CVE-2009-1394
published 2009-06-26

Priority P2 62 · critical · 9.3 (CVSS 2.0)
AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 33.28% (98.2th percentile)
Stack-based buffer overflow in Motorola Timbuktu Pro 8.6.5 on Windows allows remote attackers to execute arbitrary code by sending a long malformed string over the PlughNTCommand named pipe.

Affected

1 range
Vendor | Product | Version range | Fixed in
motorola | timbuktu_pro | |

Detection & IOCs (extracted from sources)

other: 0x7C97B0B0
  • Monitor for SMB named pipe connections to \PlughNTCommand; any connection to this pipe from an external/untrusted host is highly suspicious and indicative of CVE-2009-1394 exploitation.
  • The exploit requires TWO sequential SMB connections to the PlughNTCommand pipe: the first leaks stack data by overwriting nNumberOfBytesToWrite with a large value (0x1ff8), and the second delivers the payload. Detecting two rapid successive pipe connections from the same source is a strong indicator.
  • The exploit targets the ntdll .data writable address 0x7C97B0B0 as a stable pivot point across Windows XP SP2/SP3. Presence of this address in SMB pipe write data is a strong exploit indicator.
  • The exploit targets Timbuktu Pro versions <= 8.6.6 on Windows only; the named pipe attack surface is only exposed over SMB (TCP 445/139), so network-level blocking of SMB from untrusted hosts mitigates exposure.
  • The writable address pivot (0x7C97B0B0) is noted as stable across Windows XP SP2/SP3 but may require adjustment for other OS versions, meaning detection rules keying on this exact address may miss variants targeting other platforms.
  • The exploit runs with EXITFUNC set to 'process', meaning the Timbuktu process will terminate after payload execution; defenders should alert on unexpected Timbuktu process crashes following inbound SMB pipe activity.
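
The first two indicators above (any untrusted connection to the pipe, and two rapid connections from one source) can be checked together, as in this added example, which is not part of the original page. The three-field log format, the trusted subnet and the 30-second window are assumptions; adapt them to whatever your SMB pipe-access telemetry actually records.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

PIPE = "plughntcommand"                  # pipe named in the advisory
TRUSTED = [ip_network("10.20.0.0/16")]   # assumption: management subnet
WINDOW = timedelta(seconds=30)           # assumption: what counts as "rapid"

# Constructed sample events: ISO timestamp, source IP, pipe opened over SMB.
SAMPLE = r"""
2024-05-01T10:00:00 10.20.3.4 \PIPE\PlughNTCommand
2024-05-01T10:05:00 203.0.113.9 \PlughNTCommand
2024-05-01T10:05:04 203.0.113.9 \plughntcommand
2024-05-01T10:06:00 198.51.100.7 \srvsvc
not-a-timestamp 198.51.100.7 \PlughNTCommand
2024-05-01T11:00:00 198.51.100.7 \PlughNTCommand
"""

def normalize(name):
    # "\PIPE\PlughNTCommand" and "\plughntcommand" map to the same key.
    return name.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()

def parse(log):
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # blank or malformed record
        try:
            yield (datetime.fromisoformat(parts[0]),
                   ip_address(parts[1]), normalize(parts[2]))
        except ValueError:
            continue                      # bad timestamp or address

def detect(log):
    """Return (source, timestamp, severity) alerts for the pipe."""
    last_seen, alerts = {}, []
    for ts, src, pipe in sorted(parse(log), key=lambda e: e[0]):
        if pipe != PIPE:
            continue
        prev, last_seen[src] = last_seen.get(src), ts
        if prev is not None and ts - prev <= WINDOW:
            # Second connection from the same source inside the window.
            alerts.append((str(src), ts.isoformat(), "strong"))
        elif not any(src in net for net in TRUSTED):
            alerts.append((str(src), ts.isoformat(), "suspicious"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Correlating these alerts with a Timbuktu process exit shortly afterwards covers the crash indicator in the last bullet.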

CVSS provenance

nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat | 6.8 | MEDIUM