CVE-2009-0824
published 2009-03-14

CVE-2009-0824: Elaborate Bytes ElbyCDIO.sys 6.0.2.0 and earlier, as distributed in SlySoft AnyDVD before 6.5.2.6, Virtual CloneDrive 5.4.2.3 and earlier, CloneDVD 2.9.2.0 and…

Priority: P278 (medium)
CVSS 2.0: 4.9 (medium), vector AV:L/AC:L/Au:N/C:N/I:N/A:C
Threat flags (as listed on the page): ITW exploit, VulnCheck KEV, Ransomware
Exploited in the wild: yes
EPSS: 0.73% (49.4th percentile)
Elaborate Bytes ElbyCDIO.sys 6.0.2.0 and earlier, as distributed in SlySoft AnyDVD before 6.5.2.6, Virtual CloneDrive 5.4.2.3 and earlier, CloneDVD 2.9.2.0 and earlier, and CloneCD 5.3.1.3 and earlier, uses the METHOD_NEITHER communication method for IOCTLs and does not properly validate a buffer associated with the Irp object, which allows local users to cause a denial of service (system crash) via a crafted IOCTL call.

Affected

4 ranges

Vendor    Product            Version range   Fixed in
slysoft   anydvd             <= 6.5.2.2      (not listed)
slysoft   clonecd            <= 5.3.1.3      (not listed)
slysoft   clonedvd           <= 2.9.2.0      (not listed)
slysoft   virtualclonedrive  <= 5.4.2.3      (not listed)

Note the mismatch for AnyDVD: the range table stops at 6.5.2.2, but the CVE description says "before 6.5.2.6". Treat any AnyDVD build below 6.5.2.6 as in scope and check the bundled ElbyCDIO.sys version directly (6.0.2.0 and earlier is vulnerable) rather than relying on the product version alone.

Detection & IOCs (extracted from sources)

hash (MD5): 978CD6D9666627842340EF774FD9E2AC
filename: ElbyCDIO.sys
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/32850.zip
  • Detect the vulnerable ElbyCDIO.sys driver by its MD5 hash (978CD6D9666627842340EF774FD9E2AC) on disk or loaded in memory; a match identifies a build that attackers have used for local privilege escalation via CVE-2009-0824. The hash covers one build only, so a non-match is not a clean bill of health: pair it with a file-version check against the affected range (6.0.2.0 and earlier).
  • Slingshot context: alert on ipv4.dll being loaded from or downloaded via MikroTik Winbox; this DLL is placed on the router by attackers and pulled down to victim workstations, where it acts as the loader that ultimately abuses vulnerable drivers such as ElbyCDIO.sys.
  • Use Tenable Plugin 108411 (Malicious Process Detection: Authenticode Microsoft Manufacturer) to identify processes claiming Microsoft authorship without a valid Authenticode signature, indicative of Slingshot DLL hijacking.
  • The vulnerability is triggered via a crafted IOCTL call using METHOD_NEITHER communication. With METHOD_NEITHER the I/O manager passes the caller's raw user-mode pointers (Type3InputBuffer and Irp->UserBuffer) to the driver without mapping or validating them, so the driver itself must probe and copy them under exception handling; ElbyCDIO.sys does not do this properly. Monitor for anomalous IOCTL requests targeting the ElbyCDIO device from unprivileged local processes.
  • CVE-2009-0824 affects ElbyCDIO.sys version 6.0.2.0 and earlier; versions distributed with SlySoft AnyDVD before 6.5.2.6, Virtual CloneDrive 5.4.2.3 and earlier, CloneDVD 2.9.2.0 and earlier, and CloneCD 5.3.1.3 and earlier are all vulnerable.
  • The exploit was observed in the wild as part of the Slingshot APT campaign (active since at least 2012), used specifically to bypass x64 Driver Signing Protection for privilege escalation rather than as a standalone denial of service. The NVD vector (A:C only) reflects the crash impact described in the original advisory, not the way the bug was weaponized.
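The hash and version checks above, as an added example that is not part of this page or of any Elaborate Bytes / SlySoft tooling: it inventories ElbyCDIO.sys on a Windows host, compares the MD5 to the IOC listed here, compares the file version to the "6.0.2.0 and earlier" range from the CVE text, and reports whether the driver is currently loaded. Assumptions (not from the page): the driver's service name is ElbyCDIO, the image lives under System32\drivers or is registered as a Win32_SystemDriver, and the script runs in an elevated PowerShell session on the host being checked.

```powershell
# Added example (not from the original page or from the driver's vendor).
# Flags ElbyCDIO.sys builds inside the CVE-2009-0824 affected range.
# Assumptions: service name 'ElbyCDIO'; driver under System32\drivers or
# registered via Win32_SystemDriver; run elevated.

$IocMd5        = '978CD6D9666627842340EF774FD9E2AC'   # MD5 from this page's IOC list
$MaxVulnerable = [version]'6.0.2.0'                   # "6.0.2.0 and earlier" per the CVE text

function Get-ElbyCdioCandidates {
    # Files on disk plus any registered service driver whose image is ElbyCDIO.sys.
    $onDisk = Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter 'ElbyCDIO.sys' -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty FullName
    $registered = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
                  Where-Object { $_.PathName -match 'ElbyCDIO\.sys' } |
                  ForEach-Object { $_.PathName -replace '^\\\?\?\\', '' }   # strip the \??\ NT prefix
    @($onDisk) + @($registered) | Where-Object { $_ } | Sort-Object -Unique
}

function Test-ElbyCdioExposure {
    # Service name 'ElbyCDIO' is an assumption; adjust if your install registers it differently.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='ElbyCDIO'" -ErrorAction SilentlyContinue

    foreach ($path in Get-ElbyCdioCandidates) {
        $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
        # Build a comparable [version] from the numeric parts; FileVersion strings
        # sometimes carry trailing text that breaks a direct [version] cast.
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        $md5 = (Get-FileHash -Path $path -Algorithm MD5).Hash

        [pscustomobject]@{
            Path            = $path
            FileVersion     = $ver.ToString()
            MD5             = $md5
            KnownIocHash    = ($md5 -eq $IocMd5)             # exact build used in the wild
            InAffectedRange = ($ver -le $MaxVulnerable)      # covers builds the hash does not
            Loaded          = [bool]($drv -and $drv.State -eq 'Running')
            Signature       = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
        }
    }
}

Test-ElbyCdioExposure | Format-List
```

A row with InAffectedRange true is the actionable signal even when KnownIocHash is false; a row with Loaded true means the vulnerable dispatch routine is reachable right now from any local user, which is the condition Slingshot exploited.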

CVSS provenance

NVD: CVSS v2.0 4.9 MEDIUM, vector AV:L/AC:L/Au:N/C:N/I:N/A:C
VulnCheck: 4.9 MEDIUM