cbcvebase.
CVE-2009-0546
published 2009-02-12

Priority: P349
Severity: critical, CVSS 2.0 base score 9.3 (vector AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 36.51% (98.3rd percentile)
Stack-based buffer overflow in NewsGator FeedDemon 2.7 and earlier allows user-assisted remote attackers to execute arbitrary code via a long text attribute in an outline element in a .opml file.

Affected (5 ranges)

Vendor     Product    Version range  Fixed in
newsgator  feeddemon  <= 2.7         -

The remaining four entries list newsgator / feeddemon with no version range or fix version given.

Detection & IOCs (extracted from sources)

filename: msf.opml
filename: feeddemonexploit.opml
address: 0x00501655 (pop/pop/ret gadget in FeedDemon.exe v3.1.0.12 used by the Metasploit module; not a registry key)
bytes: \xff\xfe (UCS-2LE BOM prefix in malicious OPML file)
  • The exploit triggers via import of a specially crafted .opml file containing an oversized 'text' attribute in an <outline> element. Monitor FeedDemon for file-import operations involving .opml files with abnormally long 'text' attribute values (e.g., 30000+ bytes).
  • The Metasploit module uses an SEH-based exploitation technique with a pop/pop/ret gadget at 0x00501655 in FeedDemon.exe v3.1.0.12. Detection of SEH chain overwrites in FeedDemon process memory is a strong indicator of exploitation.
  • The Metasploit module uses AlphanumMixed encoder with ECX as the BufferRegister. Payloads in memory will begin with 'IIIII...' alphanumeric patterns. Scanning FeedDemon process memory for large alphanumeric NOP sleds following OPML import can indicate exploitation.
  • Malicious OPML files crafted for this exploit are encoded in UCS-2LE (Unicode) and begin with the byte sequence 0xFF 0xFE. Inspect .opml files opened by FeedDemon for this BOM combined with oversized outline text attributes.
  • The exploit payload bad characters include: 0x0a, 0xd8–0xdf, 0xff. Payloads will avoid these bytes; use this constraint when writing byte-pattern signatures for shellcode detection in FeedDemon process memory.
  • The PoC uses a buffer of 30000 'D' characters (0x44) as the malicious text attribute value. A signature matching an outline element with a text attribute containing thousands of repeated bytes in an OPML file is a reliable detection point.
  • All FeedDemon versions are suspected vulnerable, not just 2.7. The Metasploit module was tested and confirmed working against v3.1.0.12, well beyond the originally reported version.
  • The Metasploit module's payload space is limited to 1024 bytes and NOP generation is disabled (DisableNops: true). Payload delivery relies entirely on the AlphanumMixed encoder; standard shellcode detection signatures may not match.
  • The standalone exploit (11379) dynamically searches process memory for a CALL/JMP ESP gadget at runtime rather than using a hardcoded return address, making static ROP-gadget-based detection unreliable for that variant.
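Added example (written for this page; it is not code from cbcvebase, the advisory or the Metasploit module): a Python check that turns the file-level indicators above into a scanner for .opml files. It decodes a file prefixed with the UCS-2LE BOM (0xFF 0xFE), parses the OPML, and flags <outline> elements whose text attribute is oversized or consists of a long run of one repeated character, falling back to a lenient regex when the XML is too broken to parse. The thresholds (4096 and 1024) and the sample documents are assumptions constructed for the example, not values from FeedDemon or the advisory.

```python
import re
import xml.etree.ElementTree as ET

# Thresholds are assumptions for this example, not values taken from FeedDemon or the advisory.
MAX_TEXT_ATTR_LEN = 4096   # legitimate <outline text="..."> titles are far shorter than this
MIN_REPEAT_RUN = 1024      # a padding-style run of one repeated character
UCS2LE_BOM = b"\xff\xfe"   # byte order mark the advisory record lists as an indicator
UTF8_BOM = b"\xef\xbb\xbf"

XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>", re.DOTALL)
# Lenient fallback for files too broken for the XML parser; tolerates a missing closing quote.
OUTLINE_TEXT = re.compile(r'<outline\b[^>]*?\btext\s*=\s*(["\'])(.*?)(?:\1|$)',
                          re.IGNORECASE | re.DOTALL)


def decode_opml(raw: bytes):
    """Return (text, has_ucs2le_bom), decoding UCS-2LE when the 0xFF 0xFE BOM is present."""
    if raw.startswith(UCS2LE_BOM):
        return raw[len(UCS2LE_BOM):].decode("utf-16-le", errors="replace"), True
    if raw.startswith(UTF8_BOM):
        raw = raw[len(UTF8_BOM):]
    return raw.decode("utf-8", errors="replace"), False


def longest_repeat_run(value: str) -> int:
    """Length of the longest run of a single repeated character (0 for an empty string)."""
    return max((m.end() - m.start() for m in re.finditer(r"(.)\1*", value, re.DOTALL)), default=0)


def outline_text_values(text: str):
    """Return (list of text= values on <outline> elements, xml_was_well_formed)."""
    body = XML_DECL.sub("", text, count=1)   # drop the declaration so encoding claims cannot conflict
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return [m.group(2) for m in OUTLINE_TEXT.finditer(body)], False
    return [el.get("text") for el in root.iter("outline") if el.get("text") is not None], True


def scan_opml(raw: bytes) -> dict:
    """Check one OPML document against the file-level indicators: BOM, oversized text=, repeated runs."""
    text, has_bom = decode_opml(raw)
    values, well_formed = outline_text_values(text)
    findings = []
    for idx, value in enumerate(values):
        if len(value) > MAX_TEXT_ATTR_LEN:
            findings.append({"outline": idx, "rule": "oversized_text_attr", "length": len(value)})
        run = longest_repeat_run(value)
        if run >= MIN_REPEAT_RUN:
            findings.append({"outline": idx, "rule": "repeated_char_run", "run": run})
    if not well_formed:
        findings.append({"outline": None, "rule": "malformed_xml", "note": "fell back to regex extraction"})
    return {
        "ucs2le_bom": has_bom,
        "outline_count": len(values),
        "findings": findings,
        # An oversized text= value is the trigger condition; the BOM on its own is only a hint.
        "suspicious": any(f["rule"] == "oversized_text_attr" for f in findings),
    }


# Constructed test inputs; none of these is a file from the advisory or the Metasploit module.
BENIGN_OPML = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<opml version="1.0"><head><title>Subscriptions</title></head><body>\n'
    b'<outline text="Security news" title="Security news">\n'
    b'  <outline text="Example feed" type="rss" xmlUrl="http://example.invalid/feed.xml"/>\n'
    b'</outline></body></opml>\n'
)
# The stray "<bad<" makes the XML parser fail, which exercises the regex fallback.
MALFORMED_OPML = b'<opml><body><outline text="' + b"E" * 5000 + b'"><bad</body></opml>'


def build_oversized_sample(length: int = 30000, fill: str = "D") -> bytes:
    """UCS-2LE OPML with one outline whose text= value is `length` copies of `fill` (constructed test input)."""
    doc = ('<?xml version="1.0" encoding="UTF-16"?>'
           '<opml version="1.0"><body><outline text="' + fill * length + '"/></body></opml>')
    return UCS2LE_BOM + doc.encode("utf-16-le")


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_OPML), ("malformed", MALFORMED_OPML),
                       ("oversized-ucs2le", build_oversized_sample())):
        result = scan_opml(blob)
        verdict = "SUSPICIOUS" if result["suspicious"] else "clean"
        print(f"{name:16s} {verdict:10s} bom={result['ucs2le_bom']} findings={result['findings']}")
```

In practice `scan_opml(open(path, "rb").read())` would run on quarantined downloads or mail attachments before they reach a reader; the length threshold is the detection point, the repeated-character rule catches the padding-style value described in the PoC bullet, and the fallback path matters because a file that crashes a parser is exactly the kind that may not be well-formed XML.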