CVE-2009-4273
published 2010-01-26

CVE-2009-4273: stap-server in SystemTap before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in stap command-line arguments in a request.

Priority: P269 · Severity: critical · CVSS 2.0 base score: 10 (vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: flagged
EPSS: 17.72% (96.8th percentile)

Affected

36 ranges (showing 25)

Vendor      Product     Version range                    Fixed in
debian      systemtap   < systemtap 1.2-1 (bookworm)     systemtap 1.2-1 (bookworm)
debian      systemtap   < systemtap 1.1-1 (bookworm)     systemtap 1.1-1 (bookworm)
systemtap   systemtap   <= 1.0
systemtap   systemtap   (no version range given)

Detection & IOCs (extracted from sources)

command: stap-client \; ...
command: stap-client -; ...
command: stap-client -D 'asdf ; ls /etc' ...
command: stap-client -e 'script' -D 'asdf ; \; '
  • Monitor stap-client invocations for shell metacharacters (semicolons, backslashes) in command-line arguments, particularly in -D and -e parameters, which are the documented injection vectors for CVE-2009-4273.
  • Alert on stap-server network requests containing shell metacharacters in stap command-line arguments, as the server-side bash script does not sanitize inputs from clients.
  • Detect use of the -B (BUILD) option passed to stap-server, which can be abused to inject arbitrary arguments into a make invocation (related incomplete-fix vector CVE-2010-0412 in the stap->make chain).
  • The full injection chain is stap-server -> stap -> make; monitor for unexpected make invocations spawned as children of the stap-server process, especially with attacker-controlled arguments.
  • stap-server is an optional network compilation server component; if it is not running or is not exposed to untrusted networks, the attack surface for CVE-2009-4273 does not exist.
  • SystemTap 0.6.2 on EL4 does not include server functionality and is therefore unaffected by this vulnerability.
  • The fix shipped in SystemTap 1.1 was incomplete; the stap->make injection path remained exploitable and was separately tracked as CVE-2010-0412, requiring additional patches before full remediation.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
osv                       10.0    CRITICAL
vendor_debian             10.0    CRITICAL
vendor_redhat             10.0    CRITICAL