This module authenticates to the Zabbix JSON-RPC API with the supplied account, discovers the remote API version, and attempts SQLi-based administrator session extraction through CUser::addRelatedObjects(), reachable from the user.get method.

CVE-2024-42327 does not require an administrator account. A non-admin user with the default User role, or any role with API access, can reach the vulnerable user.get API path. The affected Zabbix application versions are 6.0.x before 6.0.32rc1, 6.4.x before 6.4.17rc1, and 7.0.x before 7.0.1rc1.

When SQLi session extraction succeeds, the module uses the extracted session to check whether Zabbix system.run is enabled and installs a Core Impact agent only if system.run is enabled.

The module performs the following steps:

1. Discovers a reachable Zabbix JSON-RPC API endpoint and reads the remote version.
2. Authenticates with the supplied Zabbix credentials.
3. Checks whether the detected version is within the publicly affected CVE-2024-42327 ranges.
4. Attempts to extract an administrator session through SQLi-based timing checks.
5. Commits CVE-2024-42327 when administrator session extraction succeeds.
6. Uses the extracted session to resolve the target host and interface context.
7. Checks whether Zabbix system.run is enabled on the target Zabbix agent.
8. Installs a Core Impact agent through system.run only when that capability is available.
9. Removes temporary Zabbix items created during probing or deployment.
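For patch triage, the affected-range check from step 3 can be run against an inventory of Zabbix version strings. The following is an added example, not the module's own code; the names parse_version, is_affected and the sample inventory are hypothetical, and the ordering alpha < beta < rc < final release is an assumption about how Zabbix pre-release suffixes sort.

```python
import re

# Fixed-in versions per branch, taken from the affected ranges stated above.
FIXED_IN = {
    (6, 0): "6.0.32rc1",
    (6, 4): "6.4.17rc1",
    (7, 0): "7.0.1rc1",
}

# Assumption: pre-release stages sort before the final release of the same x.y.z.
STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2, "": 3}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?$")


def parse_version(text):
    """Return a sortable tuple for a Zabbix version string such as '6.0.32rc1'."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Zabbix version: {text!r}")
    major, minor, patch, stage, stage_num = m.groups()
    return (int(major), int(minor), int(patch),
            STAGE_RANK[stage or ""], int(stage_num or 0))


def is_affected(text):
    """True if the version falls inside one of the affected ranges listed above."""
    version = parse_version(text)
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return False  # branch is not covered by the ranges on this page
    return version < parse_version(fixed)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = {"zbx-prod": "6.0.31", "zbx-lab": "6.0.32rc1",
                 "zbx-dr": "6.4.17", "zbx-new": "7.0.0", "zbx-old": "5.0.40"}
    for host, ver in inventory.items():
        status = "AFFECTED" if is_affected(ver) else "not in listed ranges"
        print(f"{host:10} {ver:12} {status}")
```

A False result only means the version is outside the three ranges listed on this page; branches the page does not mention are not evaluated.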