CVE-2009-4502

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

The NET_TCP_LISTEN function in net.c in Zabbix Agent before 1.6.7, when running on FreeBSD or Solaris, allows remote attackers to bypass the EnableRemoteCommands setting and execute arbitrary commands via shell metacharacters in the argument to net.tcp.listen. NOTE: this attack is limited to attacks from trusted IP addresses.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-10431 webapps multiple verified text · 1 KB

Nicob · 2009-12-14

Zabbix Agent < 1.6.7 - Remote Bypass

text exploit Source: Exploit-DB

Zabbix Agent : Bypass of EnableRemoteCommands=0 From: Nicob <nicob () nicob net>
Date: Sun, 13 Dec 2009 16:28:30 +0100

From Wikipedia : "Zabbix is a network management system application

[...] designed to monitor and track the status of various network
services, servers, and other network hardware."

[Zabbix Agent : Bypass of EnableRemoteCommands=0]

Impacted software : Zabbix Agent (FreeBSD and Solaris only)
Zabbix reference : https://support.zabbix.com/browse/ZBX-1032
Patched version : 1.6.7

Faulty source code : function NET_TCP_LISTEN() in
libs/zbxsysinfo/(freebsd|solaris)/net.c

Exploit : $> echo "net.tcp.listen[80';id;echo ']"|nc -vn xxxxx 10050
Limitation : attacker must come from (or spoof) a trusted IP address

Changelog entry : fixed security vulnerability in processing of
net.tcp.listen under FreeBSD and Solaris agents

EDB-16918 remote freebsd verified

Metasploit · 2010-07-03

Zabbix Agent - 'net.tcp.listen' Command Injection (Metasploit)

Source code queued for fetch — refresh in a moment.

Metasploit modules

exploit_unix/misc/zabbix_agent_exec rank 600

Zabbix Agent net.tcp.listen Command Injection

Source fetch failed: fetch_error — view the original via the link above.

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`1:1.8-1`
sid	Fixed	`1:1.8-1`
forky	Fixed	`1:1.8-1`
bullseye	Fixed	`1:1.8-1`
bookworm	Fixed	`1:1.8-1`

References

https://security-tracker.debian.org/tracker/CVE-2009-4502

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.