CVE-2009-4769
published 2010-04-20


Priority: P265
Severity: critical, CVSS 2.0 base score 9.3 (vector AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: yes (record carries the EXPLOIT tag)
EPSS: 37.90% (98.4th percentile)
Multiple format string vulnerabilities in the tolog function in httpdx 1.4, 1.4.5, 1.4.6, 1.4.6b, and 1.5 allow (1) remote attackers to execute arbitrary code via format string specifiers in a GET request to the HTTP server component when logging is enabled, and allow (2) remote authenticated users to execute arbitrary code via format string specifiers in a PWD command to the FTP server component.

Affected (5 ranges)

Vendor: jasper
Product: httpdx
Version range / Fixed in: the five version-range and fixed-in cells did not survive extraction; the description above lists 1.4, 1.4.5, 1.4.6, 1.4.6b and 1.5 as affected.

Detection & IOCs (extracted from sources)

IOC (command): PWD <format_string_specifiers>
  • Detect format string specifiers (e.g., %n, %x, %s) in HTTP GET request URIs targeting httpdx HTTP server when logging is enabled — the vulnerable path is logged via tolog() in http.cpp.
  • Detect format string specifiers in FTP PWD commands sent to httpdx FTP server; the command string is passed unsanitized to tolog() via snprintf in ftp.cpp.
  • Fingerprint vulnerable httpdx versions by matching the HTTP/FTP banner pattern 'httpdx/<version> (Win32)'; versions 1.4, 1.4.5, 1.4.6, 1.4.6b, and 1.5 are confirmed vulnerable.
  • Monitor FTP logins using the default credential pair 'moderator'/'pass123' against httpdx FTP service on port 21, as logging is enabled by default for this user, making it the primary exploitation vector.
  • In HTTP exploitation, an empty Host header is used to maximize buffer space; alert on HTTP GET requests with an empty Host header containing format specifiers in the URI.
  • The exploit uses an egghunter shellcode technique; look for repeated egg marker patterns in network traffic or memory when investigating httpdx compromise.
  • Bad characters for the HTTP exploit payload include null byte, LF, CR, %, /, ?, and backslash — format string payloads in URIs will avoid these characters; detection should account for URL-encoded variants (%25 for %, %20 for space).
  • HTTP logging is OFF by default in httpdx; the HTTP attack vector only works if logging has been explicitly enabled by the administrator.
  • FTP exploitation requires authentication as the 'moderator' user (default password 'pass123'); the vulnerability is triggered via the PWD command after login.
  • The hardcoded ROP/write addresses (Writable: 0x64f87810, FlowHook: 0x64f870e8) are specific to core.dll on Windows XP SP3 English; exploitation on other OS versions or service packs will require different offsets.
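The detection points above (format specifiers in HTTP GET URIs and in FTP PWD arguments, URL-encoded variants such as %25 for %, the empty Host header, and the 'httpdx/<version> (Win32)' banner) can be turned into a small log scanner. The following is an added example written for this page, not code from the CVE record or from httpdx; the HTTP and FTP log layouts, the field names and the sample lines are constructed assumptions, since httpdx's real log format is not given here.

```python
"""Flag CVE-2009-4769 style format-string probes in constructed httpdx HTTP/FTP logs."""
import re
from urllib.parse import unquote

# Versions the record lists as vulnerable; nothing else is treated as confirmed.
VULNERABLE_VERSIONS = {"1.4", "1.4.5", "1.4.6", "1.4.6b", "1.5"}
BANNER_RE = re.compile(r"httpdx/(?P<version>[0-9][0-9A-Za-z.]*) \(Win32\)")

# printf-style conversion specifier: flags, width, precision, length modifier, conversion.
# %n is included because it is the specifier that turns a logging bug into a memory write.
FORMAT_SPEC_RE = re.compile(
    r"%[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?(?:hh|h|ll|l|L|j|z|t)?[diouxXeEfFgGaAcspn]"
)

# Assumed (hypothetical) log layouts; adapt the two regexes to the real logger's output.
HTTP_LOG_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" host="(?P<host>[^"]*)"$'
)
FTP_LOG_RE = re.compile(r"^(?P<src>\S+) (?P<user>\S+) (?P<cmd>[A-Z]{3,4})(?: (?P<arg>.+))?$")


def is_vulnerable_banner(banner):
    """True only for the exact versions the record confirms as vulnerable."""
    m = BANNER_RE.search(banner)
    return bool(m) and m.group("version") in VULNERABLE_VERSIONS


def find_format_specifiers(text):
    """Return printf specifiers found after one round of URL-decoding, so the
    encoded form %25n (= %n) is caught as well as a raw %n."""
    return FORMAT_SPEC_RE.findall(unquote(text))


def classify(specs):
    """%n allows arbitrary writes (code execution); other specifiers leak or crash."""
    return "critical" if any(s.endswith("n") for s in specs) else "high"


def inspect_http(line):
    m = HTTP_LOG_RE.match(line)
    if not m:
        return None
    specs = find_format_specifiers(m.group("uri"))
    if not specs:
        return None
    return {
        "proto": "http", "src": m.group("src"), "specifiers": specs,
        "severity": classify(specs),
        # The record notes an empty Host header in the HTTP vector; corroborating signal.
        "empty_host": m.group("host") == "",
    }


def inspect_ftp(line):
    m = FTP_LOG_RE.match(line)
    if not m or m.group("arg") is None:   # PWD normally carries no argument at all
        return None
    specs = find_format_specifiers(m.group("arg"))
    if not specs:
        return None
    return {"proto": "ftp", "src": m.group("src"), "user": m.group("user"),
            "command": m.group("cmd"), "specifiers": specs, "severity": classify(specs)}


def scan(lines):
    """Run both inspectors over a list of log lines and collect the alerts."""
    alerts = []
    for line in lines:
        alert = inspect_http(line) or inspect_ftp(line)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample lines, not captured traffic.
SAMPLE_LOGS = [
    '10.0.0.5 "GET /index.html HTTP/1.1" host="intranet.example"',
    '10.0.0.5 "GET /search?q=100%25 HTTP/1.1" host="intranet.example"',  # lone %, no specifier
    '10.0.0.7 "GET /%25x%25x%25n HTTP/1.1" host=""',                     # encoded %x%x%n, empty Host
    "10.0.0.7 moderator USER moderator",
    "10.0.0.7 moderator PWD",
    "10.0.0.7 moderator PWD %s%s%n",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
    print("banner vulnerable:", is_vulnerable_banner("httpdx/1.5 (Win32)"))
```

The single decode pass matters: the record lists % among the characters an HTTP payload must avoid in the raw URI, so a probe arrives URL-encoded, and a detector that matches only literal specifiers misses it. The severity split follows the record's own distinction: %n gives a write primitive, the rest read or crash.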