CVE-2005-0478
published 2005-03-30


Priority: P3 · 42 · medium
CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploit: available
EPSS: 65.36% (99.2th percentile)
Multiple buffer overflows in TrackerCam 5.12 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) an HTTP request with a long User-Agent header or (2) a long argument to an arbitrary PHP script.

Affected (1 range)

Vendor      Product     Version range   Fixed in
trackercam  trackercam  <= 5.12         not listed

Detection & IOCs (extracted from sources)

port: 8090
url: /tuner/ComGetLogFile.php3
url: /tuner/TunerGuide.php3
path: /tuner/ComGetLogFile.php3?fn=../HTTPRoot/socket.php3
command: GET /tuner/TunerGuide.php3?userID=<8192-byte overflow buffer with SEH payload at offset 257>
other: Return address Windows 2000 English: 0x75022ac4 (ws2help.dll)
other: Return address Windows XP English SP0/SP1: 0x71aa32ad (ws2help.dll)
other: Return address Windows NT 4.0 SP4/SP5/SP6: 0x77681799 (ws2help.dll)
process: EyeWD.exe
bytes: BadChars: \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c
  • Detect directory traversal probe to /tuner/ComGetLogFile.php3 with fn= parameter containing '../' sequences — used by attacker to fingerprint the installation and read arbitrary files (e.g., boot.ini).
  • Detect HTTP requests to /tuner/TunerGuide.php3 with an oversized userID parameter (>257 bytes) as the exploit trigger for the stack buffer overflow.
  • Check response body for 'fsockopen' string when querying ComGetLogFile.php3 — this is the exploit's own vulnerability confirmation check.
  • The exploit uses an SEH (Structured Exception Handler) overwrite at offset 257 within an 8192-byte buffer; alert on anomalously large GET query strings to TrackerCam PHP endpoints on port 8090.
  • The overflow also applies to a long User-Agent header in HTTP requests to TrackerCam 5.12 and earlier; monitor for abnormally long User-Agent strings targeting port 8090.
  • Windows XP SP2 and Windows 2003 are explicitly NOT supported by the Metasploit module; no reliable return address is available for those targets.
  • CPS.dll is excluded as a return address source because its base address shifts between process instances (ASLR-like behaviour).
  • The directory traversal fingerprinting step requires TrackerCam to be installed on the C: drive; non-C: installations cannot be fingerprinted by this module.
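The three request patterns in the detection list above (traversal probe against ComGetLogFile.php3, oversized userID to TunerGuide.php3, abnormally long User-Agent on port 8090) as a log-side detector. This is an added example, not code from the CVE record, TrackerCam or the Metasploit module; the 512-byte User-Agent cut-off and the sample requests are assumptions constructed for the example, while the 257-byte userID threshold comes from the record.

```python
from urllib.parse import urlsplit, parse_qs, unquote

USERID_MAX = 257   # from the record: SEH overwrite sits at offset 257
UA_MAX = 512       # assumed cut-off for an "abnormally long" User-Agent

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target = request_line.split(" ")[:2]
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def classify_request(raw, dst_port=8090):
    """Return the alert names that fire for one request to TrackerCam."""
    if dst_port != 8090:
        return []              # the record ties every pattern to port 8090
    method, target, headers = parse_request(raw)
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    qs = parse_qs(parts.query, keep_blank_values=True)  # values are decoded
    alerts = []
    if path == "/tuner/comgetlogfile.php3" and any(
            "../" in v.replace("\\", "/") for v in qs.get("fn", [])):
        alerts.append("traversal-probe")
    if path == "/tuner/tunerguide.php3" and any(
            len(v) > USERID_MAX for v in qs.get("userID", [])):
        alerts.append("userid-overflow")
    if len(headers.get("user-agent", "")) > UA_MAX:
        alerts.append("long-user-agent")
    return alerts

# Constructed sample traffic for the example (not captured from a real host).
SAMPLES = [
    "GET /tuner/ComGetLogFile.php3?fn=../HTTPRoot/socket.php3 HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.0\r\n\r\n",
    "GET /tuner/TunerGuide.php3?userID=" + "A" * 300 + " HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.0\r\n\r\n",
    "GET /tuner/TunerGuide.php3?userID=alice HTTP/1.0\r\n"
    "User-Agent: " + "B" * 600 + "\r\n\r\n",
    "GET /tuner/TunerGuide.php3?userID=alice HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.0\r\n\r\n",
]

def scan(samples=SAMPLES):
    """Classify every sample; returns one alert list per request."""
    return [classify_request(s) for s in samples]
```

Because parse_qs decodes percent-encoding before the length check, an attacker cannot hide an oversized userID behind encoding; the same decoded value is what the PHP script would receive.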