CVE-2009-4265
published 2009-12-10

Priority P353
Severity: critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 31.39% (98.1th percentile)
Stack-based buffer overflow in Ideal Administration 2009 9.7.1, and possibly other versions, allows remote attackers to execute arbitrary code via a long Computer value in an .ipj project file.

Affected (1 range)

Vendor: pointdev
Product: ideal_administration_2009
Version range: -
Fixed in: -

Detection & IOCs (extracted from sources)

filename: unIDEAL.ipj
filename: msf.ipj
other: RET 0x10010F2E (CALL EBP in ListWmi.dll)
other: RET 0x7C9DBF33 (JMP ESP in SHELL32.DLL XPSP3)
other: RET 0x7c96bf33 (JMP ESP in ULMigration_us.dll)
other: RET 0x77f31d2f (JMP ESP)
bytes: 0D 0A 5B 45 6E 64 5D 0D 0A
  • Malicious .ipj file contains the pattern '[Group,Export,Yes]' header followed by an oversized 'Computer=' value (2420+ bytes) triggering a stack buffer overflow.
  • Bad characters for payload encoding in this exploit are: 0x00, 0x0a, 0x1a, 0x22, 0x3c, 0x3e — useful for tuning IDS/YARA rules to match encoded shellcode patterns in .ipj files.
  • EXITFUNC is set to 'seh' in all exploit variants, indicating SEH-based shellcode execution; monitor for SEH chain overwrites in processes loading ListWmi.dll or ULMigration_us.dll.
  • Stack adjustment of -3500 bytes is used in the exploit payload; anomalous large negative stack adjustments in the context of .ipj file parsing may indicate exploitation.
  • IDEAL Administration 10.5 is compiled with /SafeSEH, which mitigates the SEH-based exploitation path used by these exploits; detection rules targeting SEH overwrites may not fire on 10.5.
  • All versions of IDEAL Administration (v9.7 through v10.5) and IDEAL Migration (4.5 and 4.51) are considered vulnerable; version-based filtering alone is insufficient for detection.
  • The exploit is file-format/local in nature: it requires the victim to open a crafted .ipj project file via 'Migrate -> Open Migration Project'; there is no network-based attack vector.
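A defensive file check built from the indicators above, added here as an example and not taken from the vendor or from any exploit source. It flags .ipj content whose 'Computer=' value is oversized or carries non-printable bytes. The function name, the 255-byte limit (a host name cannot exceed a DNS name's length) and the two-field sample layout are assumptions; real project files may carry more fields.

```python
import re

# Assumption: a legitimate Computer value is a host name, so anything longer
# than a DNS name (255 bytes) is suspect. The page reports 2420+ byte values.
MAX_COMPUTER_LEN = 255
GROUP_HEADER = b"[Group,Export,Yes]"  # header named in the indicators above
END_MARKER = b"\r\n[End]\r\n"         # 0D 0A 5B 45 6E 64 5D 0D 0A from the page
COMPUTER_KEY = re.compile(rb"^\s*Computer\s*=(.*)$", re.IGNORECASE)


def scan_ipj(data: bytes, max_len: int = MAX_COMPUTER_LEN) -> list:
    """Return one finding per suspicious Computer= line in .ipj content."""
    findings = []
    # Split on LF only: the page lists 0x0a as a bad character but not 0x0d,
    # so a hostile value can contain CR bytes and must not be cut at them.
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        match = COMPUTER_KEY.match(raw.rstrip(b"\r"))
        if not match:
            continue
        value = match.group(1)
        reasons = []
        if len(value) > max_len:
            reasons.append("oversized")
        if any(b < 0x20 or b > 0x7E for b in value):
            reasons.append("non-printable")
        if reasons:
            findings.append({
                "line": lineno,
                "length": len(value),
                "reasons": reasons,
                # Context only: the header and trailer the page associates
                # with the malicious files.
                "group_header": GROUP_HEADER in data,
                "end_marker": data.endswith(END_MARKER),
            })
    return findings


def build_sample(computer: bytes) -> bytes:
    """Constructed sample content (not a real project file)."""
    return GROUP_HEADER + b"\r\nComputer=" + computer + END_MARKER


if __name__ == "__main__":
    for name, value in [("benign", b"FILESRV01"), ("oversized", b"A" * 2420)]:
        print(name, scan_ipj(build_sample(value)))
```

Run it over attachments, shares or download directories before a project file reaches a workstation; a finding is a reason to quarantine the file, whatever product version is installed.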