CVE-2005-0478
Published 2005-03-30
Priority P3 · 42 · medium · 5 · CVSS 2.0
AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 65.36% (99.2th percentile)
Multiple buffer overflows in TrackerCam 5.12 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) an HTTP request with a long User-Agent header or (2) a long argument to an arbitrary PHP script.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trackercam | trackercam | <= 5.12 | — |
Detection & IOCs (extracted from sources)
command: GET /tuner/TunerGuide.php3?userID=<8192-byte overflow buffer with SEH payload at offset 257>
bytes: BadChars: \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c
- Detect directory traversal probe to /tuner/ComGetLogFile.php3 with fn= parameter containing '../' sequences — used by attacker to fingerprint the installation and read arbitrary files (e.g., boot.ini).
- Detect HTTP requests to /tuner/TunerGuide.php3 with an oversized userID parameter (>257 bytes) as the exploit trigger for the stack buffer overflow.
- Check response body for 'fsockopen' string when querying ComGetLogFile.php3 — this is the exploit's own vulnerability confirmation check.
- The exploit uses an SEH (Structured Exception Handler) overwrite at offset 257 within an 8192-byte buffer; alert on anomalously large GET query strings to TrackerCam PHP endpoints on port 8090.
- The overflow also applies to a long User-Agent header in HTTP requests to TrackerCam 5.12 and earlier; monitor for abnormally long User-Agent strings targeting port 8090.
- Windows XP SP2 and Windows 2003 are explicitly NOT supported by the Metasploit module; no reliable return address is available for those targets.
- CPS.dll is excluded as a return address source because its base address shifts between process instances (ASLR-like behaviour).
- The directory traversal fingerprinting step requires TrackerCam to be installed on the C: drive; non-C: installations cannot be fingerprinted by this module.
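The detection notes above, written as a check over access-log lines. This is an added example, not a rule from the original page or from any project it cites. It assumes combined-format logs from a proxy or sensor in front of the TrackerCam port; the User-Agent and generic-argument thresholds are assumptions, since the page only gives the 257-byte figure for userID.

```python
import re
from urllib.parse import urlsplit, parse_qsl

USERID_MAX = 257   # from the page: alert on userID longer than 257 bytes
UA_MAX = 512       # assumption: the page gives no User-Agent threshold
ARG_MAX = 1024     # assumption: cut-off for "a long argument" to any script

# Request line and User-Agent fields of a combined-format access log entry.
LOG_RE = re.compile(
    r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def classify(line):
    """Return the CVE-2005-0478 related findings for one access-log line."""
    m = LOG_RE.search(line)
    if not m:
        return []
    findings = []
    if len(m["ua"]) > UA_MAX:
        findings.append("long-user-agent")
    url = urlsplit(m["target"])
    path = url.path.lower()
    if not (path.startswith("/tuner/") and path.endswith(".php3")):
        return findings
    # parse_qsl percent-decodes, so ..%2F is seen as ../ and lengths are
    # measured on the decoded value the server-side script would receive.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if (path == "/tuner/tunerguide.php3" and name.lower() == "userid"
                and len(value) > USERID_MAX):
            findings.append("oversized-userid")
        elif len(value) > ARG_MAX:
            findings.append("long-php-argument")
        if (path == "/tuner/comgetlogfile.php3" and name.lower() == "fn"
                and re.search(r"\.\.[/\\]", value)):
            findings.append("traversal-probe")
    return findings

# Constructed sample entries (not captured traffic); 192.0.2.0/24 is a
# documentation address range and the long values are plain filler.
PFX = '192.0.2.66 - - [01/Jan/2005:10:00:00 +0000] '
SAMPLE = [
    PFX + '"GET /tuner/TunerGuide.php3?userID=alice HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    PFX + '"GET /tuner/ComGetLogFile.php3?fn=..%2F..%2Fboot.ini HTTP/1.0" 200 211 "-" "Mozilla/4.0"',
    PFX + '"GET /tuner/TunerGuide.php3?userID=' + "A" * 300 + ' HTTP/1.0" 500 0 "-" "Mozilla/4.0"',
    PFX + '"GET / HTTP/1.0" 200 100 "-" "' + "B" * 600 + '"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry) or "clean", "<-", entry[:90])
```

A traversal probe followed by an oversized userID from the same source matches the two-step sequence the notes describe, so correlating the two findings per client is a stronger signal than either alone.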
No detection rules found.
Exploit-DB
TrackerCam - PHP Argument Buffer Overflow (Metasploit)
exploitdb · 2010-05-09
---
##
# $Id: trackercam_phparg_overflow.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'TrackerCam PHP Argument Buffer Overflow',
'Description' => %q{
This module exploits a simple stack buffer overflow in the
TrackerCam web server. All current versions of this software
are vulnerable to a large number of security issues. This
module abuses the directory traversal flaw to gain
information about the system and then uses the PHP overflow
to execute ar
Metasploit
TrackerCam PHP Argument Buffer Overflow
metasploit
This module exploits a simple stack buffer overflow in the TrackerCam web server. All current versions of this software are vulnerable to a large number of security issues. This module abuses the directory traversal flaw to gain information about the system and then uses the PHP overflow to execute arbitrary code.
No writeups or analysis indexed.
- http://www.securityfocus.com/archive/1/390918
- http://www.securityfocus.com/bid/12592
- https://exchange.xforce.ibmcloud.com/vulnerabilities/19409
- https://exchange.xforce.ibmcloud.com/vulnerabilities/19411