CVE-2009-1569
Published 2009-12-08
Priority P266 | critical | 9.3 | CVSS 2.0
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 37.52% (98.3th percentile)
Multiple stack-based buffer overflows in Novell iPrint Client 4.38, 5.30, and possibly other versions before 5.32 allow remote attackers to execute arbitrary code via vectors related to (1) Date and (2) Time.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| novell | iprint | — | — |
| novell | iprint | — | — |
Detection & IOCs (extracted from sources)
bytes: \x81\xc4\xf0\xef\xff\xff
- The vulnerable ActiveX control is ienipp.ocx (Novell iPrint Client). Monitor for browser processes loading this OCX, especially when invoked with crafted Date/Time parameters.
- The exploit payload bad characters include null bytes and common delimiters used in strtok parsing (=, :, ;, ,). Shellcode delivered via this vector will avoid these bytes.
- The Metasploit module uses a stack-pivot prepend encoder (ADD ESP, -0x1010) before shellcode. Look for this byte sequence (\x81\xc4\xf0\xef\xff\xff) in memory or network payloads targeting this CVE.
- The known JMP ESP ROP gadget used in exploitation is at address 0x1005ad5b within ienipp.ocx v5.30. Detection of this return address in heap spray or stack content is a strong indicator of exploitation.
- The exploit requires the 'operation' parameter to be set to a valid command to reach the vulnerable Date/Time code path. Monitor ActiveX invocations of ienipp.ocx where 'operation' is set alongside Date/Time parameters.
- The exploit is delivered via a browser-based HTML page (drive-by). The EXITFUNC is set to 'process', meaning the spawned process will terminate after payload execution, which is useful for post-exploitation forensics.
- The Metasploit module's payload space is limited to 512 bytes. Only small/staged shellcode will fit; larger payloads require a stager.
- The JMP ESP gadget address (0x1005ad5b) and the PrependEncoder offset are specific to ienipp.ocx version 5.30. Exploitation against other versions (e.g., 4.38) would require different offsets.
- NVD notes the vulnerability may affect versions before 5.32 beyond those explicitly listed (4.38, 5.30). Detection and patching scope should cover all sub-5.32 deployments.
No detection rules found.
Exploit-DB
Novell iPrint Client - ActiveX Control Date/Time Buffer Overflow (Metasploit)
exploitdb · 2010-05-09
```ruby
##
# $Id: novelliprint_datetime.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Novell iPrint Client ActiveX Control Date/Time Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Novell iPrint Client 5.30. When
passing a specially crafted date/time string via certain parameters to ienipp.ocx
an attacker can execute arbitrary code.
NOTE: The "operation" variable must be set to a valid com
```
Metasploit
Novell iPrint Client ActiveX Control Date/Time Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Novell iPrint Client 5.30. When passing a specially crafted date/time string via certain parameters to ienipp.ocx an attacker can execute arbitrary code. NOTE: The "operation" variable must be set to a valid command in order to reach this vulnerability.
No writeups or analysis indexed.
- http://download.novell.com/Download?buildid=29T3EFRky18~
- http://secunia.com/advisories/35004
- http://secunia.com/advisories/37169
- http://secunia.com/secunia_research/2009-44/
- http://www.securityfocus.com/archive/1/508288/100/0/threaded
- http://www.securityfocus.com/bid/37242
- http://www.vupen.com/english/advisories/2009/3429
Published: 2009-12-08