CVE-2009-0546
published 2009-02-12
Priority: P3 (49) · critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public · EPSS 36.51% (98.3rd percentile)
Stack-based buffer overflow in NewsGator FeedDemon 2.7 and earlier allows user-assisted remote attackers to execute arbitrary code via a long text attribute in an outline element in a .opml file.
Affected (5 ranges listed; only one carries version data)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| newsgator | feeddemon | <= 2.7 | — |
Detection & IOCs (extracted from sources)
bytes: \xff\xfe (UCS-2LE BOM prefix in malicious OPML file)
- The exploit triggers via import of a specially crafted .opml file containing an oversized 'text' attribute in an <outline> element. Monitor FeedDemon for file-import operations involving .opml files with abnormally long 'text' attribute values (e.g., 30000+ bytes).
- The Metasploit module uses an SEH-based exploitation technique with a pop/pop/ret gadget at 0x00501655 in FeedDemon.exe v3.1.0.12. Detection of SEH chain overwrites in FeedDemon process memory is a strong indicator of exploitation.
- The Metasploit module uses the AlphanumMixed encoder with ECX as the BufferRegister. Payloads in memory will begin with 'IIIII...' alphanumeric patterns. Scanning FeedDemon process memory for large alphanumeric NOP sleds following an OPML import can indicate exploitation.
- Malicious OPML files crafted for this exploit are encoded in UCS-2LE (Unicode) and begin with the byte sequence 0xFF 0xFE. Inspect .opml files opened by FeedDemon for this BOM combined with oversized outline text attributes.
- The exploit payload bad characters include 0x0a, 0xd8–0xdf and 0xff. Payloads will avoid these bytes; use this constraint when writing byte-pattern signatures for shellcode detection in FeedDemon process memory.
- The PoC uses a buffer of 30000 'D' characters (0x44) as the malicious text attribute value. A signature matching an outline element whose text attribute contains thousands of repeated bytes in an OPML file is a reliable detection point.
- All FeedDemon versions are suspected vulnerable, not just 2.7. The Metasploit module was tested and confirmed working against v3.1.0.12, well beyond the originally reported version.
- The Metasploit module's payload space is limited to 1024 bytes and NOP generation is disabled (DisableNops: true). Payload delivery relies entirely on the AlphanumMixed encoder; standard shellcode detection signatures may not match.
- The standalone exploit (11379) dynamically searches process memory for a CALL/JMP ESP gadget at runtime rather than using a hardcoded return address, making static ROP-gadget-based detection unreliable for that variant.
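A file-side scanner for the indicators listed above, added here as an example and not taken from any of the sources indexed on this page: it honours the UCS-2LE BOM the way a BOM-aware importer would, walks every `<outline>` element (falling back to a tag regex when the XML is deliberately malformed), and flags attribute values that are abnormally long or consist of one repeated character. The alert thresholds, the `build_sample` helper and the `example.invalid` feed URL are my assumptions; the 30000-byte figure is the one quoted above.

```python
"""Scan an OPML file for the CVE-2009-0546 indicators: a UCS-2LE BOM and an
<outline> element whose attribute value (typically "text") is abnormally
long or made of one repeated byte.  Constructed example; not from any source."""
import re
import xml.etree.ElementTree as ET

UCS2LE_BOM = b"\xff\xfe"
UTF16BE_BOM = b"\xfe\xff"
# Assumed alert threshold in characters.  The public PoC uses 30000 bytes;
# a feed title of a few thousand characters is already far outside normal use.
DEFAULT_MAX_ATTR_LEN = 4096
# Assumed threshold for "thousands of repeated bytes" inside one attribute value.
DEFAULT_MAX_RUN = 1024

_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>", re.S)
_OUTLINE_TAG = re.compile(r"<outline\b([^>]*)/?>", re.I | re.S)
_ATTR = re.compile(r'([\w:.-]+)\s*=\s*"([^"]*)"', re.S)


def decode_opml(data: bytes):
    """Decode the file as a BOM-honouring importer would.
    Returns (text, encoding_label, had_ucs2le_bom)."""
    if data.startswith(UCS2LE_BOM):
        return data[2:].decode("utf-16-le", errors="replace"), "ucs-2le", True
    if data.startswith(UTF16BE_BOM):
        return data[2:].decode("utf-16-be", errors="replace"), "utf-16-be", False
    return data.decode("utf-8", errors="replace"), "utf-8", False


def iter_outline_attrs(text: str):
    """Yield (attribute, value) for every <outline> element.  Tries the XML
    parser first and falls back to a tag regex so a malformed file is still
    inspected rather than silently skipped."""
    body = _XML_DECL.sub("", text, count=1)
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        for m in _OUTLINE_TAG.finditer(text):
            for name, value in _ATTR.findall(m.group(1)):
                yield name, value
        return
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1].lower() == "outline":
            for name, value in el.attrib.items():
                yield name, value


def longest_run(s: str):
    """Return (length, char) of the longest run of one repeated character."""
    best_len, best_char, i = 0, "", 0
    while i < len(s):
        j = i
        while j < len(s) and s[j] == s[i]:
            j += 1
        if j - i > best_len:
            best_len, best_char = j - i, s[i]
        i = j
    return best_len, best_char


def scan_opml(data: bytes, max_attr_len=DEFAULT_MAX_ATTR_LEN, max_run=DEFAULT_MAX_RUN):
    """Return a report dict; 'suspicious' is True when any outline attribute
    exceeds the length or repeated-character thresholds."""
    text, encoding, bom = decode_opml(data)
    findings = []
    for name, value in iter_outline_attrs(text):
        run_len, run_char = longest_run(value)
        if len(value) > max_attr_len or run_len > max_run:
            findings.append({"attr": name, "length": len(value),
                             "run_length": run_len, "run_char": run_char})
    return {"encoding": encoding, "ucs2le_bom": bom,
            "suspicious": bool(findings), "findings": findings}


def build_sample(text_attr: str, ucs2le: bool) -> bytes:
    """Constructed OPML document used only to exercise the scanner."""
    xml = ('<?xml version="1.0"?><opml version="1.1"><head><title>t</title></head>'
           f'<body><outline text="{text_attr}" type="rss" '
           'xmlUrl="http://example.invalid/feed"/></body></opml>')
    if ucs2le:
        return UCS2LE_BOM + xml.encode("utf-16-le")
    return xml.encode("utf-8")


if __name__ == "__main__":
    print(scan_opml(build_sample("Example feed", ucs2le=False)))
    print(scan_opml(build_sample("D" * 5000, ucs2le=True)))
```

Run it against a directory of .opml files before they reach the reader, or wire `scan_opml` into whatever inspects downloads; the BOM alone is not a finding (legitimate UTF-16 OPML exists), so the verdict keys only on the oversized or repeated attribute value, with the encoding reported as context.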
No detection rules found.
Exploit-DB: feedDemon 3.1.0.12 - Local Stack Buffer Overflow (Metasploit) (exploitdb, 2010-11-11)
---
##
# $Id: feeddemon_opml.rb 10998 2010-11-11 22:43:22Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'FeedDemon %q{
This module exploits a buffer overflow in FeedDemon v3.1.0.12. When the application
is used to import a specially crafted opml file, a buffer overflow occurs allowing
arbitrary code execution.
All versions are suspected to be vulnerable. This vulnerability was originally reported
against version 2.7 in February of 2009.
},
'License' => MSF_LICENSE,
'Au
Exploit-DB: feedDemon 3.1.0.9 - '.opml' File Buffer Overflow (exploitdb, 2010-02-09)
---
/*Download latest vuln app :http://www.newsgator.com/Individuals/FeedDemon/Default.aspx
This exploit identifies your OS and searches in memory for a RETCODE thus working 100%.*/
#include
#include
#include
#include
void banner();
void exploit(char*);
void print(char*);
unsigned int getFsize(FILE*,char*);
int cpy(char*,char*);
void gen_random(char*,const int);
DWORD FindRetToEspAddress(VOID);
DWORD SearchStream(const char*,size_t,const char*,size_t);
DWORD GetNtosDelta (VOID);
DWORD GetOSVersion (VOID);
#define VULNF "test.opml"
#define VER "3.1.0.9"
#define POCNAME "feedDemon opml file buffer overflow exploit"
#define AUTHOR "fl0 fl0w"
#define IF(x,NULL) if(x==NULL)
#define FOR(i,a,b) for(i=a;i2)
// while(c=getopt()!=EOF) ......
// else
Exploit-DB: feedDemon 2.7 - OPML Outline Tag Buffer Overflow (exploitdb, 2009-02-09)
---
#!/usr/local/bin/perl
#-----------------------------------------------------------------------------
# FeedDemon version 2.7.0.0 Buffer overFlow
# Reference:
# http://security.bkis.vn/?p=329
# https://www.securityfocus.com/bid/33630/info
# http://secunia.com/advisories/33718/
# Tested in Windows XP Sp2 (English)
# Created by cenjan ([email protected])
# Description: + This code generates a opml file (feeddemonexploit.opml)
# + Import that file by the Import Feed function of Feed Demon
# + The calc.exe will execute
#-----------------------------------------------------------------------------
my $head='';
open (f,'>feeddemonexploit.opml');
print f "\xff\xfe";
close(f);
open (f,'>>:encoding(ucs-2le)','feeddemonexploit.opml');
print f $
Exploit-DB: FeedMon 2.7.0.0 - outline Tag Buffer Overflow (PoC) (exploitdb, 2009-02-05)
---
#!usr/bin/perl -w
################################################################################
# Reference:
# http://security.bkis.vn/?p=329
# https://www.securityfocus.com/bid/33630/info
#
# Tested on Windows Server 2003 with FeedMon 2.7.0.0. FeedMon crashes
# whenever I am trying to Unsubscribe from the malicious(overlylong) feed.
#
# Thanx to milw0rm, str0ke, security.bkis, @rp m@n, evilfingers
# and all security researchers.
#
#$$$$$ This was strictly written for educational purpose. Use it at
#$$$$$ your own risk. Author will not bear any responsibility for any
#$$$$$ damages whatsoever.
#
#####MOST OF THE CODE I GOT FROM###############################################
#####http://search.cpan.org/~madghoul/XML-OPML-0.26/OPML
Metasploit: FeedDemon Stack Buffer Overflow
This module exploits a buffer overflow in FeedDemon v3.1.0.12. When the application is used to import a specially crafted opml file, a buffer overflow occurs allowing arbitrary code execution. All versions are suspected to be vulnerable. This vulnerability was originally reported against version 2.7 in February of 2009.
No writeups or analysis indexed.
References:
- http://osvdb.org/51753
- http://secunia.com/advisories/33718
- http://security.bkis.vn/?p=329
- http://www.securityfocus.com/archive/1/500686/100/0/threaded
- http://www.securityfocus.com/bid/33630
- https://www.exploit-db.com/exploits/7995
- https://www.exploit-db.com/exploits/8010