CVE-2005-0684
Published 2005-04-25
Priority P2 (60) · critical · CVSS 2.0 base score 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit available
EPSS: 68.50% (99.2th percentile)
Multiple buffer overflows in the web tool for MySQL MaxDB before 7.5.00.26 allow remote attackers to execute arbitrary code via (1) an HTTP GET request with a long file parameter after a percent ("%") sign or (2) a long Lock-Token string to the WebDAV functionality, which is not properly handled by the getLockTokenHeader function in WDVHandler_CommonUtils.c.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mysql | maxdb | — | — |
(All ten listed ranges repeat this row for vendor mysql, product maxdb, with no version bounds or fixed-in version recorded; the CVE description names 7.5.00.26 as the fixed release.)
Detection & IOCs (extracted from sources)
Indicator (bytes): `\xe9 + [-2052].pack('V')` at offset 3638, `\xeb\xf9` at offset 3643
- Detect exploit attempts by monitoring HTTP GET requests to the MaxDB WebDBM service (default port 9999) where the URI begins with '/%' followed by a large alphanumeric buffer (~16 KB), indicative of the CVE-2005-0684 SEH overwrite exploit.
- Flag HTTP GET requests on port 9999 with a URI starting with '/%' and a body/URI length exceeding 3600+ bytes as a strong indicator of exploitation.
- Look for the SEH trampoline byte sequence 0xEB 0xF9 (short backward jump) at a fixed offset (~3643) within the oversized GET request buffer, which is the exploit's SEH chain overwrite signature.
- Monitor for HTTP requests containing a long Lock-Token header sent to the MaxDB WebDBM service, as the getLockTokenHeader function in WDVHandler_CommonUtils.c is also vulnerable to a buffer overflow via this vector.
- The payload bad characters for this exploit are: \x00 \x3a \x26 \x3f \x25 \x23 \x20 \x0a \x0d \x2f \x2b \x0b \x5c \x40 — encoded payloads in traffic will avoid these bytes.
- The SEH frame offset (and thus the correct return address target) varies depending on the MaxDB installation path length. The module assumes a web root path of the same length as 'C:\Program Files\sdb\programs\web\Documents'; different install paths will shift the offset.
No detection rules found.
Exploit-DB
MaxDB WebDBM - GET Buffer Overflow (Metasploit) · exploitdb · 2010-05-09
```ruby
##
# $Id: maxdb_webdbm_get_overflow.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# The superclass and the initialize/update_info header were lost in
# extraction; restored here from the standard Metasploit3 module layout.
class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'MaxDB WebDBM GET Buffer Overflow',
      'Description' => %q{
        This module exploits a stack buffer overflow in the MaxDB WebDBM
        service. This service is included with many recent versions
        of the MaxDB and SAPDB products. This particular module is
        capable of exploiting Windows systems through the use of an
        SEH frame overwrite. The offset to the SEH frame may change
        depending on
```
(The module listing is truncated here in the source.)
Metasploit
MaxDB WebDBM GET Buffer Overflow · metasploit
This module exploits a stack buffer overflow in the MaxDB WebDBM service. This service is included with many recent versions of the MaxDB and SAPDB products. This particular module is capable of exploiting Windows systems through the use of an SEH frame overwrite. The offset to the SEH frame may change depending on where MaxDB has been installed; this module assumes a web root path with the same length as: C:\Program Files\sdb\programs\web\Documents
No writeups or analysis indexed.
References
- http://dev.mysql.com/doc/maxdb/changes/changes_7.5.00.26.html#WebDAV
- http://www.idefense.com/application/poi/display?id=234&type=vulnerabilities
- http://www.idefense.com/application/poi/display?id=235&type=vulnerabilities
- http://www.securityfocus.com/bid/13368