CVE-2009-1730
published 2009-05-20


Priority: P266 | critical | CVSS 2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 54.51% (98.9th percentile)
Multiple directory traversal vulnerabilities in NetMechanica NetDecision TFTP Server 4.2 allow remote attackers to read or modify arbitrary files via directory traversal sequences in the (1) GET or (2) PUT command.

Affected

1 range
Vendor | Product | Version range | Fixed in
netmechanica | netdecision_tftp_server | |

Detection & IOCs (extracted from sources)

port: 69/UDP (TFTP)
path: ..\..\..\WINDOWS\system32\<random>.exe
path: ..\..\..\WINDOWS\system32\wbem\mof\<random>.mof
command: TFTP PUT with directory traversal sequences (e.g., ../)
  • Monitor TFTP (UDP/69) traffic for directory traversal sequences (e.g., '../' or '..\') in GET or PUT request filenames targeting NetDecision 4.2 TFTP Server.
  • Alert on unexpected .mof files appearing in C:\Windows\System32\wbem\mof\ that were not deployed by a known management process, especially when preceded by an unknown .exe dropped in System32.
  • The exploit source port for TFTP client connections is randomized between 1025 and 65535; however, the destination is always UDP/69 on the target NetDecision TFTP server.
  • The traversal depth is configurable by the attacker (default 1, but effectively falls back to 10 if unset or zero), meaning the number of '../' sequences in the malicious filename will vary per attack attempt.
  • The exploit targets Windows XP SP3 and Windows 2003 SP2 specifically; the WbemExec MOF-drop technique is OS-version dependent and may not apply to other platforms.
  • Null bytes are the only bad characters for the payload, meaning most shellcode encodings are viable and payload detection cannot rely on null-byte filtering.
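The first monitoring rule above, as an added example (not from the original page or from any vendor tooling): it parses TFTP read/write requests per RFC 1350 and counts `..` path components in the requested filename, treating `/` and `\` alike so the varying traversal depth does not matter. The sample packets are constructed and the function names are hypothetical.

```python
import struct

# RFC 1350 request opcodes; every other opcode (DATA, ACK, ERROR) carries no filename.
REQUESTS = {1: "RRQ (GET)", 2: "WRQ (PUT)"}

def parse_request(payload: bytes):
    """Return (op, filename, mode) for a well-formed RRQ/WRQ payload, else None."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    fields = payload[2:].split(b"\x00")
    # Expect filename NUL mode NUL, i.e. at least three fields after the split.
    if opcode not in REQUESTS or len(fields) < 3:
        return None
    return REQUESTS[opcode], fields[0].decode("latin-1"), fields[1].decode("latin-1").lower()

def traversal_depth(filename: str) -> int:
    """Count '..' path components; '/' and '\\' are both treated as separators."""
    return filename.replace("\\", "/").split("/").count("..")

def inspect(payload: bytes):
    """Return (op, filename, depth) for a request, or None for anything else."""
    req = parse_request(payload)
    if req is None:
        return None
    op, name, _mode = req
    return op, name, traversal_depth(name)

def alerts(payloads):
    """Keep only requests whose filename contains at least one '..' component."""
    return [r for r in map(inspect, payloads) if r is not None and r[2] > 0]

# Constructed UDP/69 payloads for illustration (not captured traffic).
SAMPLES = [
    b"\x00\x01boot/pxelinux.0\x00octet\x00",                               # normal GET
    b"\x00\x02..\\..\\..\\WINDOWS\\system32\\example.exe\x00octet\x00",    # PUT, depth 3
    b"\x00\x01../../example.txt\x00netascii\x00",                          # GET, depth 2
    b"\x00\x03\x00\x01data",                                               # DATA packet
    b"\x00\x01notes..txt\x00octet\x00",                                    # dots, not a component
]

if __name__ == "__main__":
    for op, name, depth in alerts(SAMPLES):
        print(f"ALERT {op} filename={name!r} traversal_depth={depth}")
```

Matching on whole `..` components rather than the substring `..` avoids alerting on filenames such as `notes..txt`.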