Today I was reminded of a little pen-test I did last year, which in turn reminded me that I should write down why the Zabbix remote command feature seems like a bad idea to me most of the time.
Zabbix is a popular agent-based monitoring solution, and it can run remote commands on its agents (the system.run item key; it is switched on per agent with EnableRemoteCommands=1 in older agent versions, or with an AllowKey=system.run[*] rule in agent 5.0 and later). Having your monitoring system restart a hung service automatically is convenient, but enabling that feature has other consequences that people fail to take into account or simply ignore.
Namely, it opens up a whole new attack vector for easily gaining a foothold on your servers. One issue is that monitoring instances are usually not that well protected; in a lot of cases the reasoning is that "it's just monitoring, there's nothing sensitive there". I disagree with that, but I'm not going to rant about it here. The statement becomes completely wrong as soon as you enable the remote command ability on the agents: whoever gets admin access to the Zabbix frontend can then run commands, as the agent's user, on every host that has it enabled.
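As an added example (not from the original post, and not Zabbix's own tooling), here is a small POSIX shell audit that reports whether a given zabbix_agentd.conf leaves remote commands reachable, and shows the weak settings next to a hardened one. It assumes the documented agent behaviour: older agents enable remote commands with EnableRemoteCommands=1; agents 5.0 and later evaluate AllowKey/DenyKey rules in file order, the first match wins, and system.run[*] is denied unless a rule explicitly allows it. For brevity it treats a rule as covering system.run when its key part is system.run or the bare wildcard *, which is a simplification of Zabbix's pattern matching. The function name and the sample config files it writes are my own, constructed for the demo.

```shell
#!/bin/sh
# Added example: audit zabbix_agentd.conf files for remote command execution.
# Not Zabbix's own code. Assumptions (see lead-in): EnableRemoteCommands=1 on
# old agents; AllowKey/DenyKey first-match-wins with an implicit final
# DenyKey=system.run[*] on agent 5.0+; a rule covers system.run when its key
# part is "system.run" or "*" (simplified pattern matching).

# remote_commands_enabled FILE -> exit 0 if system.run is reachable, 1 if not.
# Prints the deciding line so the finding can be cited in a report.
remote_commands_enabled() {
    conf="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*) continue ;;            # blank lines and comments
        esac
        name=${line%%=*}
        value=${line#*=}
        case "$name" in
            EnableRemoteCommands)
                if [ "$value" = "1" ]; then
                    echo "$conf: ENABLED via EnableRemoteCommands=1"
                    return 0
                fi
                ;;
            AllowKey|DenyKey)
                key=${value%%\[*}          # item key without its parameters
                if [ "$key" = "system.run" ] || [ "$key" = "*" ]; then
                    if [ "$name" = "AllowKey" ]; then
                        echo "$conf: ENABLED via AllowKey=$value"
                        return 0
                    fi
                    echo "$conf: disabled via DenyKey=$value"
                    return 1
                fi
                ;;
        esac
    done < "$conf"
    echo "$conf: disabled (no rule; system.run is denied by default)"
    return 1
}

# Demo on constructed config files: two weak variants and a hardened one.
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak-old.conf" <<'EOF'
Server=10.0.0.5
EnableRemoteCommands=1
EOF
cat > "$demo_dir/weak-5.0.conf" <<'EOF'
Server=10.0.0.5
AllowKey=system.run[*]
EOF
cat > "$demo_dir/hardened.conf" <<'EOF'
Server=10.0.0.5
# Deny first: the first matching rule wins, so a later AllowKey=* cannot
# re-enable system.run.
DenyKey=system.run[*]
AllowKey=*
EOF
for f in "$demo_dir"/*.conf; do
    remote_commands_enabled "$f" || true
done
rm -rf "$demo_dir"
```

Run it against the agent configs collected from your fleet (for example by pulling /etc/zabbix/zabbix_agentd.conf from each host) and treat every ENABLED line as a host on which frontend admin access equals command execution. Note the ordering trap the hardened sample guards against: AllowKey=* placed before DenyKey=system.run[*] silently re-enables remote commands.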
So what harm can come from the remote command feature? Why is it bad? In one of my pen-test engagements I used it to take over the client's whole infrastructure. Although it's "just a monitoring solution", gaining access to it was enough to compromise all of their servers thanks to the remote command feature. How I got access to their monitoring system is another matter (they had multiple setup failures there), but that's beside the point. Never have devices with admin access to any system lying around unprotected in your office, e.g. a monitoring dashboard meant to show your service status in the reception area.
Without getting too technical, here is a short description of what happened. After gaining access to the monitoring dashboard and noticing it had Zabbix admin privileges, I did the following:
* Tested whether remote command execution was enabled on some hosts; it was.
* Used that to figure out which of their servers had unrestricted outbound internet access.
* Started a simple remote shell on the internet-capable devices, just to make my life easier.
* Found out their systems' patch levels via Zabbix and abused an existing sudo vulnerability to gain root privileges.
Long story short: think twice about activating that feature; maybe there is a better way to do what you need. Oh, and patch your systems, as that sudo vulnerability was already quite old at the time.