CVE-2009-4462
published 2009-12-30


Priority: P266
Severity: critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 19.86% (97.1th percentile)

Stack-based buffer overflow in the NetBiterConfig utility (NetBiterConfig.exe) 1.3.0 for Intellicom NetBiter WebSCADA allows remote attackers to execute arbitrary code via a long hn (hostname) parameter in a crafted HICP-protocol UDP packet.

Affected

1 range

Vendor     | Product        | Version range | Fixed in
intellicom | netbiterconfig |               |

Detection & IOCs (extracted from sources)

filename: NetBiterConfig.exe
port: 3250/UDP
command: protocol version = 1.10; fb type = EVIL-DEVICE; module version = 0.66.6; mac = 00-30-11-00-BA-CA; ip = 192.168.1.52; sn = 255.255.255.0; gw = 192.168.1.1; dhcp = off; pswd = off; hn = AAAA...0x60 bytes...; dns1 = 192.168.1.33;
filename: hicp.dll

  • Monitor for UDP packets on port 3250 containing an 'hn =' field with a hostname value exceeding 32 bytes (0x20), particularly payloads of 96 bytes (0x60) or more in the hn parameter, which triggers the stack overwrite in NetBiterConfig.exe.
  • Detect HICP-protocol UDP broadcast packets on port 3250 containing the string 'Module Scan' (network scan activity) or 'Configure:' prefix (configuration attempt), as these indicate active HICP protocol usage which is the attack vector.
  • The vulnerable strcpy call is at address 0x00403E60 in NetBiterConfig.exe 1.3.0; the destination buffer is at [ebp-0x3CCh] and the source (attacker-controlled hostname) is at [ebp-0xABh]. Use this for memory forensics or debugger-based detection.
  • The exploit is triggered client-side when the administrator double-clicks the list box item after receiving the malicious HICP response packet; detection should also cover the crafted UDP response spoofing a NetBiter device.
  • HICP packets originating from outside the local network segment targeting port 3250/UDP should be treated as suspicious, as the protocol is designed for LAN-only device configuration.
  • The default password for HICP-managed devices is 'admin', and the firmware contains hardcoded passwords, significantly lowering the bar for unauthorized configuration changes.
  • The vulnerability only affects NetBiterConfig.exe (uses strcpy); the related HMS AnybusIPconfig.exe tool is NOT vulnerable as it uses strncpy with an 0x80-byte bound.
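
The network checks from the list above, applied to a single UDP datagram, as an added example (not code from the page's sources or from the vendor). The 'key = value;' field layout is taken from the sample command above; the shape of the Configure message, the finding names and the 192.168.1.0/24 local segment are assumptions, and the sample payloads are constructed.

```python
import ipaddress

HICP_PORT = 3250      # UDP port named on the page
HN_SAFE_MAX = 0x20    # page: hn values longer than 32 bytes are suspect
HN_OVERFLOW = 0x60    # page: 96 bytes or more reaches the stack overwrite

# Constructed sample payloads (not captured traffic); filler bytes only.
SAMPLE_BENIGN = b"protocol version = 1.10; mac = 00-30-11-00-BA-CA; hn = plc-01; dhcp = off;"
SAMPLE_LONG_HN = b"protocol version = 1.10; hn = " + b"A" * 0x60 + b"; dns1 = 192.168.1.33;"

def parse_hicp(payload: bytes) -> dict:
    """Split 'key = value;' pairs. Layout assumed from the sample on the page;
    a value containing ';' would be cut short by this simple split."""
    text = payload.decode("latin-1")  # latin-1 maps every byte, never raises
    if text.startswith("Configure:"):
        text = text[len("Configure:"):]
    fields = {}
    for part in text.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            # Keep trailing bytes so padding still counts toward the length.
            fields[key.strip().lower()] = value.lstrip(" ")
    return fields

def inspect_datagram(src_ip, src_port, dst_port, payload, local_net="192.168.1.0/24"):
    """Return findings for one UDP datagram; local_net is a site-specific assumption."""
    if HICP_PORT not in (src_port, dst_port):
        return []
    findings = []
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(local_net):
        findings.append("hicp-from-outside-segment")
    if b"Module Scan" in payload:
        findings.append("hicp-module-scan")
    if payload.startswith(b"Configure:"):
        findings.append("hicp-configure")
    hn = parse_hicp(payload).get("hn")
    if hn is not None:
        if len(hn) >= HN_OVERFLOW:
            findings.append(f"hn-overflow-length:{len(hn)}")
        elif len(hn) > HN_SAFE_MAX:
            findings.append(f"hn-oversized:{len(hn)}")
    return findings

if __name__ == "__main__":
    print(inspect_datagram("192.168.1.52", 3250, 3250, SAMPLE_BENIGN))
    print(inspect_datagram("10.9.8.7", 3250, 3250, SAMPLE_LONG_HN))
```

The scan and configure findings only indicate HICP activity and are best correlated with the length and source checks rather than alerted on alone.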