CVE-2009-0824
Published 2009-03-14
CVE-2009-0824: Elaborate Bytes ElbyCDIO.sys 6.0.2.0 and earlier, as distributed in SlySoft AnyDVD before 6.5.2.6, Virtual CloneDrive 5.4.2.3 and earlier, CloneDVD 2.9.2.0 and…
Priority P278 · medium · 4.9 (CVSS 2.0)
AV:L/AC:L/Au:N/C:N/I:N/A:C
ITW · EXPLOIT · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS 0.73% (49.4th percentile)
Elaborate Bytes ElbyCDIO.sys 6.0.2.0 and earlier, as distributed in SlySoft AnyDVD before 6.5.2.6, Virtual CloneDrive 5.4.2.3 and earlier, CloneDVD 2.9.2.0 and earlier, and CloneCD 5.3.1.3 and earlier, uses the METHOD_NEITHER communication method for IOCTLs and does not properly validate a buffer associated with the Irp object, which allows local users to cause a denial of service (system crash) via a crafted IOCTL call.
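The description above turns on one property of METHOD_NEITHER: the I/O manager neither copies nor probes the caller's buffer, so the driver receives a raw user-mode pointer (Parameters.DeviceIoControl.Type3InputBuffer) and a caller-supplied length, and must itself call ProbeForRead/ProbeForWrite inside __try/__except before touching either. The following is an added example, not ElbyCDIO.sys's code, and it does not run in the kernel: it is a user-mode C model with a fake address split (USER_LIMIT, USER_BASE, g_user_mem), a fake_irp carrying the two untrusted fields, a probe_for_read that mirrors ProbeForRead's checks, and an assumed 8-byte command layout. It puts the unvalidated dispatch pattern beside the hardened one and shows which crafted inputs crash the first (a kernel or unmapped pointer) and which the second rejects cleanly.

```c
/*
 * Added example (not ElbyCDIO.sys's own code): user-mode model of a
 * METHOD_NEITHER IOCTL handler with and without pointer validation.
 * USER_LIMIT, USER_BASE, fake_irp, probe_for_read, struct cmd and
 * OP_SET_SPEED are assumptions made for this illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define USER_LIMIT 0x80000000u   /* plays the role of MmUserProbeAddress (32-bit) */
#define USER_BASE  0x00010000u   /* fake VA at which g_user_mem is "mapped" */
static uint8_t g_user_mem[64];   /* the only mapped user memory in this model */

struct fake_irp {                /* the two untrusted METHOD_NEITHER inputs */
    uint32_t type3_input_buffer; /* raw user VA chosen by the caller */
    uint32_t input_buffer_length;/* caller-supplied, may be anything */
};

enum st { ST_SUCCESS, ST_INVALID_PARAMETER, ST_DATATYPE_MISALIGNMENT,
          ST_ACCESS_VIOLATION, ST_BUGCHECK };

struct cmd { uint32_t opcode; uint32_t arg; };  /* constructed command layout */
#define OP_SET_SPEED 1

/* Map a fake user VA to host memory; NULL means "not mapped". A real
 * driver touching unmapped or kernel memory takes a ring-0 page fault. */
static uint8_t *translate(uint32_t va, uint32_t len)
{
    if (va >= USER_BASE && va - USER_BASE < sizeof g_user_mem &&
        len <= sizeof g_user_mem - (va - USER_BASE))
        return g_user_mem + (va - USER_BASE);
    return NULL;
}

/* Model of ProbeForRead(): rejects misalignment, kernel addresses and ranges
 * that cross the user/kernel boundary. Like the real call it does not prove
 * the page is mapped; catching that fault is the job of the __except block. */
static enum st probe_for_read(uint32_t va, uint32_t len, uint32_t align)
{
    if (len == 0) return ST_SUCCESS;
    if (va % align) return ST_DATATYPE_MISALIGNMENT;
    if (va >= USER_LIMIT || (uint64_t)va + len > USER_LIMIT) return ST_ACCESS_VIOLATION;
    return ST_SUCCESS;
}

/* Vulnerable pattern: dereference Type3InputBuffer as if it were trusted. */
enum st vulnerable_dispatch(const struct fake_irp *irp, uint32_t *speed)
{
    struct cmd c;
    uint8_t *p = translate(irp->type3_input_buffer, sizeof c);
    if (!p) return ST_BUGCHECK;          /* unhandled ring-0 fault: system crash */
    memcpy(&c, p, sizeof c);             /* InputBufferLength is never consulted */
    if (c.opcode != OP_SET_SPEED) return ST_INVALID_PARAMETER;
    *speed = c.arg;
    return ST_SUCCESS;
}

/* Hardened pattern: check the length, probe the pointer, capture the data
 * once under the (modelled) exception handler, then use only the copy. */
enum st hardened_dispatch(const struct fake_irp *irp, uint32_t *speed)
{
    struct cmd c;
    uint8_t *p;
    enum st s;
    if (irp->input_buffer_length < sizeof c) return ST_INVALID_PARAMETER;
    s = probe_for_read(irp->type3_input_buffer, sizeof c, 4); /* __try { ProbeForRead(); */
    if (s != ST_SUCCESS) return s;
    p = translate(irp->type3_input_buffer, sizeof c);
    if (!p) return ST_ACCESS_VIOLATION;  /* } __except(EXCEPTION_EXECUTE_HANDLER) */
    memcpy(&c, p, sizeof c);             /* single capture: no TOCTOU on user memory */
    if (c.opcode != OP_SET_SPEED) return ST_INVALID_PARAMETER;
    *speed = c.arg;
    return ST_SUCCESS;
}

static uint32_t g_speed;

/* Place a constructed, valid command at the start of the fake user page and
 * issue the IOCTL with the given (possibly crafted) pointer and length. */
enum st dispatch_at(uint32_t va, uint32_t len, int hardened)
{
    struct fake_irp irp = { va, len };
    struct cmd good = { OP_SET_SPEED, 8 };
    memcpy(g_user_mem, &good, sizeof good);
    return hardened ? hardened_dispatch(&irp, &g_speed)
                    : vulnerable_dispatch(&irp, &g_speed);
}

uint32_t last_speed(void) { return g_speed; }

int main(void)
{
    printf("well-formed:    vuln=%d hard=%d speed=%u\n",
           dispatch_at(USER_BASE, 8, 0), dispatch_at(USER_BASE, 8, 1), last_speed());
    printf("kernel pointer: vuln=%d hard=%d\n",
           dispatch_at(0x80001000u, 8, 0), dispatch_at(0x80001000u, 8, 1));
    printf("unmapped user:  vuln=%d hard=%d\n",
           dispatch_at(0x20000u, 8, 0), dispatch_at(0x20000u, 8, 1));
    printf("short length:   vuln=%d hard=%d\n",
           dispatch_at(USER_BASE, 4, 0), dispatch_at(USER_BASE, 4, 1));
    return 0;
}
```

The two cases worth noting are the unmapped user address and the boundary straddle: ProbeForRead accepts a user-range address whether or not it is mapped, so the handler still needs the __except to turn the resulting fault into a status code instead of a bugcheck, and a buffer that starts below the boundary but ends above it must be rejected by the length check in the probe, not by the address check alone.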
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| slysoft | anydvd | <= 6.5.2.2 | — |
| slysoft | clonecd | <= 5.3.1.3 | — |
| slysoft | clonedvd | <= 2.9.2.0 | — |
| slysoft | virtualclonedrive | <= 5.4.2.3 | — |
Detection & IOCs (extracted from sources)
- Detect the vulnerable ElbyCDIO.sys driver by its MD5 hash (978CD6D9666627842340EF774FD9E2AC) on disk or loaded in memory; presence indicates a system exploitable for local privilege escalation via CVE-2009-0824.
- Alert on the presence of ipv4.dll being loaded from or downloaded via MikroTik Winbox; this DLL is placed on the router by attackers and pulled down to victim workstations.
- Use Tenable Plugin 108411 (Malicious Process Detection: Authenticode Microsoft Manufacturer) to identify processes claiming Microsoft authorship without a valid Authenticode signature, indicative of Slingshot DLL hijacking.
- The vulnerability is triggered via a crafted IOCTL call using METHOD_NEITHER communication; monitor for anomalous IOCTL requests targeting ElbyCDIO.sys from unprivileged local processes.
- CVE-2009-0824 affects ElbyCDIO.sys version 6.0.2.0 and earlier; versions distributed with SlySoft AnyDVD before 6.5.2.6, Virtual CloneDrive 5.4.2.3 and earlier, CloneDVD 2.9.2.0 and earlier, and CloneCD 5.3.1.3 and earlier are all vulnerable.
- The exploit was observed in the wild as part of the Slingshot APT campaign (active since at least 2012), used specifically to bypass x64 Driver Signing Protection for privilege escalation rather than as a standalone denial of service.
CVSS provenance
nvd · v2.0 · 4.9 MEDIUM · AV:L/AC:L/Au:N/C:N/I:N/A:C
vulncheck · 4.9 MEDIUM
GHSA
GHSA-526v-hfw3-w58p: Elaborate Bytes ElbyCDIO
ghsa_unreviewed · 2022-05-02 · CVE-2009-0824 [MEDIUM] · CWE-119
VulnCheck
slysoft anydvd Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck · 2009 · CVSS 4.9 · CVE-2009-0824 [MEDIUM]
Affected: slysoft anydvd
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://media.kasperskycontenthub.com/wp
No detection rules found.
Tenable
Slingshot Malware Uses IoT Device in Targeted Attacks
blogs_tenable · 2018-03-19 · CVSS 6.4 · [MEDIUM]
Blog / Cyber Exposure Alerts
Tony Huffman, March 19, 2018
A new APT malware attack has been discovered by Kaspersky Lab. The malware, named Slingshot after a string in one of the hijacked system DLLs, is a sophisticated attack that ends in a nasty rootkit. The final rootkit, named Cahnadr, takes control of system processes, allowing it to monitor keystrokes, the clipboard, network traffic and more.
### Background
Kaspersky Lab recently analyzed a sophisticated malware they named Slingshot. The paper published by Kaspersky Lab outlines details on how Slingshot operates and suggests the malware has been active since 2012. What makes Slingshot especially interesting is it used a compromised IoT device to infect
References
- http://en.securitylab.ru/lab/PT-2009-11
- http://osvdb.org/52679
- http://secunia.com/advisories/34269
- http://secunia.com/advisories/34287
- http://secunia.com/advisories/34288
- http://secunia.com/advisories/34289
- http://www.securityfocus.com/archive/1/501713/100/0/threaded
- http://www.securityfocus.com/bid/34103
- http://www.slysoft.com/download/changes_anydvd.txt
- http://www.slysoft.com/download/changes_clonedvd.txt
- https://exchange.xforce.ibmcloud.com/vulnerabilities/49232