CVE-2009-0880
published 2009-03-12

Priority: P3 · 50 · medium
CVSS 2.0: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 31.60% (98.1th percentile)
Directory traversal vulnerability in the CIM server in IBM Director before 5.20.3 Service Update 2 on Windows allows remote attackers to load and execute arbitrary local DLL code via a .. (dot dot) in a /CIMListener/ URI in an M-POST request.

Affected

15 ranges
Vendor  Product   Version range  Fixed in
ibm     director  <= 5.20.3
ibm     director
ibm     director
ibm     director
ibm     director
ibm     director
ibm     director
ibm     director
ibm     director
ibm     director
ibm     director
ibm     director
ibm     director
ibm     director
ibm     director

Detection & IOCs (extracted from sources)

url: /CIMListener/
process: wmicimsv
  • Detect M-POST requests to /CIMListener/ on TCP port 6988 with directory traversal (dot dot) sequences in the URI path, indicating exploitation of CVE-2009-0880.
  • Scan for vulnerable IBM Director CIM servers by probing TCP/6988 with: M-POST /CIMListener/ HTTP/1.1 and checking for an HTTP 200 response containing 'CIMVERSION'.
  • Check for the presence of the WebClient (WebDAV Mini-Redirector) service being enabled on target Windows hosts, as it is a prerequisite for remote DLL injection exploitation.
  • Inspect HTTP headers on port 6988 for the combination of Man, CIMOperation, CIMExport, and CIMExportMethod headers, which are characteristic of exploit traffic against this vulnerability.
  • Monitor for User-Agent strings matching Windows NT 5.1/5.2 or MiniRedir/5.1/5.2 patterns on the attacker-controlled WebDAV server, used by the exploit to fingerprint the target for payload delivery.
  • The WebDAV-based remote DLL injection vector requires the WebClient service to be running on the target; exploitation is not possible if it is disabled (default on Windows 2003 SP2).
  • The Metasploit module requires SRVPORT=80 and URIPATH=/ for the WebDAV delivery component to function; non-standard configurations will cause the exploit to fail.
  • The exploit affects IBM Director versions 5.20.3 and before, but not 5.2.30 SP2 and above; patched systems are not vulnerable.
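
The request-level checks in the detection notes above, as an added example (not code from this page or from IBM): it classifies raw HTTP request heads, such as those reassembled from traffic to TCP 6988, by method, /CIMListener/ path, dot-dot segments (including percent-encoded and backslash forms) and the listed header combination. The function names and sample requests are constructed for illustration, and the handling of numeric header prefixes assumes RFC 2774 style M-POST extension headers.

```python
import re
from urllib.parse import unquote

# Header names the page lists as characteristic of exploit traffic.
CIM_HEADERS = {"man", "cimoperation", "cimexport", "cimexportmethod"}
# ".." as a whole path segment, with either slash style (the target is Windows).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def parse_request_head(raw):
    """Return (method, target, header-name set), or None if the request line is malformed."""
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].split()
    if len(parts) != 3:
        return None
    names = set()
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, _ = line.partition(":")
        if sep:
            # Assumption: extension headers may carry a numeric namespace
            # prefix such as "73-CIMOperation" (RFC 2774); strip it first.
            names.add(re.sub(r"^\d+-", "", name.strip().lower()))
    return parts[0], parts[1], names

def decode_fully(target, max_rounds=3):
    """Percent-decode repeatedly so %2e%2e and %252e%252e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(raw):
    """Flag the three request traits named in the detection notes."""
    result = {"cim_listener": False, "traversal": False, "cim_headers": False}
    parsed = parse_request_head(raw)
    if parsed is None:
        return result
    method, target, names = parsed
    path = decode_fully(target.split("?", 1)[0])
    if method.upper() == "M-POST" and path.lower().startswith("/cimlistener/"):
        result["cim_listener"] = True
        result["traversal"] = bool(TRAVERSAL.search(path))
        result["cim_headers"] = CIM_HEADERS <= names
    return result

# Constructed sample requests (not captured traffic).
BENIGN = "M-POST /CIMListener/ HTTP/1.1\r\nHost: director.example:6988\r\n\r\n"
SUSPECT = ("M-POST /CIMListener/%2e%2e/%252e%252e/placeholder HTTP/1.1\r\nMan: x\r\n"
           "73-CIMOperation: x\r\nCIMExport: x\r\nCIMExportMethod: x\r\n\r\n")
```

A request with `traversal` set is the high-confidence signal; `cim_listener` alone also matches the version probe described above, so treat it as context rather than an alert.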