CVE-2009-1350
published 2009-04-21


Priority: P271, critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 65.93% (99.2th percentile)
Unspecified vulnerability in xtagent.exe in Novell NetIdentity Client before 1.2.4 allows remote attackers to execute arbitrary code by establishing an IPC$ connection to the XTIERRPCPIPE named pipe, and sending RPC messages that trigger a dereference of an arbitrary pointer.

Detection & IOCs (extracted from sources)

filename: xtagent.exe
command: IPC$ connection to the XTIERRPCPIPE named pipe
  • Monitor for Trans2 requests (subcommand 0x0007) with QUERY_FILE_INFO (info level 1005) directed at the XTIERRPCPIPE file handle, which is the memory-leak step used before the overflow.
  • Look for the stack-alignment prepend encoder bytes (\x81\xe4\xf0\xff\xff\xff) in SMB write payloads to the XTIERRPCPIPE pipe as a shellcode delivery indicator.
  • Flag payload bad-character patterns: the exploit avoids bytes \x00\x09\x0c\x0b\x20\x0a\x0d\x5c\x5f\x2f\x2e\x40 — encoded shellcode written to the pipe will not contain these bytes, which can help distinguish exploit traffic from benign pipe writes.
  • Alert on xtagent.exe spawning unexpected child processes or network connections, as successful exploitation runs arbitrary code in the context of the NetIdentity Agent service (SYSTEM-level privilege).
  • The Metasploit module notes that exploitation reliability is significantly lower on a live service; a service restart is required for consistent success, so defenders should monitor for unexpected restarts of the NetIdentity Agent service as a post-exploitation indicator.
  • The exploit uses a two-stage approach: a memory-leak request first to obtain a pointer, then a second pipe connection to deliver the overflow. Detection logic should account for two sequential connections to \XTIERRPCPIPE from the same source.
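
An added example (not from this page or from the Metasploit module it cites): the network indicators listed above combined into a per-source score over parsed SMB events. The event schema, the `WINDOW` and `MIN_RUN` thresholds, the indicator names and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

PIPE = "XTIERRPCPIPE"
ALIGN_STUB = b"\x81\xe4\xf0\xff\xff\xff"   # stack-alignment bytes listed on the page
BAD_CHARS = frozenset(b"\x00\x09\x0c\x0b\x20\x0a\x0d\x5c\x5f\x2f\x2e\x40")
WINDOW = 60    # assumed: max seconds between the two pipe connections
MIN_RUN = 64   # assumed: bad-char-free run length worth flagging

def longest_clean_run(data):
    """Length of the longest run of bytes containing none of BAD_CHARS."""
    best = cur = 0
    for b in data:
        cur = 0 if b in BAD_CHARS else cur + 1
        best = max(best, cur)
    return best

def score_sources(events):
    """Map each source address to the sorted indicators seen on the pipe."""
    opens, hits = defaultdict(list), defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if PIPE not in ev["pipe"].upper():
            continue
        src = ev["src"]
        if ev["type"] == "open":
            # Second connection from the same source shortly after the first.
            if any(ev["ts"] - t <= WINDOW for t in opens[src]):
                hits[src].add("two_connections")
            opens[src].append(ev["ts"])
        elif ev["type"] == "trans2":
            if ev["subcommand"] == 0x0007 and ev["info_level"] == 1005:
                hits[src].add("leak_query")
        elif ev["type"] == "write":
            if ALIGN_STUB in ev["data"]:
                hits[src].add("align_stub")
            if longest_clean_run(ev["data"]) >= MIN_RUN:
                hits[src].add("long_clean_run")
    return {s: sorted(h) for s, h in hits.items()}

def alerts(events, threshold=3):  # sources with >= threshold distinct indicators
    return sorted(s for s, h in score_sources(events).items() if len(h) >= threshold)

# Constructed sample events (hypothetical sensor schema; filler bytes, not a payload).
A, B, P = "192.0.2.10", "192.0.2.20", r"\XTIERRPCPIPE"
SAMPLE = [
    {"ts": 0, "src": A, "pipe": P, "type": "open"},
    {"ts": 1, "src": A, "pipe": P, "type": "trans2", "subcommand": 0x0007, "info_level": 1005},
    {"ts": 5, "src": A, "pipe": P, "type": "open"},
    {"ts": 6, "src": A, "pipe": P, "type": "write", "data": b"\x00\x00" + ALIGN_STUB + b"\x41" * 80},
    {"ts": 2, "src": B, "pipe": P, "type": "open"},
    {"ts": 3, "src": B, "pipe": P, "type": "write", "data": b"\x05\x00\x0b\x03" + b"\x00" * 40},
]
```

Scoring on several indicators together keeps a single benign match, such as one pipe open or one null-free write, from raising an alert on its own.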

CVSS provenance

nvd: v2.0, 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat: 5.5 MEDIUM