CVE-2009-0920
Published 2009-03-25
Priority: P2 · 71 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 74.94% (99.4th percentile)
Stack-based buffer overflow in OvCgi/Toolbar.exe in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via a long OvOSLocale cookie, a variant of CVE-2008-0067.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | network_node_manager | — | — |
| hp | network_node_manager | — | — |
| hp | network_node_manager | — | — |
Detection & IOCs (extracted from sources)
- Alert on HTTP GET requests to /OvCgi/Toolbar.exe containing an oversized OvOSLocale cookie value (stack buffer overflow trigger).
- Detect HTTP requests to /OvCgi/Toolbar.exe where the Cookie header contains both OvOSLocale= and OvAcceptLang= fields, which is the exact cookie pattern used by the exploit.
- Look for alphanumeric-encoded shellcode (EncoderType AlphanumMixed with BufferRegister EDX) delivered in the OvOSLocale cookie value, preceded by the xchg edi,edx stub (bytes 0x87 0xFA).
- For the NNM 7.53 target, the exploit uses a return address of 0x5A23377C (CALL EDI in a specific DLL build); presence of this address in network traffic targeting Toolbar.exe is a strong exploit indicator.
- For the NNM 7.00 target, the exploit uses return address 0x5A212147 (call esp in ovsnmp.dll); monitor for this value in cookie-based overflow payloads.
- The Metasploit module explicitly targets only a specific build of NNM 7.53; the exploit may not work against other patch levels of the same version.
- The NNM B.07.00 target has a different, smaller bad-character set (00 0D 0A 20 3B 3D 2C 2B) compared to the 7.53_01195 target, meaning payload encoding requirements differ between versions.
- The EIP overwrite offset differs between targets: 0xFC (252 bytes) for NNM 7.00 and 251 bytes for NNM 7.53_01195, so signature-based detection must account for both offset sizes.
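
The first three checks above can be expressed as a small request inspector. This is an added example, not code from the page's sources; the 64-byte length threshold, the function names and the sample requests are assumptions made for illustration.

```python
from urllib.parse import unquote

TARGET_PATH = "/ovcgi/toolbar.exe"  # compared case-insensitively (Windows CGI)
MAX_LOCALE_LEN = 64                 # assumption: real locale strings are short
MIN_OVERWRITE_OFFSET = 251          # from the page: 251 (7.53) / 252 (7.00) bytes
XCHG_STUB = "\x87\xfa"              # xchg edi,edx stub bytes listed on the page

def parse_request(raw: bytes):
    """Return (lower-cased path, cookie dict) for a raw HTTP request, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")  # latin-1 keeps raw bytes
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    path = unquote(parts[1].split("?", 1)[0]).lower()
    cookies = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            for pair in value.split(";"):
                key, eq, val = pair.strip().partition("=")
                if eq:
                    cookies[key] = val
    return path, cookies

def inspect_request(raw: bytes):
    """Return the findings for one request; an empty list means nothing flagged."""
    parsed = parse_request(raw)
    if parsed is None or parsed[0] != TARGET_PATH:
        return []
    locale = parsed[1].get("OvOSLocale")
    if locale is None:
        return []
    findings = []
    if len(locale) > MAX_LOCALE_LEN:
        findings.append("oversized-OvOSLocale")
    if len(locale) >= MIN_OVERWRITE_OFFSET:
        findings.append("reaches-return-address-offset")
    if "OvAcceptLang" in parsed[1]:
        findings.append("OvOSLocale+OvAcceptLang")
    if XCHG_STUB in locale:
        findings.append("xchg-edi-edx-stub")
    return findings

# Constructed sample requests: filler bytes only, no payload.
BENIGN = (b"GET /OvCgi/Toolbar.exe HTTP/1.1\r\nHost: nnm.example\r\n"
          b"Cookie: OvOSLocale=English_United States.1252\r\n\r\n")
SUSPECT = (b"GET /OvCgi/Toolbar.exe HTTP/1.0\r\nHost: nnm.example\r\n"
           b"Cookie: OvOSLocale=" + b"A" * 300 + b"; OvAcceptLang=en-usa\r\n\r\n")
```

The cookie-pair finding on its own is a weak signal; treat it as corroboration for the length findings rather than as an alert by itself.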
No detection rules found.
Exploit-DB
HP OpenView Network Node Manager (OV NNM) - 'Toolbar.exe' CGI Cookie Handling Buffer Overflow (Metasploit)
exploitdb·2011-07-16
---
```ruby
##
# $Id: hp_nnm_toolbar_02.rb 13194 2011-07-16 05:21:20Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.0
and 7.53. By sending a CGI request with a specially OvOSLocale cookie to Toolbar.exe, an
attacker may be able to execute arbitrary
```
Metasploit
HP OpenView Network Node Manager Toolbar.exe CGI Cookie Handling Buffer Overflow
metasploit
This module exploits a stack buffer overflow in HP OpenView Network Node Manager 7.0 and 7.53. By sending a CGI request with a specially crafted OvOSLocale cookie to Toolbar.exe, an attacker may be able to execute arbitrary code. Please note that this module only works against a specific build (i.e. NNM 7.53_01195).
No writeups or analysis indexed.
- http://marc.info/?l=bugtraq&m=123791084113871&w=2
- http://secunia.com/advisories/34444
- http://securityreason.com/securityalert/8308
- http://www.coresecurity.com/content/openview-buffer-overflows
- http://www.securityfocus.com/archive/1/502054/100/0/threaded
- http://www.securityfocus.com/bid/34294
- http://www.securitytracker.com/id?1021883
- http://www.vupen.com/english/advisories/2009/0819
- https://exchange.xforce.ibmcloud.com/vulnerabilities/49364
Published: 2009-03-25