CVE-2009-0695
Published 2012-06-19
Priority: P2 (74, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit available
EPSS: 68.89% (99.3th percentile)
hagent.exe in Wyse Device Manager (WDM) 4.7.x does not require authentication for commands, which allows remote attackers to obtain management access via a crafted query, as demonstrated by a V52 query that triggers a power-off action.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dell | wyse_device_manager | — | — |
| dell | wyse_device_manager | — | — |
| dell | wyse_device_manager | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated V52 query packets to hagent.exe on TCP/80 — a V52 query with RB=0 and MT=3 fields triggers a remote power-off action with no authentication required.
- Alert on raw TCP connections to port 80 of Wyse thin-client hosts containing the string '&V52&' or '&V54&' in the request body, which are exploit-specific Hagent protocol command markers.
- Monitor for the Hagent protocol response '&00' from a Wyse device, which indicates successful command execution (e.g., power-off) by an attacker.
- Detect outbound FTP connections (TCP/21) from Wyse thin-client hosts to unexpected external IPs following an inbound V54 Hagent command — this indicates the fake-server exploit stage where the target downloads a malicious executable.
- Alert on Wyse Linux thin-clients executing binaries from /tmp/ (e.g., random-named .bin files) — the exploit drops and executes a payload at //tmp/<random>.bin.
- Alert on Wyse Windows XPe thin-clients executing random-named .exe files from C:\ root — the exploit drops and executes a payload at C:\<random>.exe.
- Detect Hagent protocol HTTP requests containing V01, V55, or POST verbs with '&UP0|&SI=1|UR=9' in the body — these are the fake-server update command sequences used to push malicious payloads.
- The exploit targets Wyse Device Manager (WDM) 4.7.x specifically; the Hagent service listens on TCP/80 by default but the HTTP server port used in the fake-server variant is dynamically assigned and may vary.
- The FTP server used to deliver the payload MUST run on port 21; the exploit explicitly checks and aborts if SRVPORT is not 21.
- The MAC address field in the crafted Hagent query is randomly generated per session, so MAC-based IOCs are not reliable for detection.
- The dropped payload filename is randomized (4–11 alphanumeric characters) on each exploit run; static filename-based detection will not be effective.
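The network-side items above can be combined into one correlation pass. The following is an added example, not code from this page or from any referenced project: it flags the '&V52&'/'&V54&' markers sent to thin clients on TCP/80, the '&00' reply, and an FTP connection to an unapproved server shortly after a V54 command. The session-record shape, the `detect` and `rec` names, the five-minute window and the sample records are assumptions of the example.

```python
from datetime import datetime, timedelta

# Markers and success response quoted in the detection notes above.
COMMAND_MARKERS = (b"&V52&", b"&V54&")
SUCCESS_RESPONSE = b"&00"

def detect(events, thin_clients, allowed_ftp=frozenset(), window=timedelta(minutes=5)):
    """Return (ts, thin_client, kind, peer) findings from session records.

    The record shape (dict with ts, src, dst, sport, dport, payload) is an
    assumption of this example, not the output format of any product.
    """
    findings = []
    last_cmd = {}  # thin client -> (time, marker) of the latest inbound command
    for ev in sorted(events, key=lambda e: e["ts"]):
        payload = ev.get("payload", b"")
        # Inbound Hagent command marker sent to a thin client on TCP/80.
        if ev["dst"] in thin_clients and ev["dport"] == 80:
            marker = next((m for m in COMMAND_MARKERS if m in payload), None)
            if marker:
                last_cmd[ev["dst"]] = (ev["ts"], marker)
                findings.append((ev["ts"], ev["dst"], "command:" + marker.decode(), ev["src"]))
            continue
        recent = last_cmd.get(ev["src"])
        if recent is None or ev["ts"] - recent[0] > window:
            continue
        # '&00' from the agent port: the command was accepted and executed.
        if ev["sport"] == 80 and SUCCESS_RESPONSE in payload:
            findings.append((ev["ts"], ev["src"], "command_ok", ev["dst"]))
        # FTP to an unapproved server soon after V54: payload download stage.
        elif recent[1] == b"&V54&" and ev["dport"] == 21 and ev["dst"] not in allowed_ftp:
            findings.append((ev["ts"], ev["src"], "ftp_after_v54", ev["dst"]))
    return findings

def rec(ts, src, sport, dst, dport, payload=b""):
    return dict(ts=ts, src=src, sport=sport, dst=dst, dport=dport, payload=payload)

T0 = datetime(2024, 1, 1, 12, 0, 0)
CLIENT, MGMT, UNKNOWN = "192.0.2.10", "192.0.2.5", "203.0.113.7"
# Constructed records (documentation addresses, filler payload fields).
SAMPLE = [
    rec(T0, MGMT, 40000, CLIENT, 80, b"GET / HTTP/1.1"),
    rec(T0 + timedelta(seconds=5), UNKNOWN, 40001, CLIENT, 80, b"<constructed>&V54&<constructed>"),
    rec(T0 + timedelta(seconds=6), CLIENT, 80, UNKNOWN, 40001, b"&00"),
    rec(T0 + timedelta(seconds=20), CLIENT, 40002, UNKNOWN, 21),
    rec(T0 + timedelta(hours=1), CLIENT, 40003, UNKNOWN, 21),  # outside window
]

if __name__ == "__main__":
    for finding in detect(SAMPLE, thin_clients={CLIENT}):
        print(finding)
```

Because the MAC field and the dropped filename are randomized, the sketch keys only on the protocol markers and the command-then-FTP sequence.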
No detection rules found.
Exploit-DB
Wyse - Machine Remote Power Off (Denial of Service) (Metasploit)
exploitdb·2012-06-14
---
require 'msf/core'
class Metasploit3 'Wyse Machine Remote Power off (DOS)',
'Description' => %q{
This module exploits the Wyse Rapport Hagent service and cause
remote power cycle (Power off the wyse machine remotely).
},
'Stance' => Msf::Exploit::Stance::Aggressive,
'Author' => '[email protected]',
'Version' => '$Revision: 14976 $',
'References' =>
[
['CVE', '2009-0695'],
['OSVDB', '55839'],
['US-CERT-VU', '654545'],
['URL', 'http://snosoft.blogspot.com/'],
['URL', 'http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/'],
['URL', 'http://www.wyse.com/serviceandsupport/support/WSB09-01.zip'],
['URL', 'http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf'],
],
'Privileged' => tr
Exploit-DB
Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit)
exploitdb·2009-07-10
---
##
# $Id: hagent_untrusted_hsdata.rb 10998 2010-11-11 22:43:22Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'timeout'
require 'msf/core'
class Metasploit3 'Wyse Rapport Hagent Fake Hserver Command Execution',
'Description' => %q{
This module exploits the Wyse Rapport Hagent service by pretending to
be a legitimate server. This process involves starting both HTTP and
FTP services on the attacker side, then contacting the Hagent service of
the target and indicating that an update is availabl
Metasploit
Wyse Rapport Hagent Fake Hserver Command Execution
metasploit
This module exploits the Wyse Rapport Hagent service by pretending to be a legitimate server. This process involves starting both HTTP and FTP services on the attacker side, then contacting the Hagent service of the target and indicating that an update is available. The target will then download the payload wrapped in an executable from the FTP service.
No writeups or analysis indexed.
- http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0101.html
- http://www.exploit-db.com/exploits/19137/
- http://www.kb.cert.org/vuls/id/654545
- http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/
- http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf