CVE-2008-0434
published 2008-01-23

Priority: P261 · critical · 9.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 10.35% (95.1th percentile)

Format string vulnerability in the AXIMilter module in AXIGEN Mail Server 5.0.2 allows remote attackers to execute arbitrary code via format string specifiers in the CNHO command.

Affected (1 range)

Vendor | Product | Version range | Fixed in
gecad_technologies | axigen_mail_server | |

Detection & IOCs (extracted from sources)

port: 4141
command: %35u%6851$n%70u%6850$hhn%47u%6846$hhn%36u%6854$hhn%31u%6853$hhn%17u%6852$hhn%134u%6847$hhn%111u%6848$hhn%259u%6849$hhn
bytes: FROM:\r\nEHLO:\r\nCNIP:\r\nCNPO:\r\nCNHO: 
bytes: \xb8\x96\x05\x08\xb9\x96\x05\x08\xba\x96\x05\x08\xbb\x96\x05\x08\xbc\x96\x05\x08\xbd\x96\x05\x08\xbe\x96\x05\x08\xbf\x96\x05\x08\xc0\x96\x05\x08
bytes: \x33\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xdc\xc8\x06\xb7\x83\xeb\xfc\xe2\xf4
  • Detect exploit traffic by inspecting AXIMilter protocol sessions for CNHO commands containing printf-style format specifiers (e.g., %n, %hhn, $n patterns) in the command argument.
  • Monitor for an unexpected bind-shell listener on TCP port 4141 opened by the AXIGEN mail server process, and for connections to it, following AXIMilter session activity; either indicates successful exploitation.
  • Inspect AXIMilter session payloads for the multi-field sequence FROM / EHLO / CNIP / CNPO / CNHO / RCPT / VERI / PASS in a single connection, which is the exploit's protocol framing.
  • Flag AXIMilter CNHO field values containing high-numbered positional format arguments (e.g., %6846$hhn through %6854$n) as indicative of format-string exploitation attempts.
  • The exploit targets AXIGEN Mail Server version 5.0.2 specifically; the AXIMilter module must be enabled and reachable for the vulnerability to be exploitable.
  • The shellcode hard-codes return addresses (e.g., 0x080596b8 series) specific to the 5.0.2 binary layout; different builds or OS configurations will require different offsets.
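
The CNHO and field-sequence checks from the bullets above, as an added Python example (not code from this page or from AXIGEN). It assumes sessions are CRLF-separated 'NAME: value' lines, as the bytes IOC suggests; the function names, the HIGH_POSITION cut-off and both sample sessions are constructed for illustration.

```python
import re

# Field order the page lists as the framing of one exploit session.
EXPLOIT_SEQUENCE = ["FROM", "EHLO", "CNIP", "CNPO", "CNHO", "RCPT", "VERI", "PASS"]
# printf conversion: optional "<n>$" position, flags, width, length, conversion.
SPEC = re.compile(rb"%(?:(\d+)\$)?[-+ #0]*\d*(hh|h|ll|l)?([a-zA-Z])")
HIGH_POSITION = 64  # assumption: cut-off for a "high-numbered" positional argument

# Constructed sample sessions (not captured traffic, not the exploit payload).
BENIGN = (b"FROM: a@example.test\r\nEHLO: mx.example.test\r\nCNIP: 192.0.2.10\r\n"
          b"CNPO: 25\r\nCNHO: mx.example.test\r\nRCPT: b@example.test\r\n")
SUSPECT = (b"FROM:\r\nEHLO:\r\nCNIP:\r\nCNPO:\r\nCNHO: %10u%200$hhn\r\n"
           b"RCPT: x\r\nVERI: x\r\nPASS: x\r\n")


def parse_fields(session: bytes):
    """Split a session into (NAME, value) pairs; assumes CRLF-separated 'NAME: value'."""
    fields = []
    for line in session.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.isalpha():
            fields.append((name.decode("ascii").upper(), value.strip()))
    return fields


def inspect_session(session: bytes):
    """Return the findings raised by one session, in a stable order, without repeats."""
    fields = parse_fields(session)
    findings = []
    for name, value in fields:
        if name != "CNHO":
            continue
        # "%%" is a literal percent sign in printf, so drop it before matching.
        specs = SPEC.findall(value.replace(b"%%", b""))
        if specs:
            findings.append("format-specifier-in-CNHO")
        if any(conv == b"n" for _pos, _len, conv in specs):
            findings.append("write-specifier-in-CNHO")
        if any(pos and int(pos) >= HIGH_POSITION for pos, _len, _conv in specs):
            findings.append("high-positional-argument-in-CNHO")
    if [name for name, _ in fields] == EXPLOIT_SEQUENCE:
        findings.append("full-exploit-field-sequence")
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for label, session in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, inspect_session(session))
```

A hostname has no legitimate reason to contain a printf conversion, so the first finding alone is worth alerting on; the other three raise confidence that the session matches this exploit's shape.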