CVE-2009-3233

changetrack 4.3 - OS Command Injection via Filename with CRLF and Shell Metacharacters

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-3233. PoCs published by Rick.

AI-analyzed exploit summary This exploit demonstrates a local privilege escalation vulnerability in Changetrack due to improper escaping of filenames. By creating a maliciously named file, an attacker can execute arbitrary shell commands with root privileges when Changetrack processes the directory.

Description

changetrack 4.3 allows local users to execute arbitrary commands via CRLF sequences and shell metacharacters in a filename in a directory that is checked by changetrack.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Rick · textlocallinux
https://www.exploit-db.com/exploits/9709

This exploit demonstrates a local privilege escalation vulnerability in Changetrack due to improper escaping of filenames. By creating a maliciously named file, an attacker can execute arbitrary shell commands with root privileges when Changetrack processes the directory.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: Changetrack (version not specified)
No auth needed
Prerequisites: Write access to a directory monitored by Changetrack
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2009/09/16/3
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/36420
Exploit, Patch x_refsource_confirm
http://bugs.debian.org/546791
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36756

Scores

EPSS 0.0023
EPSS Percentile 45.2%

Details

CWE
CWE-78
Status published
Products (1)
cameron_morland/changetrack 4.3
Published Sep 17, 2009
Tracked Since Feb 18, 2026