CVE-2009-4769
Published 2010-04-20
Priority: P2 (65) · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 37.90% (98.4th percentile)
Multiple format string vulnerabilities in the tolog function in httpdx 1.4, 1.4.5, 1.4.6, 1.4.6b, and 1.5 allow (1) remote attackers to execute arbitrary code via format string specifiers in a GET request to the HTTP server component when logging is enabled, and allow (2) remote authenticated users to execute arbitrary code via format string specifiers in a PWD command to the FTP server component.
Affected
5 ranges (versions taken from the CVE description; the source lists no fixed version)
| Vendor | Product | Version | Fixed in |
|---|---|---|---|
| jasper | httpdx | 1.4 | — |
| jasper | httpdx | 1.4.5 | — |
| jasper | httpdx | 1.4.6 | — |
| jasper | httpdx | 1.4.6b | — |
| jasper | httpdx | 1.5 | — |
Detection & IOCs (extracted from sources)
Detection:
- Detect format string specifiers (e.g. %n, %x, %s) in HTTP GET request URIs sent to the httpdx HTTP server; the request path is logged via tolog() in http.cpp, so this vector only works when HTTP logging is enabled.
- Detect format string specifiers in FTP PWD commands sent to the httpdx FTP server; the command string is passed unsanitized to tolog() via snprintf in ftp.cpp.
- Fingerprint vulnerable httpdx versions by matching the HTTP/FTP banner pattern 'httpdx/<version> (Win32)'; versions 1.4, 1.4.5, 1.4.6, 1.4.6b and 1.5 are confirmed vulnerable.
- Monitor FTP logins with the default credential pair 'moderator'/'pass123' against the httpdx FTP service on port 21; logging is enabled by default for this user, which makes it the primary exploitation vector.
- The HTTP exploit sends an empty Host header to maximise buffer space; alert on HTTP GET requests that combine an empty Host header with format specifiers in the URI.
- The exploit uses an egghunter shellcode technique; look for repeated egg marker patterns in network traffic or memory when investigating an httpdx compromise.
- Bad characters for the HTTP exploit payload include the null byte, LF, CR, %, /, ? and backslash, so the shellcode portion of the payload avoids them, while the format specifiers themselves still have to appear in the URI; detection should account for URL-encoded variants (%25 for %, %20 for space).
Caveats:
- HTTP logging is OFF by default in httpdx; the HTTP attack vector only works if logging has been explicitly enabled by the administrator.
- FTP exploitation requires authentication as the 'moderator' user (default password 'pass123'); the vulnerability is triggered via the PWD command after login.
- The hardcoded ROP/write addresses (Writable: 0x64f87810, FlowHook: 0x64f870e8) are specific to core.dll on Windows XP SP3 English; exploitation on other OS versions or service packs will require different offsets.
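The detection points above, turned into a small wire-level checker (an added example, not code from the page, from httpdx or from the Metasploit modules). It flags printf-style conversions in a GET request-target (raw and after one round of percent-decoding, so %25n is caught), notes the empty Host header tell, flags a PWD command that carries an argument, and matches the 'httpdx/<version> (Win32)' banner against the versions the CVE names. The sample requests, commands and banners are constructed, and the function names are this example's own.

```python
import re
from urllib.parse import unquote

# Versions the CVE description lists as vulnerable.
VULNERABLE_VERSIONS = {"1.4", "1.4.5", "1.4.6", "1.4.6b", "1.5"}

# Banner pattern from the IOC list: 'httpdx/<version> (Win32)'.
BANNER_RE = re.compile(r"httpdx/(\S+) \(Win32\)")

# A printf-style conversion: flags, width, precision, length modifier, conversion letter.
# "%%" is an escaped percent and is removed before scanning so it cannot match.
FMT_SPEC_RE = re.compile(
    r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|z|j|t)?[diouxXeEfFgGaAcspn]"
)


def has_format_specifiers(text):
    """True if text contains at least one real printf conversion (%n, %x, %s, ...)."""
    return FMT_SPEC_RE.search(text.replace("%%", "")) is not None


def parse_http_request(raw):
    """Split a raw HTTP request into (method, request-target, {lower-case header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def check_http_request(raw):
    """Findings for the HTTP vector: specifiers in a GET target, plus the empty-Host tell."""
    method, target, headers = parse_http_request(raw)
    findings = []
    if method != "GET":
        return findings
    # Scan the raw target and one percent-decode of it, so "%25n" (-> "%n") is caught too.
    if has_format_specifiers(target) or has_format_specifiers(unquote(target)):
        findings.append("format specifiers in GET request-target")
        # The exploit sends an empty Host header to maximise buffer space.
        if "host" in headers and headers["host"] == "":
            findings.append("empty Host header")
    return findings


def check_ftp_command(line):
    """Findings for the FTP vector: PWD takes no argument per RFC 959, so any argument is odd."""
    verb, _, arg = line.strip().partition(" ")
    findings = []
    if verb.upper() == "PWD" and arg:
        findings.append("PWD carries an argument")
        if has_format_specifiers(arg):
            findings.append("format specifiers in FTP PWD argument")
    return findings


def banner_lists_vulnerable_version(banner):
    """True if the banner advertises one of the versions the CVE names."""
    match = BANNER_RE.search(banner)
    return match is not None and match.group(1) in VULNERABLE_VERSIONS


# Constructed sample traffic (not captured from a real host).
SAMPLE_HTTP_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",        # benign
    "GET /report%20Q1.html HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",  # benign percent-encoding
    "GET /%n%n%n%n HTTP/1.1\r\nHost: \r\n\r\n",                    # raw specifiers, empty Host
    "GET /%25x%25x%25n HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",      # encoded specifiers
]
SAMPLE_FTP_COMMANDS = ["USER moderator", "PASS pass123", "PWD", "PWD %x%x%x%n"]
SAMPLE_BANNERS = ["220 httpdx/1.4.6b (Win32)", "220 httpdx/2.0 (Win32)", "220 ProFTPD 1.3.3"]

if __name__ == "__main__":
    for req in SAMPLE_HTTP_REQUESTS:
        print(req.split("\r\n")[0], "->", check_http_request(req))
    for cmd in SAMPLE_FTP_COMMANDS:
        print(cmd, "->", check_ftp_command(cmd))
    for banner in SAMPLE_BANNERS:
        print(banner, "->", banner_lists_vulnerable_version(banner))
```

Two limits worth keeping in mind: nothing on the wire tells the checker whether HTTP logging is enabled on the target, so an HTTP hit means an attempt, not a confirmed trigger; and the percent-decode is a single pass, so a double-encoded target (%2525n) needs another round of unquote() before it is caught.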
No detection rules found.
Exploit-DB
httpdx - 'tolog()' Format String (Metasploit) (2) · exploitdb · 2010-08-25 · CVE-2009-4769
---
##
# $Id: httpdx_tolog_format.rb 10150 2010-08-25 20:55:37Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
	# (the mixin includes and the start of initialize() are not in the page excerpt)
			'Name'           => 'HTTPDX tolog() Function Format String Vulnerability',
			'Description'    => %q{
					This module exploits a format string vulnerability in HTTPDX HTTP server.
					By sending a specially crafted HTTP request containing format specifiers, an
					attacker can corrupt memory and execute arbitrary code.
					By default logging is off for HTTP, but enabled for the 'moderator' user
					via FTP.
			},
			'Author'
Exploit-DB
httpdx - 'tolog()' Format String (Metasploit) (1) · exploitdb · 2010-08-25 · CVE-2009-4769
---
##
# $Id: httpdx_tolog_format.rb 10150 2010-08-25 20:55:37Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
	# (the mixin includes and the start of initialize() are not in the page excerpt)
			'Name'           => 'HTTPDX tolog() Function Format String Vulnerability',
			'Description'    => %q{
					This module exploits a format string vulnerability in HTTPDX FTP server.
					By sending a specially crafted FTP command containing format specifiers, an
					attacker can corrupt memory and execute arbitrary code.
					By default logging is off for HTTP, but enabled for the 'moderator' user
					via FTP.
			},
			'Author'
Metasploit
HTTPDX tolog() Function Format String Vulnerability (exploits/windows/ftp/httpdx_tolog_format.rb)
This module exploits a format string vulnerability in HTTPDX FTP server. By sending a specially crafted FTP command containing format specifiers, an attacker can corrupt memory and execute arbitrary code. By default logging is off for HTTP, but enabled for the 'moderator' user via FTP.
HTTPDX tolog() Function Format String Vulnerability (exploits/windows/http/httpdx_tolog_format.rb)
This module exploits a format string vulnerability in HTTPDX HTTP server. By sending a specially crafted HTTP request containing format specifiers, an attacker can corrupt memory and execute arbitrary code. By default logging is off for HTTP, but enabled for the 'moderator' user via FTP.
No writeups or analysis indexed.
References
- http://osvdb.org/60181
- http://osvdb.org/60182
- http://www.metasploit.com/redmine/projects/framework/repository/revisions/7569/entry/modules/exploits/windows/ftp/httpdx_tolog_format.rb
- http://www.metasploit.com/redmine/projects/framework/repository/revisions/7569/entry/modules/exploits/windows/http/httpdx_tolog_format.rb
- http://www.vupen.com/english/advisories/2009/3312