CVE-2008-0434
Published 2008-01-23
Priority P261 · critical · 9.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 10.35% (95.1st percentile)
Format string vulnerability in the AXIMilter module in AXIGEN Mail Server 5.0.2 allows remote attackers to execute arbitrary code via format string specifiers in the CNHO command.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gecad_technologies | axigen_mail_server | — | — |
Detection & IOCs (extracted from sources)
- Command (CNHO value, the format string): %35u%6851$n%70u%6850$hhn%47u%6846$hhn%36u%6854$hhn%31u%6853$hhn%17u%6852$hhn%134u%6847$hhn%111u%6848$hhn%259u%6849$hhn
- Bytes (protocol framing that precedes the format string): FROM:\r\nEHLO:\r\nCNIP:\r\nCNPO:\r\nCNHO:
- Bytes (nine consecutive little-endian addresses, 0x080596b8 through 0x080596c0): \xb8\x96\x05\x08\xb9\x96\x05\x08\xba\x96\x05\x08\xbb\x96\x05\x08\xbc\x96\x05\x08\xbd\x96\x05\x08\xbe\x96\x05\x08\xbf\x96\x05\x08\xc0\x96\x05\x08
- Bytes (shellcode fragment): \x33\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xdc\xc8\x06\xb7\x83\xeb\xfc\xe2\xf4
- Detect exploit traffic by inspecting AXIMilter protocol sessions for CNHO commands whose argument contains printf-style write specifiers (%n, %hn, %hhn, and positional forms such as %6851$n).
- Monitor for the AXIGEN mail server process opening an unexpected listener on TCP port 4141 (the exploit's bind shell), and for inbound connections to it, following AXIMilter session activity; either indicates successful exploitation.
- Inspect AXIMilter session payloads for the multi-field sequence FROM / EHLO / CNIP / CNPO / CNHO / RCPT / VERI / PASS in a single connection, which is the exploit's protocol framing.
- Flag AXIMilter CNHO field values containing high-numbered positional format arguments (e.g., %6846$hhn through %6854$hhn, %6851$n) as indicative of format-string exploitation attempts; a legitimate hostname never contains a positional specifier.
- The exploit targets AXIGEN Mail Server version 5.0.2 specifically; the AXIMilter module must be enabled and reachable for the vulnerability to be exploitable.
- The exploit hard-codes the write target addresses (the 0x080596b8 series) for the 5.0.2 binary layout; different builds or OS configurations will require different addresses and padding widths, so the exact byte patterns above should be treated as one variant, not as the only form the attack can take.
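The detection notes above say what to look for but not how to parse it. The following is an added example for this page (not code from the page's sources, not AXIGEN code, and not the original exploit): it splits an AXIMilter-style session on the FIELD:value framing quoted above, flags a CNHO value that carries printf write specifiers, and simulates printf's character counter to report which positional arguments the page's specifier sequence would write to and with what values. The sample sessions are constructed. The prefix_len parameter, the rule that a padded conversion such as %35u prints exactly its width, and the 32-bit write sizes are assumptions, so the values it reports for the page's payload are relative to whatever bytes precede the specifiers in the real request.

```python
"""Triage helper for AXIMilter-style sessions: flag CNHO values that carry
printf-style write specifiers and simulate what the format string would write.

Added example, not AXIGEN code and not the original exploit.  The session
text, the field framing and the 'exact width' rule are constructed/assumed.
"""
import re

# Fields the page lists as the exploit's protocol framing, in order.
FRAMING = ["FROM", "EHLO", "CNIP", "CNPO", "CNHO", "RCPT", "VERI", "PASS"]

# One printf conversion: optional positional "N$", optional width, optional
# length modifier, conversion character.
SPEC_RE = re.compile(r"%(?:(\d+)\$)?(\d*)(hh|h|ll|l)?([diouxXcspn%])")

# Bytes stored by each %n variant.  Assumes a 32-bit target, which matches
# the 0x0805xxxx addresses quoted on the page.
N_WIDTH = {"hh": 1, "h": 2, None: 4, "l": 4, "ll": 8}


def parse_session(raw):
    """Split an AXIMilter-style session into {FIELD: value}.

    Assumes 'FIELD:value\\r\\n' framing as quoted on the page; only the first
    occurrence of a field is kept.
    """
    fields = {}
    for line in raw.split("\r\n"):
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        name = name.strip().upper()
        if name and name not in fields:
            fields[name] = value
    return fields


def format_writes(fmt, prefix_len=0):
    """Simulate printf's character counter over fmt and return its writes.

    Each entry is (positional_arg, byte_width, value_written).  Assumption:
    a padded conversion such as %35u prints exactly its width (true when the
    argument is shorter than the width) and an unpadded one prints one char.
    prefix_len counts bytes already emitted before fmt, e.g. the address
    block that precedes the specifiers in the page's payload.
    """
    count = prefix_len
    writes = []
    pos = 0
    implicit_arg = 0  # next argument index for non-positional specifiers
    for m in SPEC_RE.finditer(fmt):
        count += m.start() - pos  # literal text between specifiers
        pos = m.end()
        arg, width, mod, conv = m.groups()
        if conv == "%":
            count += 1
            continue
        if arg is None:
            implicit_arg += 1
            arg_index = implicit_arg
        else:
            arg_index = int(arg)
        if conv == "n":
            nbytes = N_WIDTH[mod]
            writes.append((arg_index, nbytes, count % (1 << (8 * nbytes))))
        else:
            count += int(width) if width else 1
    return writes


def triage_session(raw, prefix_len=0):
    """Return a finding dict for the session, or None if CNHO looks benign."""
    fields = parse_session(raw)
    cnho = fields.get("CNHO", "")
    has_specifiers = bool(SPEC_RE.search(cnho))
    if not has_specifiers:
        return None
    writes = format_writes(cnho, prefix_len)
    return {
        "framing_seen": [f for f in FRAMING if f in fields],
        "cnho_has_specifiers": True,
        "write_count": len(writes),
        "max_positional_arg": max((w[0] for w in writes), default=0),
        "writes": writes,
    }


# Constructed sample sessions (not captured traffic).  The CNHO value of the
# second one is the specifier sequence quoted on the page.
BENIGN_SESSION = (
    "FROM:alice@example.org\r\nEHLO:mail.example.org\r\nCNIP:192.0.2.10\r\n"
    "CNPO:25\r\nCNHO:mail.example.org\r\nRCPT:bob@example.net\r\n"
)
EXPLOIT_FMT = (
    "%35u%6851$n%70u%6850$hhn%47u%6846$hhn%36u%6854$hhn%31u%6853$hhn"
    "%17u%6852$hhn%134u%6847$hhn%111u%6848$hhn%259u%6849$hhn"
)
SUSPECT_SESSION = (
    "FROM:\r\nEHLO:\r\nCNIP:\r\nCNPO:\r\nCNHO:" + EXPLOIT_FMT
    + "\r\nRCPT:\r\nVERI:\r\nPASS:\r\n"
)

if __name__ == "__main__":
    for name, sess in (("benign", BENIGN_SESSION), ("suspect", SUSPECT_SESSION)):
        print(name, triage_session(sess))
```

Running the module prints one triage dict per session; the benign one returns None. For the page's CNHO payload it reports nine writes: one 4-byte %n at argument 6851 followed by eight single-byte %hhn writes at arguments 6846 through 6854, which is consistent with the nine consecutive little-endian addresses 0x080596b8 through 0x080596c0 in the byte IOC. The padding widths between writes show the standard trick of advancing the counter so that each target byte receives the intended value modulo 256; the absolute values depend on prefix_len, which is why the simulation takes it as a parameter rather than guessing it.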
Detection rules: none indexed. Writeups or analysis: none indexed.
References
- http://lists.grok.org.uk/pipermail/full-disclosure/2008-January/059788.html
- http://secunia.com/advisories/28562
- http://securityreason.com/securityalert/3570
- http://www.securityfocus.com/archive/1/486722/100/0/threaded
- http://www.securityfocus.com/bid/27363
- http://www.vupen.com/english/advisories/2008/0237
- https://exchange.xforce.ibmcloud.com/vulnerabilities/39803
- https://www.exploit-db.com/exploits/4947