CVE-2009-3844
Published 2009-12-08
Priority: P2 (73) · critical · CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit available · EPSS 74.06% (99.4th percentile)
Stack-based buffer overflow in the OmniInet process in HP OpenView Data Protector Application Recovery Manager 5.50 and 6.0 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted MSG_PROTOCOL packet.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | openview_data_protector_application_recovery_manager | — | — |
| hp | openview_data_protector_application_recovery_manager | — | — |
| hp | openview_storage_data_protector | — | — |
| hp | openview_storage_data_protector | — | — |
Detection & IOCs (extracted from sources)
Byte patterns:
- `\xff\xfe\x32\x00\x36\x00\x37\x00`
- `\x00\x00\x12\x67`
- `\x00\x00\x20\x00`
- Detect exploit attempts by monitoring TCP port 5555 for MSG_PROTOCOL packets that begin with the Unicode BOM (0xFF 0xFE) followed by the Unicode-encoded string '267' and contain multiple 0x00002000 separators; this is the crafted packet structure used to trigger the wcscpy() overflow in OmniInet.exe.
- Alert on oversized packets to TCP/5555 targeting OmniInet.exe that contain SEH chain overwrites (structured exception handler records appended after the payload) followed by a backward JMP shellcode stub, which is characteristic of SEH-based exploitation of this vulnerability.
- The exploit sends a large padding block (rand_text_alphanumeric(1000) * 25) after the SEH record to force a stack exception; look for anomalously large TCP payloads (roughly 25,000 bytes or more) to port 5555 on OmniInet hosts.
- The exploit fingerprints the service by sending 64 random bytes and parsing the banner for 'HP Data Protector', 'HP OpenView Storage Data Protector', or 'HP StorageWorks Application Recovery Manager'; monitor for such short probe connections to port 5555 immediately preceding a large MSG_PROTOCOL packet.
- There are two consecutive wcscpy() calls exploitable in OmniInet.exe; CVE-2009-3844 specifically targets the second one. Detection should focus on the second argument field of the MSG_PROTOCOL packet being oversized.
- The Metasploit module targets specific OmniInet.exe build versions with hardcoded RET addresses (pop/pop/ret gadgets); against unrecognized builds the exploit fails or crashes the service. Defenders should note that versions 6.11 and above are reported as Safe by the module's check routine.
- The payload space is constrained to 4658 bytes with null bytes as bad characters: shellcode must avoid \x00 to prevent premature string termination in the wcscpy() overflow path.
- The exploit uses EXITFUNC=seh (structured exception handler exit), so the process may not terminate cleanly after exploitation; forensic analysis should account for a potentially unstable or crashed OmniInet.exe process post-exploitation.
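The packet-shape and size indicators above can be turned into a simple classifier for captured TCP payloads to port 5555. This is an added example, not code from the page or from any of the indexed sources; the byte constants are the ones quoted on the page, while the argument layout (fields separated by the 0x00002000 bytes) and the size thresholds are assumptions for illustration.

```python
"""Heuristic detector for crafted OmniInet MSG_PROTOCOL packets (CVE-2009-3844).

Added example. BOM_267 and SEP are the byte patterns quoted on the page; the
field layout and the two thresholds are assumptions, not protocol facts.
"""

OMNIINET_PORT = 5555
BOM_267 = b"\xff\xfe\x32\x00\x36\x00\x37\x00"   # Unicode BOM + UTF-16LE "267" (from page)
SEP = b"\x00\x00\x20\x00"                        # separator bytes (from page)
MAX_FIELD_LEN = 1024     # assumed: a single argument longer than this is suspect
MAX_PAYLOAD_LEN = 25000  # page: exploit pads to ~25,000+ bytes to force an exception


def split_fields(payload: bytes) -> list:
    """Return the argument fields after the BOM+'267' prefix (assumed layout)."""
    return payload[len(BOM_267):].split(SEP)


def analyze_msg_protocol(payload: bytes, dst_port: int) -> dict:
    """Classify one TCP payload sent to OmniInet and return findings for alerting."""
    result = {"suspicious": False, "findings": [], "field_lengths": []}
    if dst_port != OMNIINET_PORT or not payload.startswith(BOM_267):
        return result  # not a MSG_PROTOCOL exchange we recognise
    fields = split_fields(payload)
    result["field_lengths"] = [len(f) for f in fields]
    if len(fields) - 1 >= 2:  # several separators: the MSG_PROTOCOL shape
        result["findings"].append("msg_protocol_shape")
    if max(result["field_lengths"]) > MAX_FIELD_LEN:
        result["findings"].append("oversized_argument")
    if len(payload) > MAX_PAYLOAD_LEN:
        result["findings"].append("oversized_payload")
    result["suspicious"] = "msg_protocol_shape" in result["findings"] and (
        "oversized_argument" in result["findings"]
        or "oversized_payload" in result["findings"])
    return result


def build_packet(args: list) -> bytes:
    """Construct a sample packet in the assumed layout (test input only)."""
    return BOM_267 + b"".join(SEP + a for a in args)


# Constructed samples: a normal-looking exchange and one with an oversized second argument.
NORMAL = build_packet(["host1".encode("utf-16-le"), "user".encode("utf-16-le")])
OVERSIZED = build_packet(["host1".encode("utf-16-le"), b"A" * 3000])
```

Feed it the reassembled TCP payload of each connection to port 5555; a hit on the shape indicator alone is normal traffic, and only the combination with an oversized field or payload should raise an alert.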
GHSA
GHSA-55gv-fhr4-h6v5 (ghsa_unreviewed · 2022-05-02): CVE-2009-3844 [HIGH] CWE-119
Stack-based buffer overflow in the OmniInet process in HP OpenView Data Protector Application Recovery Manager 5.50 and 6.0 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted MSG_PROTOCOL packet.
GHSA
GHSA-98xx-c784-66x3 (ghsa_unreviewed · 2022-05-01 · CVSS 10.0): CVE-2007-2280 [CRITICAL] CWE-119, Stack-based buffer overflow in OmniInet
Stack-based buffer overflow in OmniInet.exe (aka the backup client service daemon) in the Application Recovery Manager component in HP OpenView Storage Data Protector 5.50 and 6.0 allows remote attackers to execute arbitrary code via an MSG_PROTOCOL command with long arguments, a different vulnerability than CVE-2009-3844.
No detection rules found.
Exploit-DB
HP - 'OmniInet.exe' MSG_PROTOCOL Buffer Overflow (Metasploit) (1) (exploitdb · 2010-09-20 · CVE-2009-3844)
---
```ruby
##
# $Id: hp_omniinet_2.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'HP OmniInet.exe MSG_PROTOCOL Buffer Overflow',
      'Description' => %q{
        This module exploits a stack-based buffer overflow in the Hewlett-Packard
        OmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b)
        packet, a remote attacker may be able to execute arbitrary code with elevated
        privileges.
        This service is installed with HP OpenView Data Protector
```
Exploit-DB
HP Application Recovery Manager - 'OmniInet.exe' Remote Buffer Overflow (exploitdb · 2009-12-26 · CVE-2009-3844)
---
```ruby
class Metasploit3 < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HP Application Recovery Manager (OmniInet.exe) Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack-based buffer overflow in HP Application Recovery Manager OmniInet daemon.
        By sending a specially crafted MSG_PROTOCOL packet, a remote attacker may be able to execute arbitrary code.
      },
      'Author'         => 'EgiX',
      'References'     =>
        [
          [ 'CVE', '2009-3844' ],
          [ 'BID', '37250' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-091' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
        },
      'Payload'        =>
        {
          'Space'    => 4658,
          'BadChars' => "\x00",   # double quotes so the escape is a real NUL byte
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows Universal', { 'Ret' => 0x004412ed } ], # OmniInet.exe pop ecx; pop ecx; ret
        ],
      'DefaultTarget'  =>
```
Metasploit
HP OmniInet.exe MSG_PROTOCOL Buffer Overflow (metasploit)
This module exploits a stack-based buffer overflow in the Hewlett-Packard OmniInet NT Service. By sending a specially crafted MSG_PROTOCOL (0x010b) packet, a remote attacker may be able to execute arbitrary code with elevated privileges. This service is installed with HP OpenView Data Protector, HP Application Recovery Manager and potentially other products. This exploit has been tested against versions 6.1, 6.0, and 5.50 of Data Protector, and versions 6.0 and 6.1 of Application Recovery Manager. NOTE: There are actually two consecutive wcscpy() calls in the program (which may be why ZDI considered them two separate issues). However, this module only exploits the second one.
No writeups or analysis indexed.
References
- http://marc.info/?l=bugtraq&m=126029001704529&w=2
- http://secunia.com/advisories/37600
- http://securitytracker.com/id?1023288
- http://www.securityfocus.com/archive/1/508329/100/0/threaded
- http://www.securityfocus.com/bid/37250
- http://www.vupen.com/english/advisories/2009/3454
- http://zerodayinitiative.com/advisories/ZDI-09-091/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/54638