CVE-2009-3844
published 2009-12-08

CVE-2009-3844: Stack-based buffer overflow in the OmniInet process in HP OpenView Data Protector Application Recovery Manager 5.50 and 6.0 allows remote attackers to execute…

Priority P273 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 74.06% (99.4th percentile)
Stack-based buffer overflow in the OmniInet process in HP OpenView Data Protector Application Recovery Manager 5.50 and 6.0 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted MSG_PROTOCOL packet.

Affected

4 ranges
Vendor | Product | Version range | Fixed in
hp | openview_data_protector_application_recovery_manager | |
hp | openview_data_protector_application_recovery_manager | |
hp | openview_storage_data_protector | |
hp | openview_storage_data_protector | |

Detection & IOCs (extracted from sources)

port: 5555
process: OmniInet.exe
command: MSG_PROTOCOL 267
other: 0x004406cf
other: 0x0044327d
other: 0x004280ff
other: 0x004412ed
bytes: \xff\xfe\x32\x00\x36\x00\x37\x00
bytes: \x00\x00\x12\x67
bytes: \x00\x00\x20\x00
  • Detect exploit attempts by monitoring TCP port 5555 for MSG_PROTOCOL packets beginning with the Unicode BOM (0xFF 0xFE) followed by the Unicode-encoded string '267', with multiple 0x00002000 separators — this is the crafted packet structure used to trigger the wcscpy() overflow in OmniInet.exe.
  • Alert on oversized packets to TCP/5555 targeting OmniInet.exe that contain SEH chain overwrites (structured exception handler records appended after payload), followed by a backward JMP shellcode stub — characteristic of SEH-based exploitation of this vulnerability.
  • The exploit sends a large padding block (rand_text_alphanumeric(1000) * 25) after the SEH record to force a stack exception — look for anomalously large TCP payloads (~25,000+ bytes) to port 5555 on OmniInet hosts.
  • The exploit fingerprints the service by sending 64 random bytes and parsing the banner for 'HP Data Protector', 'HP OpenView Storage Data Protector', or 'HP StorageWorks Application Recovery Manager' — monitor for such short probe connections to port 5555 immediately preceding a large MSG_PROTOCOL packet.
  • There are two consecutive wcscpy() calls exploitable in OmniInet.exe; CVE-2009-3844 specifically targets the second one. Detection should focus on the second argument field in the MSG_PROTOCOL packet being oversized.
  • The Metasploit module targets specific OmniInet.exe build versions with hardcoded RET addresses (p/p/r gadgets); the exploit will fail or crash the service against unrecognized builds. Defenders should note that versions 6.11 and above are reported as Safe by the module's check routine.
  • The payload space is constrained to 4658 bytes with null bytes as bad characters; shellcode must avoid \x00 to prevent premature string termination in the wcscpy() overflow path.
  • The exploit uses EXITFUNC=seh (structured exception handler exit), meaning the process may not cleanly terminate after exploitation — forensic analysis should account for a potentially unstable or crashed OmniInet.exe process post-exploitation.
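
The detection notes above can be combined into one triage pass over reassembled client payloads to TCP/5555. The following is an added example, not code from this page or from any vendor rule set; the marker bytes, probe size and payload size come from the notes, while MAX_FIELD, MIN_SEPS, the Event tuple and the sample traffic are assumptions constructed for illustration.

```python
from collections import namedtuple

MSG_267 = b"\xff\xfe\x32\x00\x36\x00\x37\x00"  # BOM + UTF-16LE "267" (bytes listed above)
SEP = b"\x00\x00\x20\x00"                       # separator bytes listed above
PORT = 5555
PROBE_LEN = 64          # the fingerprint probe is 64 random bytes
LARGE_PAYLOAD = 25_000  # "~25,000+ bytes" from the notes
MAX_FIELD = 1024        # assumption: tune to the largest field in legitimate traffic
MIN_SEPS = 2            # assumption: what counts as "multiple" separators
Event = namedtuple("Event", "src dst_port payload")  # hypothetical sensor record

def score_payload(payload):
    """Return the indicator names matched by one client-to-server payload."""
    pos = payload.find(MSG_267)  # find() tolerates framing bytes before the marker
    if pos == -1:
        return []
    hits = ["msg_protocol_267"]
    fields = payload[pos + len(MSG_267):].split(SEP)
    if len(fields) - 1 >= MIN_SEPS:
        hits.append("multiple_separators")
    if max(len(f) for f in fields) > MAX_FIELD:
        hits.append("oversized_field")
    if len(payload) >= LARGE_PAYLOAD:
        hits.append("large_payload")
    return hits

def triage(events):
    """Walk events in arrival order and alert on overflow-sized MSG_PROTOCOL 267."""
    probed, alerts = set(), []
    for ev in events:
        if ev.dst_port != PORT:
            continue
        hits = score_payload(ev.payload)
        if not hits and len(ev.payload) == PROBE_LEN:
            probed.add(ev.src)  # remember sources that sent a banner-grab probe
        elif "oversized_field" in hits or "large_payload" in hits:
            if ev.src in probed:
                hits.append("preceded_by_64_byte_probe")
            alerts.append((ev.src, hits))
    return alerts

def constructed_events():
    """Constructed traffic: marker bytes plus filler, not a valid protocol message."""
    small = MSG_267 + SEP + b"A" * 20 + SEP + b"B" * 20 + SEP
    big = MSG_267 + SEP + b"A" * 20 + SEP + b"B" * 30_000 + SEP
    return [Event("192.0.2.5", PORT, small), Event("192.0.2.9", PORT, b"\x11" * 64),
            Event("192.0.2.9", PORT, big), Event("192.0.2.9", 443, big)]

if __name__ == "__main__":
    print(triage(constructed_events()))
```

A normally sized MSG_PROTOCOL 267 message matches the marker but raises no alert, which keeps the rule from firing on every legitimate connection to the service.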