CVE-2006-4305
Published 2006-08-30
Priority: P2 (65) · Severity: critical · CVSS 2.0 base score: 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C (network-reachable, low complexity, no authentication, complete confidentiality, integrity and availability impact)
Exploit: public exploit available (Exploit-DB / Metasploit entries below)
EPSS: 70.47% (99.3rd percentile)
Buffer overflow in SAP DB and MaxDB before 7.6.00.30 allows remote attackers to execute arbitrary code via a long database name when connecting via a WebDBM client.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mysql | maxdb | <= 7.6.00.22 | — |
Note that this CPE range stops at 7.6.00.22, while the description says every release before 7.6.00.30 is affected and the Metasploit module below was tested against 7.6.00.27. When scoping exposure, use the description's bound (before 7.6.00.30), not the CPE range.
Detection & IOCs (extracted from sources)
Byte pattern: \x81\xc4\xff\xef\xff\xff\x44 (x86: add esp, 0xffffefff then inc esp, a net stack adjustment of -4096 bytes; this is the prepend encoder that moves esp away from the shellcode before it runs)
- Detect exploit attempts by inspecting HTTP POST requests to /webdbm whose body carries a Database parameter longer than 91 bytes.
- Alert on HTTP POST requests to /webdbm on TCP port 9999 with the body fields Event=DBM_LOGON and Action=LOGON; that logon action is the one the exploit targets.
- Flag the stack-adjustment prepend encoder byte sequence (\x81\xc4\xff\xef\xff\xff\x44) in HTTP POST bodies sent to port 9999.
- The exploit payload cannot contain the following bytes because of encoding constraints: null, colon, ampersand, question mark, percent, hash, space, newline, carriage return, forward and back slash, plus, vertical tab, and at-sign. An over-long Database value that contains none of them is consistent with this exploit; one that does contain them (a percent-encoded or space-containing name, for example) is less likely to be this module.
- Look for the return addresses 0x1005a08f (MaxDB 7.6.00.16) or 0x1005b08f (MaxDB 7.6.00.27) inside the Database parameter of POST requests to /webdbm; both point into wapi.dll. They appear in the body as raw little-endian bytes (8f a0 05 10 and 8f b0 05 10), not as ASCII hex, so match on the byte form.
- The exploit targets only Windows builds of MaxDB 7.6.00.16 and 7.6.00.27; the return addresses are specific to wapi.dll in those builds and will not work on other builds.
- The vulnerable endpoint is the WebDBM service, which listens on TCP port 9999 by default; deployments on non-default ports need adjusted detection rules.
- Payload space is limited to 400 bytes and the code runs in the wahttp process, so any shellcode must fit that budget.
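The checks in the list above, combined into one script as an added example (not part of this page's sources or of the Metasploit module): it parses a raw HTTP request, applies the path, logon-action, length, prepend-encoder, return-address and bad-character checks, and treats a non-default port as a hint rather than a reason to skip analysis, as the port caveat above suggests. The 91-byte threshold, the port, the return addresses and the bad-character set are taken from the list; the two sample requests, the function names and the label strings are assumptions made for the example, and the exploit-shaped sample is filler bytes around the two byte patterns, not a real payload.

```python
import struct

WEBDBM_PATH = b"/webdbm"
WEBDBM_PORT = 9999  # default WebDBM port; non-default deployments need this adjusted

# Stack-adjust prepend encoder bytes listed as an IOC above.
# 81 c4 ff ef ff ff = add esp, 0xffffefff (-4097); 44 = inc esp -> net esp -= 4096
STACK_ADJUST = b"\x81\xc4\xff\xef\xff\xff\x44"

# wapi.dll return addresses for the two Metasploit targets. They travel in the
# body as raw little-endian dwords (8f a0 05 10 / 8f b0 05 10), not ASCII hex.
RET_ADDRS = {
    "MaxDB 7.6.00.16": 0x1005A08F,
    "MaxDB 7.6.00.27": 0x1005B08F,
}

# Bytes the exploit payload cannot contain (encoding constraints from the IOC list).
BAD_CHARS = b"\x00:&?%# \n\r/\\+\x0b@"

# Database values longer than this are treated as suspicious in a DBM_LOGON.
MAX_BENIGN_DBNAME = 91


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_form(body: bytes):
    """Split an x-www-form-urlencoded body on '&' and '=' only.

    No percent-decoding on purpose: '%' and '+' are bad chars for this exploit,
    so the Database value arrives as raw bytes and decoding would corrupt the
    byte patterns matched below."""
    fields = {}
    for pair in body.split(b"&"):
        if pair:
            name, _, value = pair.partition(b"=")
            fields[name] = value
    return fields


def host_port(headers) -> int:
    """Port from the Host header, defaulting to 80 when none is given."""
    host = headers.get(b"host", b"")
    _, _, port = host.rpartition(b":")
    return int(port) if port.isdigit() else 80


def analyze(raw: bytes, expected_port: int = WEBDBM_PORT):
    """Return the detection labels that fire for one request (empty = clean)."""
    hits = []
    method, path, headers, body = parse_request(raw)
    if method != b"POST" or path.partition(b"?")[0] != WEBDBM_PATH:
        return hits
    if host_port(headers) != expected_port:
        # keep analyzing: WebDBM may be relocated, the port is only a hint
        hits.append("webdbm POST on non-default port")
    fields = parse_form(body)
    db = fields.get(b"Database", b"")
    is_logon = fields.get(b"Event") == b"DBM_LOGON" and fields.get(b"Action") == b"LOGON"
    if is_logon and len(db) > MAX_BENIGN_DBNAME:
        hits.append(f"oversized Database in DBM_LOGON ({len(db)} bytes)")
    if STACK_ADJUST in body:
        hits.append("stack-adjust prepend encoder bytes")
    for target, addr in RET_ADDRS.items():
        if struct.pack("<I", addr) in db:
            hits.append(f"wapi.dll return address for {target}")
    if len(db) > MAX_BENIGN_DBNAME and not any(c in db for c in BAD_CHARS):
        hits.append("oversized Database free of exploit bad chars")
    return hits


# Constructed sample traffic (not captures): a normal logon, and an exploit-shaped
# logon whose Database value is filler plus the two byte patterns, no real shellcode.
BENIGN_REQUEST = (
    b"POST /webdbm HTTP/1.1\r\nHost: maxdb.example:9999\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"Event=DBM_LOGON&Action=LOGON&Server=localhost&Database=TESTDB&User=dbm&Password=secret"
)
EXPLOIT_SHAPED_REQUEST = (
    b"POST /webdbm HTTP/1.1\r\nHost: maxdb.example:9999\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"Event=DBM_LOGON&Action=LOGON&Server=localhost&Database="
    + b"A" * 88 + struct.pack("<I", RET_ADDRS["MaxDB 7.6.00.16"]) + STACK_ADJUST + b"\x90" * 40
    + b"&User=dbm&Password=x"
)

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("exploit-shaped", EXPLOIT_SHAPED_REQUEST)):
        print(name, analyze(req) or "clean")
```

Run it as a script to see both samples classified; feed `analyze()` reassembled request bytes from a sensor to use it on real traffic. The form parser deliberately does not percent-decode, because the exploit's bad-character list guarantees the Database value is sent raw, and decoding would break the little-endian address and encoder-byte matches.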
No detection rules found.
Exploit-DB
MaxDB WebDBM - 'Database' Remote Overflow (Metasploit) (exploitdb, 2010-09-20)
---
##
# $Id: maxdb_webdbm_database.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (rank and mixin declarations are missing from the indexed copy)

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'MaxDB WebDBM Database Parameter Overflow',
      'Description' => %q{
          This module exploits a stack buffer overflow in the MaxDB WebDBM
        service by sending a specially-crafted HTTP request that contains
        an overly long database name. A remote attacker could overflow a buffer
        and execute arbitrary code on the system with privileges of the wahttp process.
        This module has been tested against MaxDB 7.6.00.16 and MaxDB 7.6.00.27.
      },
# (the indexed copy of the module source ends here)
Metasploit
MaxDB WebDBM Database Parameter Overflow
This module exploits a stack buffer overflow in the MaxDB WebDBM service by sending a specially-crafted HTTP request that contains an overly long database name. A remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the wahttp process. The module has been tested against MaxDB 7.6.00.16 and MaxDB 7.6.00.27.
No writeups or analysis indexed.
References
- http://dev.mysql.com/doc/maxdb/changes/changes_7.6.00.32.html
- http://secunia.com/advisories/21677
- http://secunia.com/advisories/22518
- http://securitytracker.com/id?1016766
- http://www.debian.org/security/2006/dsa-1190
- http://www.securityfocus.com/archive/1/444601/100/0/threaded
- http://www.securityfocus.com/bid/19660
- http://www.symantec.com/enterprise/research/SYMSA-2006-009.txt
- http://www.vupen.com/english/advisories/2006/3410
- https://exchange.xforce.ibmcloud.com/vulnerabilities/28636