CVE-2009-4502
Published: 2009-12-31
Priority: P265 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 21.57% (97.3th percentile)
The NET_TCP_LISTEN function in net.c in Zabbix Agent before 1.6.7, when running on FreeBSD or Solaris, allows remote attackers to bypass the EnableRemoteCommands setting and execute arbitrary commands via shell metacharacters in the argument to net.tcp.listen. NOTE: this attack is limited to attacks from trusted IP addresses.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | zabbix | < zabbix 1:1.8-1 (bookworm) | zabbix 1:1.8-1 (bookworm) |
| zabbix | zabbix | <= 1.6.6 | — |
| zabbix | zabbix | — | — |
| zabbix | zabbix | — | — |
| zabbix | zabbix | — | — |
| zabbix | zabbix | — | — |
| zabbix | zabbix | — | — |
| zabbix | zabbix | — | — |
| zabbix | zabbix | — | — |
| zabbix | zabbix | — | — |
| zabbix | zabbix | >= 0 < 1:1.8-1 | 1:1.8-1 |
| zabbix | zabbix | >= 0 < 1:1.8-1 | 1:1.8-1 |
| zabbix | zabbix | >= 0 < 1:1.8-1 | 1:1.8-1 |
| zabbix | zabbix | >= 0 < 1:1.8-1 | 1:1.8-1 |
Detection & IOCs (extracted from sources)
- Detect shell metacharacter injection in Zabbix agent requests: look for net.tcp.listen[] queries containing single-quote and semicolon characters on TCP port 10050.
- Monitor Zabbix agent (TCP/10050) for responses containing 'ZBX_NOTSUPPORTED' or 'ZBXD' to identify active probing or exploitation attempts.
- Flag any net.tcp.listen[] request arriving on TCP/10050 that contains shell metacharacters (single quotes, semicolons) as a command injection attempt against CVE-2009-4502.
- The exploit requires the attacker to originate from or spoof a trusted/authorized Zabbix server IP; correlate unexpected net.tcp.listen[] queries from non-standard or spoofed source IPs.
- Vulnerability only affects Zabbix Agent running on FreeBSD or Solaris; Linux/Windows agents are not impacted. Scope detection rules accordingly.
- The EnableRemoteCommands=0 setting is bypassed by this vulnerability; disabling remote commands is NOT a sufficient mitigation on affected platforms.
- Exploitation is limited to attackers originating from (or spoofing) a trusted IP address as defined in the Zabbix agent configuration file.
- Faulty code is specifically in the NET_TCP_LISTEN() function within libs/zbxsysinfo/(freebsd|solaris)/net.c; patched in version 1.6.7.
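The request-side checks listed above, as an added example that is not taken from any of the indexed sources: it inspects captured requests to TCP/10050 and flags net.tcp.listen[] queries whose argument carries shell metacharacters, is not a plain port number, or comes from an unexpected source. The trusted-server address, the function names and the handling of optional ZBXD framing are assumptions made for the example.

```python
import ipaddress
import re

# Assumption: the poller addresses listed in the agent's Server= setting.
TRUSTED_SERVERS = {ipaddress.ip_address("192.0.2.10")}

KEY_RE = re.compile(r"^net\.tcp\.listen\[(?P<arg>.*)\]$", re.DOTALL)
SHELL_META = set("'\";|&`$<>(){}\\\n")


def extract_key(payload):
    """Return the item key from a request, with or without ZBXD framing."""
    if payload.startswith(b"ZBXD\x01"):
        payload = payload[13:]  # 4-byte magic, 1 flag byte, 8-byte length
    return payload.decode("latin-1").strip()


def inspect_request(src_ip, payload):
    """Return the list of findings for one request seen on TCP/10050."""
    match = KEY_RE.match(extract_key(payload))
    if match is None:
        return []  # not a net.tcp.listen[] query
    arg = match.group("arg")
    findings = []
    if SHELL_META & set(arg):
        findings.append("shell-metacharacters")
    # A legitimate argument is a bare TCP port number and nothing else.
    if not (re.fullmatch(r"[0-9]{1,5}", arg) and 0 < int(arg) <= 65535):
        findings.append("argument-not-a-port")
    if ipaddress.ip_address(src_ip) not in TRUSTED_SERVERS:
        findings.append("unexpected-source")
    return findings


# Constructed capture: (source IP, request bytes). The second request is the
# string quoted in the advisory on this page.
SAMPLES = [
    ("192.0.2.10", b"net.tcp.listen[80]\n"),
    ("192.0.2.10", b"net.tcp.listen[80';id;echo ']\n"),
    ("198.51.100.7", b"ZBXD\x01" + (18).to_bytes(8, "little") + b"net.tcp.listen[22]"),
    ("192.0.2.10", b"agent.ping\n"),
]

if __name__ == "__main__":
    for src, raw in SAMPLES:
        print(src, raw, inspect_request(src, raw))
```

Because a request from a trusted address can still be hostile on affected agents, the metacharacter and port checks run regardless of the source address.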
CVSS provenance
nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
osv · 9.3 CRITICAL
vendor_debian · 9.3 CRITICAL
Debian
CVE-2009-4502: zabbix - The NET_TCP_LISTEN function in net.c in Zabbix Agent before 1.6.7, when running ...
vendor_debian·2009·CVSS 9.3
CVE-2009-4502 [CRITICAL] CVE-2009-4502: zabbix - The NET_TCP_LISTEN function in net.c in Zabbix Agent before 1.6.7, when running ...
Scope: local
bookworm: resolved (fixed in 1:1.8-1)
bullseye: resolved (fixed in 1:1.8-1)
forky: resolved (fixed in 1:1.8-1)
sid: resolved (fixed in 1:1.8-1)
trixie: resolved (fixed in 1:1.8-1)
GHSA
GHSA-v6qg-5p9x-9hh9: The NET_TCP_LISTEN function in net
ghsa_unreviewed·2022-05-02
CVE-2009-4502 [HIGH] GHSA-v6qg-5p9x-9hh9: The NET_TCP_LISTEN function in net
OSV
CVE-2009-4502: The NET_TCP_LISTEN function in net
osv·2009-12-31·CVSS 9.3
CVE-2009-4502 [CRITICAL] CVE-2009-4502: The NET_TCP_LISTEN function in net
No detection rules found.
Exploit-DB
Zabbix Agent - 'net.tcp.listen' Command Injection (Metasploit)
exploitdb·2010-07-03
CVE-2009-4502 Zabbix Agent - 'net.tcp.listen' Command Injection (Metasploit)
---
##
# $Id: zabbix_agent_exec.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Zabbix Agent net.tcp.listen Command Injection',
'Description' => %q{
This module exploits a metacharacter injection vulnerability
in the FreeBSD and Solaris versions of the Zabbix agent. This flaw
can only be exploited if the attacker can hijack the IP address
of an authorized server (as defined in the configuration file).
},
'Author' => [ 'hdm' ],
'License' => MS
Exploit-DB
Zabbix Agent < 1.6.7 - Remote Bypass
exploitdb·2009-12-14
CVE-2009-4502 Zabbix Agent < 1.6.7 - Remote Bypass
Zabbix Agent
Date: Sun, 13 Dec 2009 16:28:30 +0100
From Wikipedia : "Zabbix is a network management system application
[...] designed to monitor and track the status of various network
services, servers, and other network hardware."
[Zabbix Agent : Bypass of EnableRemoteCommands=0]
Impacted software : Zabbix Agent (FreeBSD and Solaris only)
Zabbix reference : https://support.zabbix.com/browse/ZBX-1032
Patched version : 1.6.7
Faulty source code : function NET_TCP_LISTEN() in
libs/zbxsysinfo/(freebsd|solaris)/net.c
Exploit : $> echo "net.tcp.listen[80';id;echo ']"|nc -vn xxxxx 10050
Limitation : attacker must come from (or spoof) a trusted IP address
Changelog entry : fixed security vulnerability in processing of
net.tcp.listen under FreeBSD and Solaris agents
Metasploit
Zabbix Agent net.tcp.listen Command Injection
metasploit
This module exploits a metacharacter injection vulnerability in the FreeBSD and Solaris versions of the Zabbix agent. This flaw can only be exploited if the attacker can hijack the IP address of an authorized server (as defined in the configuration file).
No writeups or analysis indexed.
http://secunia.com/advisories/37740
http://www.securityfocus.com/archive/1/508439
http://www.vupen.com/english/advisories/2009/3514
https://support.zabbix.com/browse/ZBX-1032
2009-12-31
Published