CVE-2009-0920
published 2009-03-25

Priority: P271 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 74.94% (99.4th percentile)
Stack-based buffer overflow in OvCgi/Toolbar.exe in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via a long OvOSLocale cookie, a variant of CVE-2008-0067.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
hp | network_node_manager
hp | network_node_manager
hp | network_node_manager

Detection & IOCs

path: /OvCgi/Toolbar.exe
cookie: OvOSLocale=<overflow_payload>; OvAcceptLang=en-usa
  • Alert on HTTP GET requests to /OvCgi/Toolbar.exe containing an oversized OvOSLocale cookie value (stack buffer overflow trigger).
  • Detect HTTP requests to /OvCgi/Toolbar.exe where the Cookie header contains both OvOSLocale= and OvAcceptLang= fields, which is the exact cookie pattern used by the exploit.
  • Look for alphanumeric-encoded shellcode (EncoderType AlphanumMixed with BufferRegister EDX) delivered in the OvOSLocale cookie value, preceded by the xchg edi,edx stub (bytes 0x87 0xFA).
  • For the NNM 7.53 target, the exploit uses a return address of 0x5A23377C (CALL EDI in a specific DLL build); presence of this address in network traffic targeting Toolbar.exe is a strong exploit indicator.
  • For the NNM 7.00 target, the exploit uses the return address 0x5A212147 (call esp in ovsnmp.dll); monitor for this value in cookie-based overflow payloads.
  • The Metasploit module explicitly targets only a specific build of NNM 7.53; the exploit may not work against other patch levels of the same version.
  • The NNM B.07.00 target has a different, smaller bad-character set (00 0D 0A 20 3B 3D 2C 2B) compared to the 7.53_01195 target, meaning payload encoding requirements differ between versions.
  • The EIP overwrite offset differs between targets: 0xFC (252 bytes) for NNM 7.00 and 251 bytes for NNM 7.53_01195, so signature-based detection must account for both offset sizes.
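
The first two detection points above, written as a check over raw HTTP requests. This is an added example, not code from the page's sources; the 64-character threshold, the function names and the sample requests are assumptions made for illustration.

```python
TARGET_PATH = "/ovcgi/toolbar.exe"   # compared case-insensitively
MAX_LOCALE_LEN = 64  # assumed threshold, well below the 251/252-byte offsets listed above

def parse_request(raw):
    """Split a raw HTTP request into (path without query, headers with lowercase names)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        return None, {}
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[1].split("?", 1)[0], headers

def parse_cookies(header):
    """Parse a Cookie header by hand so unusual byte values do not abort parsing."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies

def check_request(raw):
    """Return a list of findings for one request; an empty list means no match."""
    path, headers = parse_request(raw)
    if path is None or path.lower() != TARGET_PATH:
        return []
    cookies = parse_cookies(headers.get("cookie", ""))
    findings = []
    locale = cookies.get("OvOSLocale")
    if locale is not None and len(locale) > MAX_LOCALE_LEN:
        findings.append(f"oversized OvOSLocale ({len(locale)} chars)")
    if "OvOSLocale" in cookies and "OvAcceptLang" in cookies:
        findings.append("OvOSLocale and OvAcceptLang both present")
    return findings

# Constructed sample requests (filler only, no payload bytes).
BENIGN = ("GET /OvCgi/Toolbar.exe HTTP/1.1\r\nHost: nnm.example\r\n"
          "Cookie: OvOSLocale=English_United States.1252\r\n\r\n")
SUSPECT = ("GET /OvCgi/Toolbar.exe HTTP/1.1\r\nHost: nnm.example\r\n"
           "Cookie: OvOSLocale=" + "A" * 300 + "; OvAcceptLang=en-usa\r\n\r\n")
OTHER_PATH = ("GET /index.html HTTP/1.1\r\nHost: nnm.example\r\n"
              "Cookie: OvOSLocale=" + "A" * 300 + "\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspect", SUSPECT), ("other", OTHER_PATH)):
        print(name, check_request(req))
```

The length check fires for both listed offsets (251 and 252 bytes) because it keys on size rather than on a fixed payload layout.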