CVE-2009-1569
published 2009-12-08


Priority: P266, critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available (Metasploit module; see detection notes below)
EPSS: 37.52% (98.3rd percentile)
Multiple stack-based buffer overflows in Novell iPrint Client 4.38, 5.30, and possibly other versions before 5.32 allow remote attackers to execute arbitrary code via vectors related to (1) Date and (2) Time.

Affected (2 ranges)

Vendor    Product    Version range    Fixed in
novell    iprint
novell    iprint

Detection & IOCs

filename: ienipp.ocx
other: 0x1005ad5b
other: volatile-date-time
bytes: \x81\xc4\xf0\xef\xff\xff
  • The vulnerable ActiveX control is ienipp.ocx (Novell iPrint Client). Monitor for browser processes loading this OCX, especially when invoked with crafted Date/Time parameters.
  • The exploit payload's bad characters include null bytes and the common delimiters used in strtok parsing (=, :, ;, ,). Shellcode delivered via this vector will avoid these bytes.
  • The Metasploit module uses a stack-pivot prepend encoder (ADD ESP, -0x1010) before shellcode. Look for this byte sequence (\x81\xc4\xf0\xef\xff\xff) in memory or network payloads targeting this CVE.
  • The known JMP ESP ROP gadget used in exploitation is at offset 0x1005ad5b within ienipp.ocx v5.30. Detection of this return address in heap spray or stack content is a strong indicator of exploitation.
  • The exploit requires the 'operation' parameter to be set to a valid command to reach the vulnerable Date/Time code path. Monitor ActiveX invocations of ienipp.ocx where 'operation' is set alongside Date/Time parameters.
  • The exploit is delivered via a browser-based HTML page (drive-by). The EXITFUNC is set to 'process', meaning the spawned process will terminate after payload execution — useful for post-exploitation forensics.
  • The Metasploit module's payload space is limited to 512 bytes. Only small/staged shellcode will fit; larger payloads require a stager.
  • The JMP ESP gadget address (0x1005ad5b) and the PrependEncoder offset are specific to ienipp.ocx version 5.30. Exploitation against other versions (e.g., 4.38) would require different offsets.
  • NVD notes the vulnerability may affect versions before 5.32 beyond those explicitly listed (4.38, 5.30). Detection and patching scope should cover all sub-5.32 deployments.