CVE-2009-1394
Published 2009-06-26
Priority P2 · 62 · critical · CVSS 2.0 score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available (see the Exploit-DB and Metasploit entries below)
EPSS: 33.28% (98.2th percentile)
Stack-based buffer overflow in Motorola Timbuktu Pro 8.6.5 on Windows allows remote attackers to execute arbitrary code by sending a long malformed string over the PlughNTCommand named pipe.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| motorola | timbuktu_pro | — | — |
Detection & IOCs (extracted from sources)
- Monitor for SMB named pipe connections to \PlughNTCommand; any connection to this pipe from an external or untrusted host is highly suspicious and indicative of CVE-2009-1394 exploitation.
- The exploit requires two sequential SMB connections to the PlughNTCommand pipe: the first leaks stack data by overwriting nNumberOfBytesToWrite with a large value (0x1ff8), and the second delivers the payload. Two rapid successive pipe connections from the same source are a strong indicator.
- The exploit uses the writable ntdll .data address 0x7C97B0B0 as a stable pivot across Windows XP SP2/SP3. Presence of this address in SMB pipe write data is a strong exploit indicator.
- The exploit targets Timbuktu Pro versions <= 8.6.6 on Windows only; the named pipe attack surface is exposed only over SMB (TCP 445/139), so blocking SMB from untrusted hosts at the network level mitigates exposure.
- The writable-address pivot (0x7C97B0B0) is noted as stable across Windows XP SP2/SP3 but may require adjustment for other OS versions, so detection rules keyed on this exact address may miss variants targeting other platforms.
- The exploit runs with EXITFUNC set to 'process', so the Timbuktu process terminates after payload execution; defenders should alert on unexpected Timbuktu process crashes following inbound SMB pipe activity.
CVSS provenance
- NVD, CVSS 2.0: 9.3 CRITICAL (AV:N/AC:M/Au:N/C:C/I:C/A:C)
- Red Hat (vendor): 6.8 MEDIUM
GHSA
GHSA-m558-2r8x-cc8v (ghsa_unreviewed · 2022-05-02): CVE-2009-1394 [HIGH] CWE-119, Stack-based buffer overflow in Motorola Timbuktu Pro 8
Stack-based buffer overflow in Motorola Timbuktu Pro 8.6.5 on Windows allows remote attackers to execute arbitrary code by sending a long malformed string over the PlughNTCommand named pipe.
Red Hat
CVE-2016-8633 [MEDIUM] CWE-787 (vendor_redhat · 2016-11-06 · CVSS 6.8): kernel: Buffer overflow in firewire driver via crafted incoming packets
drivers/firewire/net.c in the Linux kernel before 4.8.7, in certain unusual hardware configurations, allows remote attackers to execute arbitrary code via crafted fragmented packets.
A buffer overflow vulnerability due to a lack of input filtering of incoming fragmented datagrams was found in the IP-over-1394 driver [firewire-net], in the fragment handling code of the Linux kernel. The vulnerability has existed since firewire supported IPv4, i.e. since version 2.6.31 (2009), until version v4.9-rc4. A maliciously formed fragment with a correspondingly large datagram offset would cause a memcpy() past the datagram buffer, resulting in a system panic or possible arbitrary code execution.
The flaw requires [firewire-net] mo
Red Hat
CVE-2009-4138 [MEDIUM] (vendor_redhat · 2009-12-11 · CVSS 4.7): kernel: firewire: ohci: handle receive packets with a data length of zero
drivers/firewire/ohci.c in the Linux kernel before 2.6.32-git9, when packet-per-buffer mode is used, allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unknown other impact via an unspecified ioctl associated with receiving an ISO packet that contains zero in the payload-length field.
Statement: Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2009-4138
The Linux kernel packages as shipped with Red Hat Enterprise Linux 3 and 4 have a different (and older) implementation of the driver for OHCI 1394 controllers, which is not affected by this issue.
A future kernel update for Red Hat Enterprise MRG will ad
No detection rules found.
Exploit-DB
Timbuktu 8.6.6 - PlughNTCommand Named Pipe Buffer Overflow (Metasploit) (exploitdb · 2010-04-30 · CVE-2009-1394)

```ruby
##
# $Id: timbuktu_plughntcommand_bof.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Timbuktu %q{
This module exploits a stack based buffer overflow in Timbuktu Pro version [ 'bannedit' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9179 $',
'References' =>
[
[ 'CVE', '2009-1394' ],
[ 'OSVDB', '55436' ],
[ 'BID', '35496' ],
[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=809' ],
],
'DefaultO
```
Metasploit
Timbuktu PlughNTCommand Named Pipe Buffer Overflow (metasploit)
This module exploits a stack based buffer overflow in Timbuktu Pro version <= 8.6.6 in a pretty novel way. This exploit requires two connections. The first connection is used to leak stack data using the buffer overflow to overwrite the nNumberOfBytesToWrite argument. By supplying a large value for this argument it is possible to cause Timbuktu to reply to the initial request with leaked stack data. Using this data allows for reliable exploitation of the buffer overflow vulnerability. Props to Infamous41d for helping in finding this exploitation path. The second connection utilizes the data from the data leak to accurately exploit the stack based buffer overflow vulnerability. TODO: hdm suggested using meterpreter's migration capability a
No writeups or analysis indexed.
References
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=809
- http://secunia.com/advisories/35533
- http://www.netopia.com/software/products/tb2/
- http://www.securityfocus.com/archive/1/504554/100/0/threaded
- http://www.securityfocus.com/bid/35496
- http://www.securitytracker.com/id?1022455