CVE-2009-4006
Published 2009-11-20
Priority: P2 · 70 · Severity: critical (CVSS 2.0 base score 10)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 82.93% (99.6th percentile)
Stack-based buffer overflow in the TEA decoding algorithm in RhinoSoft Serv-U FTP server 7.0.0.1, 9.0.0.5, and other versions before 9.1.0.0 allows remote attackers to execute arbitrary code via a long hexadecimal string.
Affected
28 ranges (all solarwinds / serv-u_file_server; per-range version bounds are not shown on this page)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | serv-u_file_server | 7.0.0.1, 9.0.0.5, and other versions before 9.1.0.0 (per the advisory text) | 9.1.0.0 |
Detection & IOCs (extracted from sources)
- Detect exploit attempts by inspecting HTTP POST requests for a Cookie header of the form 'Cookie: Session=_...' where the value after the underscore is an abnormally long hexadecimal string (75,000+ characters).
- Fingerprint vulnerable Serv-U instances via the HTTP Server response header, e.g. 'Server: Serv-U/9.0.0.5'; versions before 9.1.0.0 are affected.
- The exploit sends a specially crafted POST request with an overly long session cookie string; alert on HTTP POSTs to Serv-U whose Cookie header exceeds normal length thresholds.
- The bad-character list from the exploit's payload construction can help tune IDS signatures: null bytes and common URL metacharacters are avoided, so the cookie value is a long hex string containing none of 0x00, 0x3a, 0x26, 0x3f, 0x25, 0x23, 0x20, 0x0a, 0x0d, 0x2f, 0x2b, 0x0b, 0x5c.
- The CVE reference in the Metasploit module is marked as uncertain ('# unsure'), so correlation with CVE-2009-4006 should be treated with moderate confidence.
- The exploit uses EXITFUNC=thread by default, so the server process may survive exploitation; crash-based detection may not fire.
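Worked detection logic for the IOCs above, written as an added example for this page; it is not Serv-U, Metasploit or any vendor's rule code. It takes only what the page states: the 'Session=_' cookie prefix, the 75,000-character length seen in the public exploit, and 9.1.0.0 as the first fixed version from the advisory text. The sample requests, hostname and the choice to flag any HTTP method (the page's IOC describes a POST; treating the cookie as the trigger regardless of method is an assumption) are mine.

```python
"""
Detection helpers for the CVE-2009-4006 IOCs listed above. Added example,
not Serv-U, Metasploit or vendor rule code. Sample traffic is constructed.
"""
import re
from typing import Dict, Optional, Tuple

# From the IOC list: the public exploit sends 75,000+ hex characters. That is
# the exploit's padding, not a documented buffer size, so treat it as a
# ceiling and tune downward for your traffic.
SUSPICIOUS_HEX_LEN = 75_000

# First fixed release per the advisory text ("versions before 9.1.0.0").
FIXED_VERSION = (9, 1, 0, 0)

_HEX = frozenset("0123456789abcdefABCDEF")
_SESSION_RE = re.compile(r"(?:^|;\s*)Session=_([^;]*)")
_SERVER_RE = re.compile(r"^Serv-U/(\d+(?:\.\d+){0,3})", re.IGNORECASE)


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (request line, headers).

    Header names are lower-cased; repeated Cookie headers are rejoined with
    '; ' so a cookie split across headers still reaches the detector.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; ignore
        key, value = name.strip().lower(), value.strip()
        joiner = "; " if key == "cookie" else ", "
        headers[key] = headers[key] + joiner + value if key in headers else value
    return lines[0], headers


def session_cookie_alert(raw: bytes, threshold: int = SUSPICIOUS_HEX_LEN) -> Optional[Dict[str, object]]:
    """Return an alert record when the request carries a 'Session=_' cookie
    whose value is at least `threshold` characters long, otherwise None.

    Method-agnostic by design (assumption: the server decodes the cookie on
    any request; the POST in the IOC is the exploit's choice). Reports
    whether the value is pure hex so an analyst can weigh the match.
    """
    request_line, headers = parse_request(raw)
    match = _SESSION_RE.search(headers.get("cookie", ""))
    if not match:
        return None
    value = match.group(1).strip()
    if len(value) < threshold:
        return None
    return {
        "rule": "CVE-2009-4006 Serv-U oversized Session cookie",
        "method": request_line.split(" ", 1)[0].upper(),
        "cookie_len": len(value),
        "is_hex": all(c in _HEX for c in value),
    }


def parse_version(text: str) -> Tuple[int, ...]:
    """'9.1' -> (9, 1, 0, 0) so short banners compare like four-part ones."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


def server_is_vulnerable(server_header: str) -> Optional[bool]:
    """True/False for a Serv-U banner that carries a version; None when the
    banner is not Serv-U's or has no version (suppressed or rewritten)."""
    match = _SERVER_RE.match(server_header.strip())
    if not match:
        return None
    return parse_version(match.group(1)) < FIXED_VERSION


# Constructed sample traffic (not real captures). Hostname is a placeholder.
_HEAD = b"POST / HTTP/1.1\r\nHost: ftp.example.test\r\n"
BENIGN_REQUEST = _HEAD + b"Cookie: Session=_0123456789abcdef; lang=en\r\n\r\n"
# 40,000 x "a1" = 80,000 hex characters, modelled on the 75,000+ in the IOC.
MALICIOUS_REQUEST = _HEAD + b"Cookie: Session=_" + b"a1" * 40_000 + b"\r\n\r\n"


if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("malicious", MALICIOUS_REQUEST)):
        print(label, session_cookie_alert(req))
    for banner in ("Serv-U/9.0.0.5", "Serv-U/9.1.0.0", "nginx"):
        print(banner, server_is_vulnerable(banner))
```

Running the file prints the verdict for both samples and three banners. The banner check is a triage hint only: a suppressed or rewritten Server header yields None rather than a false "patched", and a host upgraded behind an unchanged banner would still be flagged, so confirm with the installed build. The length threshold is the exploit's padding, not the buffer size; lowering it catches trimmed variants at the cost of more false positives on legitimately large cookies.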
No detection rules found.
Exploit-DB
RhinoSoft Serv-U FTP Server - Session Cookie Buffer Overflow (Metasploit)
exploitdb · 2010-03-10 · CVE-2009-4006
---
##
# $Id: servu_session_cookie.rb 8762 2010-03-10 05:58:01Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Rhinosoft Serv-U Session Cookie Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in Rhinosoft Serv-U 9.0.0.5.
          Sending a specially crafted POST request with an overly long session cookie
          string, an attacker may be able to execute arbitrary code.
      },
      'Author'         =>
        [
          'Nikolas Rangos',
          'M.Yanagishita',
          'jduck'
        ],
      'License'        =>
Rhinosoft Serv-U Session Cookie Buffer Overflow
metasploit
Rhinosoft Serv-U Session Cookie Buffer Overflow
Rhinosoft Serv-U Session Cookie Buffer Overflow
This module exploits a buffer overflow in Rhinosoft Serv-U 9.0.0.5. Sending a specially crafted POST request with an overly long session cookie string, an attacker may be able to execute arbitrary code.
Talos
Rule release for today - January 27th 2009
blogs_talos · 2009-01-27 · CVSS 10.0
CVE-2008-4006 [CRITICAL] Rule release for today - January 27th 2009
Note: this Talos post concerns CVE-2008-4006 (Oracle Secure Backup command injection), not CVE-2009-4006. It is attached to this record only because of the similar identifier and contains nothing about Serv-U.
## Rule release for today - January 27th 2009
Large batch of Oracle vulnerabilities today. We've had to work through these carefully as details were pretty scant. Here's what we released:
Oracle Secure Backup Command Injection (CVE-2008-4006)
Oracle BPEL Injection (CVE-2008-4014)
Oracle Secure Backup Command Injection (CVE-2008-5440)
Oracle Secure Backup Buffer Overflow (CVE-2008-5444)
Oracle Secure Backup Command Injection (CVE-2008-5448)
Oracle Secure Backup Command Injection (CVE-2008-5449)
Oracle BEA WebLogic Denial of Service (CVE-2008-5457)
More details can be found here: http://www.snort.org/vrt/advisories/vrt-rules-2009-01-27.html
References
http://secunia.com/advisories/37228
http://secunia.com/secunia_research/2009-46/
http://www.osvdb.org/60427
http://www.securityfocus.com/archive/1/507955/100/0/threaded
http://www.securityfocus.com/bid/37051
http://www.securitytracker.com/id?1023199
http://www.serv-u.com/releasenotes/
http://www.vupen.com/english/advisories/2009/3277
https://exchange.xforce.ibmcloud.com/vulnerabilities/54322
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6142