CVE-2009-1943
Published 2009-06-05
Priority: P2 · 72 · critical · 10 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 72.21% (99.4th percentile)
Stack-based buffer overflow in the IKE service (ireIke.exe) in SafeNet SoftRemote before 10.8.6 allows remote attackers to execute arbitrary code via a long request to UDP port 62514.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| safenet-inc | softremote | <= 10.8.5 | — |
| safenet-inc | softremote | — | — |
| safenet-inc | softremote | — | — |
| safenet-inc | softremote | — | — |
| safenet-inc | softremote | — | — |
| safenet-inc | softremote | — | — |
| safenet-inc | softremote | — | — |
| safenet-inc | softremote | — | — |
| safenet-inc | softremote | — | — |
| safenet-inc | softremote | — | — |
| safenet-inc | softremote | — | — |
| safenet-inc | softremote | — | — |
Detection & IOCs
- bytes: \x01\x00\x00\x00 (IPC packet header prefix)
- bytes: \x81\xc4\x54\xf2\xff\xff (PrependEncoder stack adjustment stub)
- Alert on any UDP traffic to port 62514 originating from external/untrusted hosts targeting the IKE service; oversized packets (beyond normal IKE framing) are indicative of exploitation.
- EIP control occurs at offset 213 bytes into the payload; a UDP payload to port 62514 with length ≥213 bytes starting with the 4-byte IPC magic \x01\x00\x00\x00 is a strong exploit indicator.
- Bad characters in exploit payload are \x00\x0a\x20\x0d; any IDS/IPS signature for this CVE should flag UDP/62514 payloads that do NOT contain these bytes but are abnormally long.
- Monitor for ireIke.exe spawning unexpected child processes or making outbound TCP connections, which would indicate successful shellcode execution (e.g., reverse_ord_tcp payload).
- Exploit payload space is only 213 bytes; staged/encoded payloads (e.g., reverse_ord_tcp) are required. Detection signatures must account for encoded shellcode rather than raw shellcode patterns.
- The return address (call esi gadget) differs across three known build versions of IreIKE.exe (10.8.0.20, 10.8.0.10, 10.8.3.6); version-specific RET values must be used for reliable exploitation, meaning detection should not rely solely on a fixed byte pattern at the RET offset.
- EXITFUNC is set to 'process', meaning successful exploitation terminates the IreIKE.exe process; a sudden crash/restart of ireIke.exe after inbound UDP/62514 traffic should be treated as a post-exploitation indicator.
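The network-side indicators listed above, combined into one triage function. This is an added example, not code from this page or from the Metasploit module. The loopback-only trusted range, the `MIN_CLEAN_RUN` threshold and the sample datagrams are assumptions constructed for illustration.

```python
import ipaddress

IKE_IPC_PORT = 62514                               # UDP port named in the advisory
IPC_MAGIC = b"\x01\x00\x00\x00"                    # IPC packet header prefix
STACK_ADJUST_STUB = b"\x81\xc4\x54\xf2\xff\xff"    # stack adjustment stub from the IOC list
EIP_OFFSET = 213                                   # length at which the saved return address is reached
BAD_CHARS = frozenset(b"\x00\x0a\x20\x0d")         # bytes an encoded payload avoids
MIN_CLEAN_RUN = 128                                # assumed tuning value, not from the page


def longest_clean_run(data: bytes) -> int:
    """Length of the longest run of bytes that contains none of BAD_CHARS."""
    best = cur = 0
    for b in data:
        cur = 0 if b in BAD_CHARS else cur + 1
        best = max(best, cur)
    return best


def indicators(src_ip, dst_port, payload, trusted_nets=("127.0.0.0/8",)):
    """Return the names of the indicators a single UDP datagram matches."""
    if dst_port != IKE_IPC_PORT:
        return []
    hits = []
    src = ipaddress.ip_address(src_ip)
    if not any(src in ipaddress.ip_network(n) for n in trusted_nets):
        hits.append("untrusted-source")
    if payload.startswith(IPC_MAGIC) and len(payload) >= EIP_OFFSET:
        hits.append("ipc-magic-oversized")
    if STACK_ADJUST_STUB in payload:
        hits.append("stack-adjust-stub")
    # Encoded payloads avoid the bad characters, so a long run without them
    # stands out; the header's own NUL bytes only reset the run counter.
    if longest_clean_run(payload) >= MIN_CLEAN_RUN:
        hits.append("long-badchar-free-run")
    return hits


# Constructed sample datagrams (filler bytes only, no real traffic).
SAMPLES = [
    ("127.0.0.1", 62514, IPC_MAGIC + b"\x00\x10 ok\r\n"),
    ("203.0.113.7", 62514, IPC_MAGIC + b"A" * 40),
    ("203.0.113.7", 62514, IPC_MAGIC + STACK_ADJUST_STUB + b"A" * 230),
]

if __name__ == "__main__":
    for src, port, data in SAMPLES:
        print(src, len(data), indicators(src, port, data))
```

No single indicator is decisive: the return address varies by build and the payload is encoded, so the combination of matches is more useful than any fixed byte pattern.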
No detection rules found.
Exploit-DB
SafeNet SoftRemote - IKE Service Buffer Overflow (Metasploit)
exploitdb·2010-06-22
---
```ruby
##
# $Id: safenet_ike_11.rb 9583 2010-06-22 19:11:05Z todb $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # ...
      'Name'        => 'SafeNet SoftRemote IKE Service Buffer Overflow',
      'Description' => %q{
          This module exploits a stack buffer overflow in Safenet SoftRemote IKE IreIKE.exe
        service. When sending a specially crafted udp packet to port 62514 an
        attacker may be able to execute arbitrary code. This module has
        been tested with Juniper NetScreen-Remote 10.8.0 (Build 20) using
        windows/meterpreter
```
Metasploit
SafeNet SoftRemote IKE Service Buffer Overflow
metasploit
This module exploits a stack buffer overflow in Safenet SoftRemote IKE IreIKE.exe service. When sending a specially crafted udp packet to port 62514 an attacker may be able to execute arbitrary code. This module has been tested with Juniper NetScreen-Remote 10.8.0 (Build 20) using windows/meterpreter/reverse_ord_tcp payloads.
No writeups or analysis indexed.
- http://osvdb.org/54831
- http://secunia.com/advisories/35280
- http://www.securityfocus.com/archive/1/503981/100/0/threaded
- http://www.securityfocus.com/bid/35154
- http://www.securitytracker.com/id?1022316
- http://www.vupen.com/english/advisories/2009/1472
- http://www.zerodayinitiative.com/advisories/ZDI-09-024/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/50880