CVE-2009-4873
published 2010-05-26


Priority: P267 · Severity: critical · CVSS 2.0 base score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 20.55% (97.2th percentile)
Stack-based buffer overflow in the HTTP server in Rhino Software Serv-U Web Client 9.0.0.5 allows remote attackers to cause a denial of service (server crash) or execute arbitrary code via a long Session cookie.

Affected (1 range)

Vendor      Product   Version range   Fixed in
rhinosoft   serv-u    (none given)    (none given)

Detection & IOCs (extracted from sources)

cookie: Session=_d838591b3a6257b0111138e6ca76c2c2409fb287b1473aa463db7f202caa09361bd7f8948c8d1adf4bd4f6c1c198eb950754581406246bf8<oversized payload>
command: POST / HTTP/1.1 with oversized Session cookie (~100000 bytes)
version: Serv-U WebClient 9.0.0.5
process: Serv-U.exe
  • Detect HTTP POST requests to port 80 containing a 'Session' cookie value exceeding normal length (e.g., >1000 bytes), specifically prefixed with '_d838591b3a6257b0111138e6ca76c2c2409fb287b1473aa463db7f202caa09361bd7f8948c8d1adf4bd4f6c1c198eb9507545814'.
  • Alert on HTTP POST requests where the Cookie header contains both 'killmenothing' and an oversized 'Session=' field — this exact combination appears in both public exploit PoCs.
  • Monitor for the ROP gadget address 0x961ea378 (pop esi + ret from mfc90u.dll) in HTTP POST body payloads, used for DEP bypass on Windows 2003 R2 SP2.
  • Monitor for the ROP gadget address 0x4928b00f (add esp, 0x??? + ret) embedded within the Session cookie payload at offset (41000-62)*2+20.
  • Detect infinite loop shellcode stub 0xebfe (JMP $-2) embedded in HTTP POST payloads at offset 48 within the Session cookie field.
  • Flag HTTP POST requests with Content-Type 'multipart/form-data' and Content-Length of 0 combined with an abnormally large Cookie header — this is the exact request structure used by both PoC exploits.
  • The exploit targets port 80 (HTTP) specifically; if the Serv-U WebClient is configured on a non-standard port, detection rules must be adjusted accordingly.
  • The DEP bypass ROP chain (mfc90u.dll gadgets) is specific to Windows Server 2003 R2 SP2 fully patched; the exploit may behave differently or fail on other OS versions.
  • The recommended workaround is to disable the WebClient Service entirely and rely on FTP/SFTP components only, which eliminates the HTTP attack surface.
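The cookie-length and request-shape rules above, turned into a small detector that can be run over raw HTTP requests. This is an added example, not code from the CVE record or its sources; the Session-length threshold (1000 bytes), the known prefix and the killmenothing / multipart markers come from the notes above, while the 4096-byte Cookie header limit and the sample requests are constructed assumptions.

```python
# Thresholds and markers come from the detection notes above; the Cookie header
# size limit is an assumption, since "abnormally large" is not quantified there.
SESSION_LEN_THRESHOLD = 1000
COOKIE_LEN_THRESHOLD = 4096
KNOWN_PREFIX = "_d838591b3a6257b0111138e6ca76c2c2409fb287b1473aa463db7f202caa09361bd7f8948c8d1adf4bd4f6c1c198eb9507545814"

def parse_request(raw):
    """Return the request line under '_request' plus lower-cased header names -> values."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {"_request": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_cookies(cookie_header):
    """Split 'a=1; b=2' into a dict; values are kept verbatim."""
    cookies = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies

def detect(raw):
    """Return the names of every rule a POST request trips (empty list = clean)."""
    h = parse_request(raw)
    hits = []
    if not h["_request"].startswith("POST "):
        return hits
    cookie_hdr = h.get("cookie", "")
    session = parse_cookies(cookie_hdr).get("Session", "")
    oversized = len(session) > SESSION_LEN_THRESHOLD
    if oversized:
        hits.append("oversized_session_cookie")
    if oversized and session.startswith(KNOWN_PREFIX):
        hits.append("known_poc_prefix")
    if oversized and "killmenothing" in cookie_hdr:
        hits.append("killmenothing_with_oversized_session")
    if (h.get("content-type", "").startswith("multipart/form-data")
            and h.get("content-length") == "0" and len(cookie_hdr) > COOKIE_LEN_THRESHOLD):
        hits.append("empty_multipart_with_huge_cookie")
    return hits

# Constructed sample requests, not captured traffic.
BENIGN = ("POST / HTTP/1.1\r\nHost: srv\r\nCookie: Session=abc123; killmenothing=1\r\n"
          "Content-Type: multipart/form-data\r\nContent-Length: 0\r\n\r\n")
SUSPECT = ("POST / HTTP/1.1\r\nHost: srv\r\nCookie: killmenothing=1; Session=" + KNOWN_PREFIX
           + "A" * 5000 + "\r\nContent-Type: multipart/form-data\r\nContent-Length: 0\r\n\r\n")
```

If the WebClient listens on a non-standard port, feed the detector whatever proxy or IDS capture covers that port; it keys on the request itself, not the port.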