CVE-2006-4305
published 2006-08-30


Priority: P2 65
CVSS 2.0: 10 critical (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 70.47% (99.3rd percentile)
Buffer overflow in SAP DB and MaxDB before 7.6.00.30 allows remote attackers to execute arbitrary code via a long database name when connecting via a WebDBM client.

Affected (1 range)

Vendor: mysql
Product: maxdb
Version range: <= 7.6.00.22
Fixed in: not listed

Detection & IOCs (extracted from sources)

port: 9999
url: /webdbm
command: Event=DBM_LOGON&Action=LOGON&Server=<rand>&Database=<overflow>&User=<rand>&Password=<rand>
other: 0x1005a08f (wapi.dll, MaxDB 7.6.00.16)
other: 0x1005b08f (wapi.dll, MaxDB 7.6.00.27)
process: wahttp.exe
bytes: \x81\xc4\xff\xef\xff\xff\x44
  • Detect exploit attempts by inspecting HTTP POST requests to /webdbm containing an overly long 'Database' parameter (>91 bytes) in the POST body.
  • Alert on HTTP POST requests to /webdbm on port 9999 with body fields Event=DBM_LOGON and Action=LOGON, which is the specific action targeted by the exploit.
  • Flag presence of the stack-adjustment prepend encoder byte sequence (\x81\xc4\xff\xef\xff\xff\x44) in HTTP POST body payloads targeting port 9999.
  • Note that, because of encoding constraints, the exploit's Database parameter will not contain any of these bad characters: null bytes, colons, ampersands, question marks, percent signs, hashes, spaces, newlines, carriage returns, forward/back slashes, plus signs, vertical tabs, and at-signs. A long Database value free of all of them is consistent with an encoded payload.
  • Look for the return addresses 0x1005a08f or 0x1005b08f embedded within the Database parameter of POST requests to /webdbm, indicating exploitation of wapi.dll on MaxDB 7.6.00.16 or 7.6.00.27 respectively.
  • The exploit targets only Windows platforms running MaxDB 7.6.00.16 and 7.6.00.27; the return addresses are specific to wapi.dll on those versions and will not work on other builds.
  • The vulnerable endpoint is the WebDBM service listening on TCP port 9999 by default; deployments on non-default ports will require adjusted detection rules.
  • The payload space is constrained to 400 bytes and the execution context is the wahttp process; shellcode must fit within this budget.
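As an added example (not from cvebase or from any MaxDB vendor source), the Python checker below applies the detection notes above to one parsed HTTP request. The function names, the use of 91 bytes as a hard threshold, and the little-endian byte order assumed for the wapi.dll return addresses are assumptions; the two sample request bodies are constructed, not captured traffic.

```python
import struct

WEBDBM_PORT = 9999                      # default WebDBM port; adjust for non-default deployments
DB_NAME_LIMIT = 91                      # Database values longer than this are anomalous
STACK_ADJUST_PREPEND = b"\x81\xc4\xff\xef\xff\xff\x44"
RETURN_ADDRS = {0x1005a08f: "wapi.dll, MaxDB 7.6.00.16",
                0x1005b08f: "wapi.dll, MaxDB 7.6.00.27"}


def parse_form(body: bytes) -> dict:
    """Split a raw x-www-form-urlencoded body WITHOUT percent-decoding,
    so embedded binary payload bytes are compared exactly as sent."""
    fields = {}
    for pair in body.split(b"&"):
        key, _, value = pair.partition(b"=")
        fields[key] = value
    return fields


def inspect_request(method: str, path: str, port: int, body: bytes) -> list:
    """Return a list of findings for one HTTP request; an empty list means nothing matched."""
    if method != "POST" or not path.startswith("/webdbm") or port != WEBDBM_PORT:
        return []
    fields = parse_form(body)
    database = fields.get(b"Database", b"")
    findings = []
    if len(database) > DB_NAME_LIMIT:
        findings.append(f"Database parameter {len(database)} bytes > {DB_NAME_LIMIT}")
    if STACK_ADJUST_PREPEND in body:
        findings.append("stack-adjustment prepend bytes present")
    for addr, where in RETURN_ADDRS.items():
        # assumption: address is embedded little-endian, as an x86 stack frame stores it
        if struct.pack("<I", addr) in database:
            findings.append(f"return address {addr:#x} ({where})")
    if not findings:
        return []
    # the logon action alone is normal traffic; it is reported only as context for an anomaly
    if fields.get(b"Event") == b"DBM_LOGON" and fields.get(b"Action") == b"LOGON":
        findings.insert(0, "DBM_LOGON/LOGON action targeted by the exploit")
    return findings


# Constructed sample bodies (not captured traffic)
BENIGN = b"Event=DBM_LOGON&Action=LOGON&Server=localhost&Database=TESTDB&User=dbm&Password=secret"
SUSPICIOUS = (b"Event=DBM_LOGON&Action=LOGON&Server=x&Database=" + b"A" * 200
              + struct.pack("<I", 0x1005a08f) + STACK_ADJUST_PREPEND + b"&User=x&Password=x")

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, inspect_request("POST", "/webdbm", 9999, body) or ["no findings"])
```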