CVE-2009-1350
Published 2009-04-21
Priority: P2 | 71 | critical | 10 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public (Metasploit module and Exploit-DB entry indexed below)
EPSS: 65.93% (99.2nd percentile)
Unspecified vulnerability in xtagent.exe in Novell NetIdentity Client before 1.2.4 allows remote attackers to execute arbitrary code by establishing an IPC$ connection to the XTIERRPCPIPE named pipe, and sending RPC messages that trigger a dereference of an arbitrary pointer.
Detection & IOCs (extracted from sources)
- Monitor for Trans2 requests (subcommand 0x0007, TRANS2_QUERY_FILE_INFORMATION) with information level 1005 directed at a handle to the XTIERRPCPIPE pipe; this is the memory-leak step the public exploit performs before the overflow.
- Look for the stack-alignment prepend bytes \x81\xe4\xf0\xff\xff\xff (and esp, 0xfffffff0) in SMB writes to the XTIERRPCPIPE pipe as a shellcode delivery indicator. Caveat: Metasploit applies a Prepend to the raw payload before the encoder runs, so these bytes reach the wire unencoded only when the payload needed no encoding; treat a hit as high confidence and a miss as no information.
- Payload bad-character pattern: the exploit avoids the bytes \x00\x09\x0c\x0b\x20\x0a\x0d\x5c\x5f\x2f\x2e\x40, so encoded shellcode written to the pipe will contain none of them. Benign writes that happen to contain none of these bytes are possible, so treat a large badchar-free write as corroborating evidence alongside the other indicators, not as an indicator on its own.
- Alert on xtagent.exe spawning unexpected child processes or making outbound network connections; successful exploitation runs arbitrary code in the context of the NetIdentity Agent service (SYSTEM-level privilege).
- The Metasploit module notes that its success "is much greater once the service has been restarted", i.e. reliability against a long-running service is lower, and a failed attempt (a dereference of a wrong pointer) will typically crash it. Monitor for crashes and unexpected restarts of the NetIdentity Agent service (xtagent.exe) as an indicator of repeated or failed exploitation attempts.
- The exploit is two-stage: a first pipe connection issues the memory-leak request to obtain a pointer, and a second connection delivers the overflow. Detection logic should correlate two sequential connections to \XTIERRPCPIPE from the same source within a short window rather than scoring each connection in isolation.
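The leak step, the reconnect and the byte-level indicators in the list above can be folded into one stateful detector. The following is an added example written for this page (not code from the original page, from Novell, or from the Metasploit module); it runs over constructed SMB event records, and the event record shape, the 256-byte write threshold and the 120-second correlation window are assumptions, not values from any source.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Indicators taken from the detection notes above.
PIPE_NAME = "\\XTIERRPCPIPE"
TRANS2_QUERY_FILE_INFO = 0x0007                      # Trans2 subcommand of the leak request
LEAK_INFO_LEVEL = 1005                               # information level of the leak request
STACK_ALIGN_PREPEND = b"\x81\xe4\xf0\xff\xff\xff"     # and esp, 0xfffffff0
BADCHARS = bytes.fromhex("00090c0b200a0d5c5f2f2e40")  # bytes the public exploit avoids
# Tunables assumed for this example (not from the page): how large a write must be to
# count as a candidate overflow, and how long a leak stays "hot" for correlation.
MIN_SUSPECT_WRITE = 256
WINDOW_SECONDS = 120.0


@dataclass
class SmbEvent:
    """One parsed SMB operation. The record shape is assumed for this example;
    a Zeek or custom SMB parser would produce something equivalent."""
    ts: float
    src: str
    op: str                 # "open" | "trans2" | "write"
    pipe: str = ""
    subcmd: int = -1
    info_level: int = -1
    data: bytes = b""


@dataclass
class Alert:
    ts: float
    src: str
    severity: str
    reason: str


@dataclass
class _SourceState:
    leak_ts: float = -1.0   # timestamp of the last leak request, -1 if none seen
    opens_after_leak: int = 0


def _leak_is_hot(st: _SourceState, ts: float) -> bool:
    return st.leak_ts >= 0 and ts - st.leak_ts <= WINDOW_SECONDS


def detect(events: List[SmbEvent]) -> List[Alert]:
    """Stateful pass over pipe events: stage 1 (the leak) arms a per-source timer,
    stage 2 (reconnect and write) is only escalated while that timer is hot."""
    states: Dict[str, _SourceState] = defaultdict(_SourceState)
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.pipe.upper() != PIPE_NAME.upper():
            continue                                  # only this pipe is of interest
        st = states[ev.src]
        if (ev.op == "trans2" and ev.subcmd == TRANS2_QUERY_FILE_INFO
                and ev.info_level == LEAK_INFO_LEVEL):
            st.leak_ts, st.opens_after_leak = ev.ts, 0
            alerts.append(Alert(ev.ts, ev.src, "medium",
                                "QUERY_FILE_INFO level 1005 on XTIERRPCPIPE (pointer-leak step)"))
        elif ev.op == "open" and _leak_is_hot(st, ev.ts):
            st.opens_after_leak += 1
            if st.opens_after_leak == 1:              # the second connection of the two-stage flow
                alerts.append(Alert(ev.ts, ev.src, "medium",
                                    "new XTIERRPCPIPE connection shortly after pointer leak"))
        elif ev.op == "write":
            if STACK_ALIGN_PREPEND in ev.data:        # unencoded prepend: high confidence
                alerts.append(Alert(ev.ts, ev.src, "high",
                                    "stack-alignment prepend (and esp, -16) in pipe write"))
            elif (_leak_is_hot(st, ev.ts) and len(ev.data) >= MIN_SUSPECT_WRITE
                  and not any(b in BADCHARS for b in ev.data)):
                alerts.append(Alert(ev.ts, ev.src, "medium",
                                    "large badchar-free write after pointer leak (likely encoded payload)"))
    return alerts


# Constructed sample traffic: one host running both stages, one benign client.
SAMPLE_EVENTS = [
    SmbEvent(1.0, "10.0.0.5", "open", PIPE_NAME),
    SmbEvent(1.1, "10.0.0.5", "trans2", PIPE_NAME, subcmd=0x0007, info_level=1005),
    SmbEvent(1.5, "10.0.0.5", "open", PIPE_NAME),
    SmbEvent(1.6, "10.0.0.5", "write", PIPE_NAME,
             data=b"A" * 300 + STACK_ALIGN_PREPEND + b"\x90" * 40),
    SmbEvent(2.0, "10.0.0.9", "open", PIPE_NAME),
    SmbEvent(2.1, "10.0.0.9", "write", PIPE_NAME, data="hello".encode("utf-16-le")),
]


def run_sample() -> List[Alert]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts:5.1f} {a.src:10} {a.severity:6} {a.reason}")
```

On the sample the attacker produces three alerts (leak, reconnect, unencoded prepend) and the benign client none, because its short UTF-16 write contains NUL bytes and follows no leak. The badchar heuristic is deliberately gated on a hot leak from the same source so that it corroborates the two-stage flow rather than firing on every large write.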
CVSS provenance
NVD: CVSS v2.0, 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
Vendor (Red Hat): 5.5 MEDIUM
Suricata
No rule indexed for CVE-2009-1350. The rule below was matched against this entry but references CVE-2009-0921 (HP OpenView /OvCgi/Toolbar.exe); the only occurrence of 1350 in it is the isdataat byte count, so it does not detect the XTIERRPCPIPE attack.
ET WEB_SERVER HP OpenView /OvCgi/Toolbar.exe Accept Language Heap Buffer Overflow Attempt
suricata · 2010-07-30 · CVE-2009-0921
Rule: alert http1 $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER HP OpenView /OvCgi/Toolbar.exe Accept Language Heap Buffer Overflow Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/OvCgi/Toolbar.exe"; nocase; fast_pattern; http.header; content:"Accept-Language|3a 20|"; nocase; isdataat:1350,relative; content:!"|0A|"; within:1350; content:"Content-Length|3a|"; distance:0; reference:cve,2009-0921; classtype:web-application-attack; sid:2010864; rev:11; metadata:created_at 2010_07_30, cve CVE_2009_0921, confidence High, signature_severity Major, updated_at 2024_04_10;)
Exploit-DB
Novell NetIdentity Agent - XTIERRPCPIPE Named Pipe Buffer Overflow (Metasploit)
exploitdb · 2010-11-24 · CVE-2009-1350
##
# $Id: netidentity_xtierrpcpipe.rb 11127 2010-11-24 19:35:38Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::SMB

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow',
      'Description' => %q{
          This module exploits a stack buffer overflow in Novell's NetIdentity Agent. When sending
        a specially crafted string to the 'XTIERRPCPIPE' named pipe, an attacker may be
        able to execute arbitrary code. The success of this module is much greater once the
        service has been restarted.
      }
      # (the remainder of the module is not reproduced on this page)
    ))
  end
end
Metasploit
Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow
This module exploits a stack buffer overflow in Novell's NetIdentity Agent. When sending a specially crafted string to the 'XTIERRPCPIPE' named pipe, an attacker may be able to execute arbitrary code. The success of this module is much greater once the service has been restarted.
No writeups or analysis indexed.
References
http://download.novell.com/Download?buildid=6ERQGPjRZ8o~
http://www.securityfocus.com/archive/1/502514/100/0/threaded
http://www.securityfocus.com/bid/34400
http://www.securitytracker.com/id?1021990
http://www.vupen.com/english/advisories/2009/0954
http://www.zerodayinitiative.com/advisories/ZDI-09-016/
https://bugzilla.novell.com/show_bug.cgi?id=437511