cbcvebase.
CVE-2005-0684
published 2005-04-25


Priority: P2, 60 (critical)
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 68.50% (99.2th percentile)
Multiple buffer overflows in the web tool for MySQL MaxDB before 7.5.00.26 allows remote attackers to execute arbitrary code via (1) an HTTP GET request with a long file parameter after a percent ("%") sign or (2) a long Lock-Token string to the WebDAV functionality, which is not properly handled by the getLockTokenHeader function in WDVHandler_CommonUtils.c.

Affected (10 ranges)

Vendor  Product  Version range  Fixed in
mysql   maxdb
mysql   maxdb
mysql   maxdb
mysql   maxdb
mysql   maxdb
mysql   maxdb
mysql   maxdb
mysql   maxdb
mysql   maxdb
mysql   maxdb

Detection & IOCs (extracted from sources)

port: 9999
url: /%<buf>
other: SEH overwrite return address 0x1002aa19 (wapi.dll) for MaxDB 7.5.00.11 / 7.5.00.24
other: SEH overwrite return address 0x75022ac4 (ws2help.dll) for Windows 2000 English
other: SEH overwrite return address 0x71aa32ad (ws2help.dll) for Windows XP English SP0/SP1
other: SEH overwrite return address 0x7ffc0638 (PEB magic) for Windows 2003 English
other: SEH overwrite return address 0x77681799 (ws2help.dll) for Windows NT 4.0 SP4/SP5/SP6
path: C:\Program Files\sdb\programs\web\Documents
bytes: \xe9 + [-2052].pack('V') at offset 3638, \xeb\xf9 at offset 3643
  • Detect exploit attempts by monitoring HTTP GET requests to the MaxDB WebDBM service (default port 9999) where the URI begins with '/%' followed by a large alphanumeric buffer (~16 KB), indicative of the CVE-2005-0684 SEH overwrite exploit.
  • Flag HTTP GET requests on port 9999 with a URI starting with '/%' and a body/URI length exceeding 3600+ bytes as a strong indicator of exploitation.
  • Look for the SEH trampoline byte sequence 0xEB 0xF9 (short backward jump) at a fixed offset (~3643) within the oversized GET request buffer, which is the exploit's SEH chain overwrite signature.
  • Monitor for HTTP requests containing a long Lock-Token header sent to the MaxDB WebDBM service, as the getLockTokenHeader function in WDVHandler_CommonUtils.c is also vulnerable to a buffer overflow via this vector.
  • The payload bad characters for this exploit are: \x00 \x3a \x26 \x3f \x25 \x23 \x20 \x0a \x0d \x2f \x2b \x0b \x5c \x40 — encoded payloads in traffic will avoid these bytes.
  • The SEH frame offset (and thus the correct return address target) varies depending on the MaxDB installation path length. The module assumes a web root path of the same length as 'C:\Program Files\sdb\programs\web\Documents'; different install paths will shift the offset.
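The detection notes above, turned into a small request inspector as an added example (not code from the source or from any vendor): it flags GET requests to port 9999 whose URI starts with '/%' and exceeds 3600 bytes, notes the 0xEB 0xF9 trampoline bytes inside such a URI, and flags a long Lock-Token header. The Lock-Token length cut-off (256) is an assumption, since the page gives no number, and the sample requests are constructed.

```python
import re
from typing import List

# Thresholds quoted in the detection notes above
WEBDBM_PORT = 9999
MIN_OVERSIZED_URI = 3600
# Assumed cut-off for a "long" Lock-Token header; the page gives no number
MAX_LOCK_TOKEN_LEN = 256

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, headers); None if malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers


def inspect_request(raw: bytes, dst_port: int) -> List[str]:
    """Return the names of the detection rules the request triggers."""
    hits = []
    if dst_port != WEBDBM_PORT:        # only the WebDBM service is in scope
        return hits
    parsed = parse_request(raw)
    if parsed is None:
        return ["malformed-request"]
    method, uri, headers = parsed
    # (1) oversized '/%...' GET: the web tool's file-parameter overflow
    if method == b"GET" and uri.startswith(b"/%") and len(uri) > MIN_OVERSIZED_URI:
        hits.append("webdbm-percent-uri-overflow")
        if b"\xeb\xf9" in uri:          # SEH trampoline bytes quoted above
            hits.append("seh-trampoline-bytes")
    # (2) long Lock-Token header: getLockTokenHeader overflow vector
    if len(headers.get(b"lock-token", b"")) > MAX_LOCK_TOKEN_LEN:
        hits.append("webdav-lock-token-overflow")
    return hits


# Constructed sample traffic, not captured from a real host
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: maxdb.example\r\n\r\n"
OVERSIZED = b"GET /%" + b"A" * 3640 + b"\xeb\xf9" + b"A" * 400 + b" HTTP/1.0\r\nHost: x\r\n\r\n"
LOCK_TOKEN = (b"UNLOCK /doc HTTP/1.1\r\nHost: x\r\nLock-Token: <opaquelocktoken:"
              + b"B" * 1000 + b">\r\n\r\n")
```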