CVE-2008-0226
published 2008-01-10


Priority: P269 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit flagged
EPSS: 91.60% (99.8th percentile)
Multiple buffer overflows in yaSSL 1.7.5 and earlier, as used in MySQL and possibly other products, allow remote attackers to execute arbitrary code via (1) the ProcessOldClientHello function in handshake.cpp or (2) "input_buffer& operator>>" in yassl_imp.cpp.

Affected

74 ranges, 25 shown (the version range and fixed-in columns were not captured in this extraction)

Vendor      Product        Ranges shown
apple       mac_os_x       1
canonical   ubuntu_linux   4
debian      debian_linux   1
mysql       mysql          19

Detection & IOCs (extracted from sources)

port: 3306
bytes: \x00\x0F\xFF (SSL Hello packet trigger bytes preceding overflow buffer)
bytes: 0x01000020 (first packet header, little-endian)
bytes: 0x00008daa 0x40000000 0x00000008 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x03010000 0x00000001 (malicious SSL Hello message body)
  • Detect exploitation attempts by monitoring for oversized SSL Hello messages (~3965+ bytes of alphanumeric padding) sent to MySQL port 3306, preceded by the byte sequence \x00\x0F\xFF.
  • The exploit sends exactly two TCP payloads to port 3306: a 4-byte header packet (0x01000020) followed by the large malformed SSL Hello packet. Detecting this two-packet sequence on MySQL's port is a strong indicator of CVE-2008-0226 exploitation.
  • The vulnerable code paths are ProcessOldClientHello in handshake.cpp and input_buffer& operator>> in yassl_imp.cpp within yaSSL 1.7.5 and earlier. Presence of yaSSL ≤1.7.5 bundled with MySQL ≤6.0 on a network-accessible port 3306 constitutes an exploitable attack surface.
  • Bad characters used by the exploit payload are \x00\x20\x0a\x0d\x2f\x2b\x0b\x5c — IDS/IPS rules inspecting SSL Hello content on port 3306 should flag payloads that avoid these bytes while containing large blocks of alphanumeric shellcode.
  • Red Hat Enterprise Linux (2.1, 3, 4, 5) and Red Hat Application Stack v1/v2 are NOT vulnerable because their MySQL packages are not built with yaSSL support.
  • Ubuntu 6.06 is not affected in the default installation (CVE-2008-0226/CVE-2008-0227 did not affect it by default).
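The two-packet indicator in the bullets above, turned into a flow-level check a sensor or packet-capture post-processor could run. This is an added example, not part of this record and not any detection rule the page cites; the constants (the 0x01000020 header read as little-endian, the \x00\x0F\xFF trigger, the ~3965-byte alphanumeric padding threshold) come from the bullets, while the function names and the two sample flows are constructed here for illustration (the "suspect" flow uses inert 'A' padding, not a real payload).

```python
"""Flow-level check for the CVE-2008-0226 (yaSSL / MySQL) two-packet indicator.

Input is the ordered list of client-to-server TCP payloads of one connection,
as a capture tool or IDS would hand them to a detection hook. Constructed
example; names and thresholds are assumptions taken from the IOC bullets.
"""
import re
from dataclasses import dataclass, field

MYSQL_PORT = 3306
HEADER_VALUE = 0x01000020      # first packet header, interpreted little-endian (per the IOC note)
TRIGGER = b"\x00\x0f\xff"      # bytes that precede the overflowed buffer in the SSL Hello
MIN_PADDING = 3965             # approximate alphanumeric padding length named in the bullets
# A run of at least MIN_PADDING alphanumeric bytes; bytes-formatting of %d is valid in Python 3.
ALNUM_RUN = re.compile(rb"[A-Za-z0-9]{%d,}" % MIN_PADDING)


@dataclass
class Verdict:
    indicators: list = field(default_factory=list)   # names of the indicators that matched

    @property
    def high_confidence(self) -> bool:
        # The bullets call the header-then-oversized-Hello sequence a strong indicator.
        return "two_packet_sequence" in self.indicators


def header_matches(payload: bytes) -> bool:
    """True if the payload is exactly the 4-byte header 0x01000020 (little-endian)."""
    return len(payload) == 4 and int.from_bytes(payload, "little") == HEADER_VALUE


def oversized_hello(payload: bytes) -> bool:
    """True if the trigger bytes appear and a long alphanumeric run follows them."""
    idx = payload.find(TRIGGER)
    if idx < 0:
        return False
    return ALNUM_RUN.search(payload, idx + len(TRIGGER)) is not None


def assess_flow(dst_port: int, payloads: list) -> Verdict:
    """Evaluate one connection's client->server payloads (in order) against the IOCs."""
    verdict = Verdict()
    if dst_port != MYSQL_PORT or not payloads:
        return verdict
    if header_matches(payloads[0]):
        verdict.indicators.append("header")
    if any(oversized_hello(p) for p in payloads):
        verdict.indicators.append("oversized_hello")
    # Strong indicator: the 4-byte header immediately followed by the malformed Hello.
    if len(payloads) >= 2 and header_matches(payloads[0]) and oversized_hello(payloads[1]):
        verdict.indicators.append("two_packet_sequence")
    return verdict


# Constructed sample flows (not captured traffic).
# Benign: a single ordinary-looking client packet, longer than 4 bytes, no trigger.
BENIGN_FLOW = [b"\x3f\x00\x00\x01\x85\xa6\x03\x00\x00\x00\x00\x01" + b"\x00" * 23 + b"app_user\x00"]
# Suspect: the 4-byte header (little-endian encoding of 0x01000020) followed by a
# large "Hello" carrying the trigger and inert alphanumeric padding.
SUSPECT_FLOW = [
    HEADER_VALUE.to_bytes(4, "little"),
    b"\x16\x03\x01" + TRIGGER + b"A" * 4000,
]

if __name__ == "__main__":
    for name, flow in (("benign", BENIGN_FLOW), ("suspect", SUSPECT_FLOW)):
        v = assess_flow(MYSQL_PORT, flow)
        print(f"{name}: indicators={v.indicators} high_confidence={v.high_confidence}")
```

The header comparison follows the record's own annotation that 0x01000020 is to be read little-endian; if a sensor hands over the raw wire bytes in the other order, compare against the integer rather than hard-coding a byte string, as done here, so only the annotation needs to change. The same-port restriction keeps the check from firing on unrelated TLS traffic that happens to contain long alphanumeric runs.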

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat             7.5     HIGH
vendor_ubuntu             3.5     LOW