ "$ZBX_SNMP_TRAP_USE_DNS" == "true" ]] && ! [[ ${host} =~ \[(.*?)\].*\-\> ]] && sender_addr=$host
+# Header in Zabbix format shouldn't exist anywhere in vars, it is injection
+# Must exit with 0
+date_regex=$(echo "$ZBX_SNMP_TRAP_DATE_FORMAT" | sed -e 's/^+//g' \
+ -e 's/%Y/[0-9]\{4\}/g' \
+ -e 's/%m/[0-9]\{2\}/g' \
+ -e 's/%d/[0-9]\{2\}/g' \
+ -e 's/%T/[0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\}/g' \
+ -e 's/%z/[\+\-][0-9]\{4\}/g' \
+ -e 's/%H/[0-9]\{2\}/g' \
+ -e 's/%M/[0-9]\{2\}/g' \
+ -e 's/%S/[0-9]\{2\}/g')
+
+zbx_trap_regex="$date_regex ZBXTRAP"
+echo "$vars" | grep -qE "$zbx_trap_regex" && exit 0
+
 echo -e "$date ZBXTRAP $sender_addr$ZBX_SNMP_TRAP_FORMAT$sender$ZBX_SNMP_TRAP_FORMAT$vars" >> $ZABBIX_TRAPS_FILE
diff --git a/Dockerfiles/snmptraps/ol/conf/usr/sbin/zabbix_trap_handler.sh b/Dockerfiles/snmptraps/ol/conf/usr/sbin/zabbix_trap_handler.sh
index b3f317e08..8759a8cec 100644
--- a/Dockerfiles/snmptraps/ol/conf/usr/sbin/zabbix_trap_handler.sh
+++ b/Dockerfiles/snmptraps/ol/conf/usr/sbin/zabbix_trap_handler.sh
@@ -44,4 +44,19 @@ done
 [[ "$ZBX_SNMP_TRAP_USE_DNS" == "true" ]] && ! [[ ${host} =~ \[(.*?)\].*\-\> ]] && sender_addr=$host
+# Header in Zabbix format shouldn't exist anywhere in vars, it is injection
+# Must exit with 0
+date_regex=$(echo "$ZBX_SNMP_TRAP_DATE_FORMAT" | sed -e 's/^+//g' \
+ -e 's/%Y/[0-9]\{4\}/g' \
+ -e 's/%m/[0-9]\{2\}/g' \
+ -e 's/%d/[0-9]\{2\}/g' \
+ -e 's/%T/[0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\}/g' \
+ -e 's/%z/[\+\-][0-9]\{4\}/g' \
+ -e 's/%H/[0-9]\{2\}/g' \
+ -e 's/%M/[0-9]\{2\}/g' \
+ -e 's/%S/[0-9]\{2\}/g')
+
+zbx_trap_regex="$date_regex ZBXTRAP"
+echo "$vars" | grep -qE "$zbx_trap_regex" && exit 0
+
 echo -e "$date ZBXTRAP $sender_addr$ZBX_SNMP_TRAP_FORMAT$sender$ZBX_SNMP_TRAP_FORMAT$vars" >> $ZABBIX_TRAPS_FILE
diff --git a/Dockerfiles/snmptraps/rhel/conf/usr/sbin/zabbix_trap_handler.sh b/Dockerfiles/snmptraps/rhel/conf/usr/sbin/zabbix_trap_handler.sh
index b3f317e08..8759a8cec 100644
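Review bot: The `sed` translation of `$ZBX_SNMP_TRAP_DATE_FORMAT` into `date_regex` fails open: only `%Y %m %d %T %z %H %M %S` are rewritten, so any other specifier (for example `%F` or `%s`) stays literal in the pattern and the `grep -qE` check can then never match a real header. Regex metacharacters in the format such as `(` or `[` are passed through unescaped, and if the resulting pattern is invalid `grep` exits non-zero, so `&& exit 0` is skipped and the trap is still written. After the `zbx_trap_regex=` assignment, a fallback such as `[[ "$date_regex" == *%* ]] && zbx_trap_regex=" ZBXTRAP "` would keep the check effective for formats this list does not cover. The replacement text also appears to rely on `sed` dropping the backslash in `\{` and `\+`, which POSIX leaves unspecified; writing `{4}` and `[+-]` directly avoids that. This is a separate point from the decoding one raised on the alpine hunk, and it applies equally to the alpine, ol, rhel and ubuntu copies.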
--- a/Dockerfiles/snmptraps/rhel/conf/usr/sbin/zabbix_trap_handler.sh
+++ b/Dockerfiles/snmptraps/rhel/conf/usr/sbin/zabbix_trap_handler.sh
@@ -44,4 +44,19 @@ done
 [[ "$ZBX_SNMP_TRAP_USE_DNS" == "true" ]] && ! [[ ${host} =~ \[(.*?)\].*\-\> ]] && sender_addr=$host
+# Header in Zabbix format shouldn't exist anywhere in vars, it is injection
+# Must exit with 0
+date_regex=$(echo "$ZBX_SNMP_TRAP_DATE_FORMAT" | sed -e 's/^+//g' \
+ -e 's/%Y/[0-9]\{4\}/g' \
+ -e 's/%m/[0-9]\{2\}/g' \
+ -e 's/%d/[0-9]\{2\}/g' \
+ -e 's/%T/[0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\}/g' \
+ -e 's/%z/[\+\-][0-9]\{4\}/g' \
+ -e 's/%H/[0-9]\{2\}/g' \
+ -e 's/%M/[0-9]\{2\}/g' \
+ -e 's/%S/[0-9]\{2\}/g')
+
+zbx_trap_regex="$date_regex ZBXTRAP"
+echo "$vars" | grep -qE "$zbx_trap_regex" && exit 0
+
 echo -e "$date ZBXTRAP $sender_addr$ZBX_SNMP_TRAP_FORMAT$sender$ZBX_SNMP_TRAP_FORMAT$vars" >> $ZABBIX_TRAPS_FILE
diff --git a/Dockerfiles/snmptraps/ubuntu/conf/usr/sbin/zabbix_trap_handler.sh b/Dockerfiles/snmptraps/ubuntu/conf/usr/sbin/zabbix_trap_handler.sh
index b3f317e08..8759a8cec 100644
--- a/Dockerfiles/snmptraps/ubuntu/conf/usr/sbin/zabbix_trap_handler.sh
+++ b/Dockerfiles/snmptraps/ubuntu/conf/usr/sbin/zabbix_trap_handler.sh
@@ -44,4 +44,19 @@ done
 [[ "$ZBX_SNMP_TRAP_USE_DNS" == "true" ]] && ! [[ ${host} =~ \[(.*?)\].*\-\> ]] && sender_addr=$host
+# Header in Zabbix format shouldn't exist anywhere in vars, it is injection
+# Must exit with 0
+date_regex=$(echo "$ZBX_SNMP_TRAP_DATE_FORMAT" | sed -e 's/^+//g' \
+ -e 's/%Y/[0-9]\{4\}/g' \
+ -e 's/%m/[0-9]\{2\}/g' \
+ -e 's/%d/[0-9]\{2\}/g' \
+ -e 's/%T/[0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\}/g' \
+ -e 's/%z/[\+\-][0-9]\{4\}/g' \
+ -e 's/%H/[0-9]\{2\}/g' \
+ -e 's/%M/[0-9]\{2\}/g' \
+ -e 's/%S/[0-9]\{2\}/g')
+
+zbx_trap_regex="$date_regex ZBXTRAP"
+echo "$vars" | grep -qE "$zbx_trap_regex" && exit 0
+
 echo -e "$date ZBXTRAP $sender_addr$ZBX_SNMP_TRAP_FORMAT$sender$ZBX_SNMP_TRAP_FORMAT$vars" >> $ZABBIX_TRAPS_FILE