CVE-2009-3999
published 2010-01-20


Priority: P272
CVSS 2.0: 10 critical (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 71.61% (99.3rd percentile)
Stack-based buffer overflow in goform/formExportDataLogs in HP Power Manager before 4.2.10 allows remote attackers to execute arbitrary code via a long fileName parameter.

Affected (3 ranges)

Vendor  Product        Version range  Fixed in
hp      power_manager  <= 4.2.9       -
hp      power_manager  -              -
hp      power_manager  -              -

Detection & IOCs (extracted from sources)

url:     /goform/formExportDataLogs
path:    /goform/formExportDataLogs
process: DevManBE.exe
url:     http://{rhost}/Contents/exportLogs.asp?logType=Application
  • Detect HTTP POST requests to /goform/formExportDataLogs with an abnormally long 'fileName' parameter (offset 721 bytes before overflow) as the exploit trigger.
  • Look for POST requests to /goform/formExportDataLogs containing the specific form fields: dataFormat=comma, exportto=file, actionType=1%3B alongside an oversized fileName value.
  • The exploit uses an egghunter shellcode technique with the BufferRegister set to EDI; look for JMP EDI patterns in shellcode delivered via the Accept header alongside the POST body.
  • The egghunter payload is placed in the HTTP Accept header of the exploit request; anomalous binary/encoded data in the Accept header paired with a POST to /goform/formExportDataLogs is a strong indicator.
  • The Referer header value 'http://{host}/Contents/exportLogs.asp?logType=Application' is hardcoded in the exploit; its presence alongside a malformed POST to formExportDataLogs is suspicious.
  • Exploitation results in code execution under SYSTEM context via DevManBE.exe; monitor for unexpected child processes or network connections spawned from DevManBE.exe.
  • The ROP/return address 0x004174d5 (pop esi / pop ebx / ret 10) is specific to DevManBE.exe as shipped with HP Power Manager 4.2 builds 7 and 9 on Windows XP SP3 / Windows Server 2003 SP0; different builds or OS versions will require a different return address.
  • The overflow offset is 721 bytes; this value is specific to the vulnerable HP Power Manager build and may differ across versions.
  • The exploit default exit function is 'thread', meaning the exploit attempts to exit cleanly by terminating only the handler thread rather than the whole process, which affects post-exploitation stability.
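The indicators above can be turned into a request-scoring rule. The following is an added example written for this page, not code from the page, from HP or from any detection product: it parses HTTP request records (constructed dicts; in practice they would be filled from a proxy, WAF or IDS log) and checks them against the listed conditions. The alerting thresholds (256 bytes for fileName, 20% non-printable bytes in Accept) and the sample host name are assumptions; the 721-byte offset, path, form fields and Referer string come from the indicators above.

```python
# Added example (not from the page, HP, or any vendor product): scores parsed HTTP
# requests against the CVE-2009-3999 indicators listed above. Request records are
# constructed dicts; a real deployment would populate them from a log parser.
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/goform/formExportDataLogs"
# The advisory puts the overflow offset at 721 bytes; a legitimate export file name
# is far shorter. 256 is an assumed alerting threshold, not a value from the page.
FILENAME_LEN_THRESHOLD = 256
# Form fields the exploit sends alongside the oversized fileName (URL-decoded).
EXPLOIT_FIELDS = {"dataFormat": "comma", "exportto": "file", "actionType": "1;"}
REFERER_SUFFIX = "/Contents/exportLogs.asp?logType=Application"
# Share of non-printable bytes above which an Accept header looks like a payload
# carrier rather than a MIME type list (assumed threshold).
BINARY_RATIO_THRESHOLD = 0.2


def binary_ratio(value: str) -> float:
    """Fraction of characters outside printable ASCII (0.0 for an empty string)."""
    if not value:
        return 0.0
    bad = sum(1 for ch in value if not 32 <= ord(ch) < 127)
    return bad / len(value)


def analyze_request(req: dict) -> dict:
    """Return matched indicators and a verdict for one parsed HTTP request.

    req keys: method, path, headers (dict; names matched case-insensitively), body.
    """
    indicators = []
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    path = urlsplit(req.get("path", "")).path

    if req.get("method", "").upper() != "POST" or path != TARGET_PATH:
        return {"verdict": "ignore", "indicators": indicators}

    form = {k: v[0] for k, v in
            parse_qs(req.get("body", ""), keep_blank_values=True).items()}
    file_name = form.get("fileName", "")
    if len(file_name) >= FILENAME_LEN_THRESHOLD:
        indicators.append(f"oversized_fileName({len(file_name)} bytes)")
    if all(form.get(k) == v for k, v in EXPLOIT_FIELDS.items()):
        indicators.append("exploit_form_fields")
    if headers.get("referer", "").endswith(REFERER_SUFFIX):
        indicators.append("hardcoded_referer")
    if binary_ratio(headers.get("accept", "")) >= BINARY_RATIO_THRESHOLD:
        indicators.append("binary_accept_header")

    # The oversized fileName is the trigger itself, so it alone raises an alert.
    # The form fields and Referer are what the legitimate export page also sends,
    # so they only add confidence; a binary Accept header is rare enough on its
    # own to be worth a lower-severity flag.
    if any(i.startswith("oversized_fileName") for i in indicators):
        verdict = "alert"
    elif "binary_accept_header" in indicators:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": indicators}


# Constructed sample traffic. The host name is invented; the attack record uses a
# plain 'A' filler in fileName and placeholder bytes in Accept, not a real payload.
BENIGN_REQUEST = {
    "method": "POST",
    "path": TARGET_PATH,
    "headers": {
        "Accept": "text/html,application/xhtml+xml",
        "Referer": "http://pm.example.internal/Contents/exportLogs.asp?logType=Application",
    },
    "body": "dataFormat=comma&exportto=file&fileName=applog_2010-01-20&actionType=1%3B",
}
ATTACK_REQUEST = {
    "method": "POST",
    "path": TARGET_PATH,
    "headers": {
        "Accept": "text/html" + "\x00\x01\x02" * 20,
        "Referer": "http://pm.example.internal/Contents/exportLogs.asp?logType=Application",
    },
    "body": "dataFormat=comma&exportto=file&fileName=" + "A" * 800 + "&actionType=1%3B",
}

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("attack", ATTACK_REQUEST)):
        print(name, analyze_request(req))
```

The benign record deliberately carries the same form fields and Referer as the attack record: a user exporting logs through the normal UI produces exactly those, so a rule that alerts on them alone will page on every legitimate export. The fileName length is the discriminating signal; the Accept header check covers the egghunter delivery path described above.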