CVE-2009-3699

IBM VIOS < 2.1.0 and AIX 5.x-6.1.3 - Remote Code Execution via Long XDR String in rpc.cmsd


Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-3699. PoCs were published by Metasploit, Rodrigo Rubira Branco (BSDaemon) and jduck, including the Metasploit module exploits/aix/rpc_cmsd_opcode21.

AI-analyzed exploit summary: This Metasploit module exploits a stack-based buffer overflow in the AIX Calendar Manager Service Daemon (rpc.cmsd) via opcode 21. It achieves arbitrary code execution by sending a maliciously crafted RPC request with an overly long string to the 'rtable_create' function.

Description

Stack-based buffer overflow in libcsa.a (aka the calendar daemon library) in IBM AIX 5.x through 5.3.10 and 6.x through 6.1.3, and VIOS 2.1 and earlier, allows remote attackers to execute arbitrary code via a long XDR string in the first argument to procedure 21 of rpc.cmsd.

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · dos · aix
https://www.exploit-db.com/exploits/16929

This Metasploit module exploits a stack-based buffer overflow in the AIX Calendar Manager Service Daemon (rpc.cmsd) via opcode 21. It achieves arbitrary code execution by sending a maliciously crafted RPC request with an overly long string to the 'rtable_create' function.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: IBM AIX Calendar Manager Service Daemon (rpc.cmsd) on AIX 5.1
No auth needed
Prerequisites: Network access to the target system · rpc.cmsd service running on the target
devstral-2 · analyzed Feb 16, 2026

metasploit · WORKING POC · GREAT
by Rodrigo Rubira Branco (BSDaemon), jduck · ruby · poc · aix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/aix/rpc_cmsd_opcode21.rb

This Metasploit module exploits a stack-based buffer overflow in the AIX Calendar Manager Service Daemon (rpc.cmsd) via opcode 21, leading to arbitrary code execution. It uses a brute-force approach to bypass memory randomization and includes heap spraying to address PowerPC cache issues.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Racy
Target: IBM AIX Calendar Manager Service Daemon (rpc.cmsd) on AIX 5.1
No auth needed
Prerequisites: Network access to the target system · rpc.cmsd service running on UDP port 100068
devstral-2 · analyzed Feb 16, 2026

References (18)

Core References
Patch, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/2846
Various Sources vendor-advisory x_refsource_aixapar
http://www.ibm.com/support/docview.wss?uid=isg1IZ62237
Various Sources vendor-advisory x_refsource_aixapar
http://www.ibm.com/support/docview.wss?uid=isg1IZ62570
Various Sources vendor-advisory x_refsource_aixapar
http://www.ibm.com/support/docview.wss?uid=isg1IZ61628
Patch third-party-advisory x_refsource_idefense
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=825
Various Sources vendor-advisory x_refsource_aixapar
http://www.ibm.com/support/docview.wss?uid=isg1IZ62569
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/53681
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1022996
Various Sources vendor-advisory x_refsource_aixapar
http://www.ibm.com/support/docview.wss?uid=isg1IZ62571
Various Sources vendor-advisory x_refsource_aixapar
http://www.ibm.com/support/docview.wss?uid=isg1IZ62123
Various Sources vendor-advisory x_refsource_aixapar
http://www.ibm.com/support/docview.wss?uid=isg1IZ62672
Vendor Advisory vendor-advisory x_refsource_aixapar
http://www.ibm.com/support/docview.wss?uid=isg1IZ62572
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36978
Various Sources vendor-advisory x_refsource_aixapar
http://www.ibm.com/support/docview.wss?uid=isg1IZ61717
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/58726
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/36615

Scores

EPSS: 0.6209
EPSS Percentile: 99.1%

Details

CWE: CWE-119
Status: published
Products (30)
ibm/aix 5
ibm/aix 5.1
ibm/aix 5.1.0.10
ibm/aix 5.1l
ibm/aix 5.2
ibm/aix 5.2.0
ibm/aix 5.2.0.50
ibm/aix 5.2.0.54
ibm/aix 5.2.2
ibm/aix 5.2_l
... and 20 more
Published Oct 15, 2009
Tracked Since Feb 18, 2026