CVE-2009-4462
Published: 2009-12-30
Priority: P2 (66) · critical · CVSS 2.0 base score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available (see the Exploit-DB entries below)
EPSS: 19.86% (97.1th percentile)
Stack-based buffer overflow in the NetBiterConfig utility (NetBiterConfig.exe) 1.3.0 for Intellicom NetBiter WebSCADA allows remote attackers to execute arbitrary code via a long hn (hostname) parameter in a crafted HICP-protocol UDP packet.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| intellicom | netbiterconfig | — | — |
Detection & IOCs (extracted from sources)
- Command/payload (HICP response format): `protocol version = 1.10; fb type = EVIL-DEVICE; module version = 0.66.6; mac = 00-30-11-00-BA-CA; ip = 192.168.1.52; sn = 255.255.255.0; gw = 192.168.1.1; dhcp = off; pswd = off; hn = AAAA...0x60 bytes...; dns1 = 192.168.1.33;`
- Monitor for UDP packets on port 3250 containing an 'hn =' field with a hostname value exceeding 32 bytes (0x20), particularly payloads of 96 bytes (0x60) or more in the hn parameter, which triggers the stack overwrite in NetBiterConfig.exe.
- Detect HICP-protocol UDP broadcast packets on port 3250 containing the string 'Module Scan' (network scan activity) or the 'Configure:' prefix (configuration attempt), as these indicate active HICP protocol usage, which is the attack vector.
- The vulnerable strcpy call is at address 0x00403E60 in NetBiterConfig.exe 1.3.0; the destination buffer is at [ebp-0x3CC] and the source (attacker-controlled hostname) is at [ebp-0xAB]. Use this for memory forensics or debugger-based detection.
- The exploit is triggered client-side when the administrator double-clicks the list box item after receiving the malicious HICP response packet; detection should also cover the crafted UDP response spoofing a NetBiter device.
- HICP packets originating from outside the local network segment and targeting port 3250/UDP should be treated as suspicious, as the protocol is designed for LAN-only device configuration.
- The default password for HICP-managed devices is 'admin', and the firmware contains hardcoded passwords, significantly lowering the bar for unauthorized configuration changes.
- The vulnerability only affects NetBiterConfig.exe (which uses strcpy); the related HMS AnybusIPconfig.exe tool is NOT vulnerable, as it uses strncpy with a 0x80-byte bound.
No detection rules found.
Exploit-DB · 2009-12-14
HMS HICP Protocol + Intellicom - 'NetBiterConfig.exe' Remote Buffer Overflow
---
More info
http://reversemode.com/index.php?option=com_content&task=view&id=65&Itemid=1
1st PART "HMS HICP Protocol"
AFAIK there is no public documentation about this protocol; if not so,
please let me know and I'll repeatedly hit myself with a sharpened
stick. All the information presented here has been obviously obtained by
reverse engineering.
Despite the fact that this protocol is not complex, I think it has a
potential interest regarding SCADA security. You'll see why.
HICP is intended to configure HMS's products that include ethernet/
capabilities, since they need a method for configuring Internal
IP, DHCP, NetworkMask, DNS, gateway.... In 2004 HMS released a free tool
named "Anybus IPconfig" which can b
Exploit-DB · 2009-12-14
Intellicom 1.3 - 'NetBiterConfig.exe Hostname' Data Remote Stack Buffer Overflow (PoC)
---
#!/usr/bin/python
#
#source: https://www.securityfocus.com/bid/37325/info
#
#Intellicom 'NetBiterConfig.exe' is prone to a remote stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
#
#Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
#
# Intellicom NetBiterConfig.exe 1.3.0 Remote Stack Overwrite.
# Ruben Santamarta - www.reversemode.com
# For research purposes ONLY.
# If you use this code to cause damage I’ll cut you open like a f***ing pig.
import sys
import socket
s = socket.socket(socket.A
No writeups or analysis indexed.
References
- http://blog.48bits.com/2009/12/12/exposing-hms-hicp-protocol-0day-light/
- http://reversemode.com/index.php?option=com_content&task=view&id=65&Itemid=1
- http://support.intellicom.se/getfile.cfm?FID=150&FPID=85
- http://www.kb.cert.org/vuls/id/181737
- http://www.securityfocus.com/archive/1/508449/100/0/threaded
- http://www.securityfocus.com/bid/37325
- http://www.vupen.com/english/advisories/2009/3542