CVE-2009-3999
Published 2010-01-20
Priority: P2 · 72 · CVSS 2.0: 10 (critical)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Public exploit available
EPSS: 71.61% (99.3rd percentile)
Stack-based buffer overflow in goform/formExportDataLogs in HP Power Manager before 4.2.10 allows remote attackers to execute arbitrary code via a long fileName parameter.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | power_manager | <= 4.2.9 | — |
| hp | power_manager | — | — |
| hp | power_manager | — | — |
Detection & IOCs (extracted from sources)
- Detect HTTP POST requests to /goform/formExportDataLogs carrying an abnormally long 'fileName' parameter (the overflow occurs at a 721-byte offset into the field); this is the exploit trigger.
- Look for POST requests to /goform/formExportDataLogs containing the specific form fields dataFormat=comma, exportto=file and actionType=1%3B alongside an oversized fileName value.
- The exploit uses an egghunter shellcode technique with the BufferRegister set to EDI; look for JMP EDI patterns in shellcode delivered via the Accept header alongside the POST body.
- The egghunter payload is placed in the HTTP Accept header of the exploit request; anomalous binary or encoded data in the Accept header paired with a POST to /goform/formExportDataLogs is a strong indicator.
- The Referer header value 'http://{host}/Contents/exportLogs.asp?logType=Application' is hardcoded in the exploit; its presence alongside a malformed POST to formExportDataLogs is suspicious.
- Exploitation results in code execution under the SYSTEM context via DevManBE.exe; monitor for unexpected child processes or network connections spawned from DevManBE.exe.
- The ROP/return address 0x004174d5 (pop esi / pop ebx / ret 10) is specific to DevManBE.exe as shipped with HP Power Manager 4.2 builds 7 and 9 on Windows XP SP3 / Windows Server 2003 SP0; different builds or OS versions would require a different return address.
- The overflow offset is 721 bytes; this value is specific to the vulnerable HP Power Manager build and may differ across versions.
- The exploit's default exit function is 'thread', meaning it attempts to exit cleanly by terminating only the handler thread rather than the whole process, which affects post-exploitation stability.
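The indicators above can be turned into a request classifier. The following is an added example written for this page, not code from the page's sources or from the Metasploit module; it assumes raw HTTP/1.x requests as input, uses the 721-byte offset quoted above, and treats a fileName longer than 260 characters (an assumed sane upper bound) as oversized.

```python
# Added example (not from the page or the Metasploit module): classify raw HTTP
# requests against the CVE-2009-3999 trigger pattern described in the IOC notes.
from urllib.parse import parse_qs

TARGET_PATH = "/goform/formExportDataLogs"
OVERFLOW_OFFSET = 721    # overflow offset quoted on this page for the vulnerable build
MAX_SANE_FILENAME = 260  # assumption: no legitimate export name exceeds Windows MAX_PATH
FORM_MARKERS = {"dataFormat": "comma", "exportto": "file", "actionType": "1;"}  # actionType=1%3B decoded


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, lowercase-name headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip()
    return method.decode("latin-1"), path.decode("latin-1"), headers, body


def inspect_request(raw: bytes) -> list:
    """Return the reasons a request resembles a CVE-2009-3999 attempt; [] means nothing matched."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return []
    reasons = []
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    filename = fields.get("fileName", [""])[0]
    if len(filename) >= OVERFLOW_OFFSET:
        reasons.append(f"fileName is {len(filename)} bytes, at or past the {OVERFLOW_OFFSET}-byte overflow offset")
    markers_present = all(fields.get(k, [None])[0] == v for k, v in FORM_MARKERS.items())
    if markers_present and len(filename) > MAX_SANE_FILENAME:
        reasons.append("exploit form-field fingerprint (dataFormat/exportto/actionType) with oversized fileName")
    accept = headers.get("accept", b"")
    if any(b > 0x7E or (b < 0x20 and b != 0x09) for b in accept):
        reasons.append("non-printable bytes in Accept header (egghunter stage is delivered there)")
    referer = headers.get("referer", b"")
    if reasons and referer.endswith(b"/Contents/exportLogs.asp?logType=Application"):
        reasons.append("Referer matches the value hardcoded in the public exploit")
    return reasons


if __name__ == "__main__":
    # Constructed sample: a benign export request from a legitimate UI session.
    sample = (b"POST /goform/formExportDataLogs HTTP/1.1\r\nHost: ups.example\r\nAccept: text/html\r\n\r\n"
              b"dataFormat=comma&exportto=file&actionType=1%3B&fileName=powerlog.csv")
    print(inspect_request(sample) or "no CVE-2009-3999 indicators")
```

Feed it requests reconstructed from a proxy log or packet capture; any non-empty result is worth correlating with DevManBE.exe process activity on the host.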
No detection rules found.
Exploit-DB
HP Power Manager - 'formExportDataLogs' Remote Buffer Overflow (Metasploit)
exploitdb · 2011-10-20
---
##
# $Id: hp_power_manager_filename.rb 14016 2011-10-20 17:40:21Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "HP Power Manager 'formExportDataLogs' Buffer Overflow",
'Description' => %q{
This module exploits a buffer overflow in HP Power Manager's 'formExportDataLogs'.
By creating a malformed request specifically for the fileName parameter, a stack-based
buffer overflow occurs due to a long error message (which contains the fileName),
which may resu
Metasploit
HP Power Manager 'formExportDataLogs' Buffer Overflow
This module exploits a buffer overflow in HP Power Manager's 'formExportDataLogs'. By creating a malformed request specifically for the fileName parameter, a stack-based buffer overflow occurs due to a long error message (which contains the fileName), which may result in arbitrary remote code execution under the context of 'SYSTEM'.
No writeups or analysis indexed.
References
- http://marc.info/?l=bugtraq&m=126393370331959&w=2
- http://secunia.com/advisories/37280
- http://secunia.com/secunia_research/2009-47/
- http://securityreason.com/securityalert/8482
- http://securitytracker.com/id?1023470
- http://www.securityfocus.com/bid/37867