CVE-2009-4006
published 2009-11-20

Priority: P270, critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 82.93% (99.6th percentile)

Stack-based buffer overflow in the TEA decoding algorithm in RhinoSoft Serv-U FTP server 7.0.0.1, 9.0.0.5, and other versions before 9.1.0.0 allows remote attackers to execute arbitrary code via a long hexadecimal string.

Affected

28 ranges · showing 25; every listed row is vendor solarwinds, product serv-u_file_server.

Detection & IOCs (extracted from sources)

cookie: Session=_<overly long hexadecimal string>
command: POST / HTTP/1.1 with oversized Session cookie
version: Serv-U/9.0.0.5
  • Detect exploit attempts by inspecting HTTP POST requests for a 'Cookie: Session=_' header followed by an abnormally long hexadecimal string (75,000+ characters).
  • Fingerprint vulnerable Serv-U instances via the HTTP Server response header 'Server: Serv-U/9.0.0.5'; versions before 9.1.0.0 are affected.
  • The exploit sends a specially crafted POST request with an overly long session cookie string; alert on HTTP POST requests to Serv-U whose Cookie header exceeds normal length thresholds.
  • Bad characters used in payload construction can help tune IDS signatures: null bytes and common URL metacharacters are avoided, meaning the cookie value will be a long hex string free of: 0x00, 0x3a, 0x26, 0x3f, 0x25, 0x23, 0x20, 0x0a, 0x0d, 0x2f, 0x2b, 0x0b, 0x5c.
  • The CVE association in the Metasploit module is marked as uncertain ('# unsure'), so correlation with CVE-2009-4006 should be treated with moderate confidence.
  • The exploit uses EXITFUNC=thread by default, meaning the server process may survive exploitation; process-crash-based detection may not fire.
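
The cookie-length and Server-banner checks above, written as a small Python detector. This is an added example, not code from this page, Serv-U or the Metasploit module. The 1,024-character alert threshold, the function names, the host name and the sample requests are assumptions constructed for illustration.

```python
import re

# Assumed alert threshold: far above a normal session id, far below the
# 75,000+ characters cited for the exploit, so trimmed variants still alert.
ALERT_HEX_LEN = 1024
SESSION_RE = re.compile(r"(?:^|;\s*)Session=_([0-9A-Fa-f]+)")
BANNER_RE = re.compile(r"Serv-U/(\d+(?:\.\d+){1,3})")
FIXED = (9, 1, 0, 0)  # first fixed version according to the advisory text

def parse_request(raw: bytes):
    """Return (method, headers) from a raw HTTP request; header names lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, headers

def oversized_session_cookie(raw: bytes, limit: int = ALERT_HEX_LEN) -> int:
    """Length of the Session=_<hex> run if a POST exceeds the limit, else 0."""
    method, headers = parse_request(raw)
    if method != "POST":
        return 0
    runs = [len(m.group(1)) for c in headers.get("cookie", [])
            for m in SESSION_RE.finditer(c)]
    longest = max(runs, default=0)
    return longest if longest > limit else 0

def banner_is_affected(server_header: str) -> bool:
    """True when the Server header names a Serv-U version before 9.1.0.0."""
    m = BANNER_RE.search(server_header)
    if not m:
        return False
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts) < FIXED

# Constructed sample requests (not captured traffic).
PREFIX = b"POST / HTTP/1.1\r\nHost: ftp.example.test\r\nCookie: Session=_"
BENIGN = PREFIX + b"ab12" * 8 + b"\r\n\r\n"
SUSPECT = PREFIX + b"41" * 40000 + b"\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, "hex length over limit:", oversized_session_cookie(req))
    print("Serv-U/9.0.0.5 affected:", banner_is_affected("Serv-U/9.0.0.5"))
```

Because the check measures the hex run and does not rely on a process crash, it still fires when the server survives the request.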