Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

📄 Zabbix Agent Binaries 7.4 OpenSSL Path Scanner

🗓️ 29 Jan 2026 00:00:00Reported by indoushkaType 
packetstorm
 packetstorm🔗 packetstorm.news👁 136 Views

Static analysis of Zabbix Agent binaries reveals hardcoded OpenSSL paths and tests exploitability.

Related
Code
ReporterTitlePublishedViews
Family
AlpineLinux		CVE-2025-27237
3 Oct 202512:15
alpinelinux
Circl		CVE-2025-27237
6 Oct 202506:48
circl
CNNVD		Zabbix Agent 安全漏洞
3 Oct 202500:00
cnnvd
CVE		CVE-2025-27237
3 Oct 202511:28
cve
Cvelist		CVE-2025-27237 DLL injection in Zabbix Agent and Agent 2 via OpenSSL configuration
3 Oct 202511:28
cvelist
Debian CVE		CVE-2025-27237
3 Oct 202511:28
debiancve
GithubExploit		Exploit for CVE-2025-27237
26 Jan 202616:31
githubexploit
EUVD		EUVD-2025-32239
3 Oct 202511:28
euvd
NVD		CVE-2025-27237
3 Oct 202512:15
nvd
Packet Storm News		Zabbix Agent Binaries Path Abuse Scanner
6 Feb 202600:00
packetstormnews
Rows per page
=============================================================================================================================================
    | # Title     : Zabbix Agent Binaries 7.4 for Hardcoded OpenSSL Paths and Potential Provider Abuse                                          |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.zabbix.com/download_agents                                                                                      |
    =============================================================================================================================================
    
    [+] References : 
    
    [+] Summary    :  This tool performs static analysis on Zabbix Agent binaries to identify hardcoded OpenSSL paths such as OPENSSLDIR, ENGINESDIR, and MODULESDIR.
                      It leverages strings and radare2 to extract embedded configuration paths, OpenSSL version information, 
    				  and indicators of dynamic engine or module loading (e.g., CONF_modules_load, ENGINE_by_id, dynamic_path).
                      Based on the extracted data, the script evaluates the potential exploitability of the binary by determining whether 
    				  the OpenSSL configuration directory may be user-writable, which could allow malicious provider or engine injection via a crafted openssl.cnf.
                      The output includes both human-readable analysis and structured JSON results, making the tool suitable for vulnerability research, C
    				  VE validation, and large-scale binary auditing.
    
    [+] POC :
    
    #!/usr/bin/env python3
    
    import subprocess
    import sys
    import re
    import json
    from pathlib import Path
    
    
    def safe_run(cmd, timeout):
        try:
            proc = subprocess.run(
                cmd,
                capture_output=True,
                text=True,
                timeout=timeout
            )
            if proc.returncode != 0:
                return ""
            return proc.stdout
        except Exception:
            return ""
    
    
    def extract_with_strings(binary_path: str) -> dict:
        result = {
            "binary": binary_path,
            "openssl_version": None,
            "openssldir": None,
            "enginesdir": None,
            "modulesdir": None,
            "has_conf_modules_load": False,
            "has_engine_by_id": False,
            "has_dynamic_path": False,
        }
    
        output = safe_run(["strings", binary_path], 60)
    
        if not output:
            return result
    
        version_match = re.search(r'OpenSSL\s+(\d+\.\d+\.\d+[^\s]*)', output)
        if version_match:
            result["openssl_version"] = version_match.group(1)
    
        for key in ("OPENSSLDIR", "ENGINESDIR", "MODULESDIR"):
            m = re.search(rf'{key}:\s*"([^"]+)"', output)
            if m:
                result[key.lower()] = m.group(1)
    
        result["has_conf_modules_load"] = "CONF_modules_load" in output
        result["has_engine_by_id"] = "ENGINE_by_id" in output
        result["has_dynamic_path"] = "dynamic_path" in output
    
        return result
    
    
    def extract_with_r2(binary_path: str) -> dict:
        result = {
            "binary": binary_path,
            "openssl_version": None,
            "openssldir": None,
            "openssldir_offset": None,
            "enginesdir": None,
            "enginesdir_offset": None,
            "modulesdir": None,
            "modulesdir_offset": None,
        }
    
        def parse_izz(keyword):
            out = safe_run(["r2", "-q", "-c", f"izz~{keyword}", binary_path], 120)
            for line in out.splitlines():
                if keyword in line:
                    m = re.search(r'0x([0-9a-fA-F]+)\s+0x([0-9a-fA-F]+).*?(".*")', line)
                    if m:
                        return m.group(2), m.group(3)
            return None, None
    
        off, val = parse_izz("OPENSSLDIR")
        if val:
            result["openssldir_offset"] = f"0x{off}"
            d = re.search(r'"([^"]+)"', val)
            if d:
                result["openssldir"] = d.group(1)
    
        off, val = parse_izz("ENGINESDIR")
        if val:
            result["enginesdir_offset"] = f"0x{off}"
            d = re.search(r'"([^"]+)"', val)
            if d:
                result["enginesdir"] = d.group(1)
    
        off, val = parse_izz("MODULESDIR")
        if val:
            result["modulesdir_offset"] = f"0x{off}"
            d = re.search(r'"([^"]+)"', val)
            if d:
                result["modulesdir"] = d.group(1)
    
        ver = safe_run(["r2", "-q", "-c", "izz~OpenSSL", binary_path], 120)
        m = re.search(r'OpenSSL\s+(\d+\.\d+\.\d+[^\s"]*)', ver)
        if m:
            result["openssl_version"] = m.group(1)
    
        return result
    
    def analyze_vulnerability(result: dict) -> dict:
        vuln = {
            "vulnerable": False,
            "exploitability": "unknown",
            "openssl_cnf_path": None,
            "engine_dll_path": None,
            "notes": []
        }
        openssldir = result.get("openssldir")
        enginesdir = result.get("enginesdir")
    
        if not openssldir:
            vuln["notes"].append("OPENSSLDIR not found")
            return vuln
    
        vuln["openssl_cnf_path"] = openssldir.rstrip("/\\") + "/openssl.cnf"
        vuln["engine_dll_path"] = enginesdir
    
        path = openssldir.lower()
    
        user_writable_hint = any(x in path for x in ("vcpkg", "users", "home", "usr\\local", "usr/local"))
    
        if user_writable_hint and result.get("has_conf_modules_load"):
            vuln["vulnerable"] = True
            vuln["exploitability"] = "potentially_user_writable"
            vuln["notes"].append("Writable-looking OPENSSLDIR with module loading enabled")
    
        if result.get("has_engine_by_id"):
            vuln["notes"].append("ENGINE_by_id present (engine loading supported)")
    
        if "program files" in path:
            vuln["exploitability"] = "requires_admin"
            vuln["notes"].append("Protected directory (Program Files)")
    
        return vuln
    
    
    def main():
        if len(sys.argv) < 2:
            print(f"Usage: {sys.argv[0]} <binary> [...]")
            sys.exit(1)
    
        results = []
    
        for binary in sys.argv[1:]:
            if not Path(binary).exists():
                print(f"File not found: {binary}", file=sys.stderr)
                continue
    
            r2 = extract_with_r2(binary)
            s = extract_with_strings(binary)
    
            for k in ("openssl_version", "openssldir", "enginesdir", "modulesdir"):
                if not r2.get(k):
                    r2[k] = s.get(k)
    
            r2.update({
                "has_conf_modules_load": s["has_conf_modules_load"],
                "has_engine_by_id": s["has_engine_by_id"],
                "has_dynamic_path": s["has_dynamic_path"],
            })
    
            r2["vulnerability"] = analyze_vulnerability(r2)
            results.append(r2)
    
            print(json.dumps(r2, indent=2))
    
        print("\n--- JSON Output ---")
        print(json.dumps(results, indent=2))
    
    
    if __name__ == "__main__":
        main()
    
    
    	
    Greetings to :============================================================
    jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
    ==========================================================================

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
29 Jan 2026 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 47.3
EPSS0.00011
SSVC
Zabbix agentOpenSSL pathsHardcoded pathsOpenSSL versionDynamic engine loadOpenSSL configurationBinary auditingVulnerability research
136