CVE-2008-2639
published 2008-06-16


Priority: P273high
CVSS 2.0: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 77.72% (99.5th percentile)
Stack-based buffer overflow in the ODBC server service in Citect CitectSCADA 6 and 7, and CitectFacilities 7, allows remote attackers to execute arbitrary code via a long string in the second application packet in a TCP session on port 20222.

Affected (3 ranges)

Vendor   Product           Version range   Fixed in
citect   citectfacilities
citect   citectscada
citect   citectscada

Detection & IOCs (extracted from sources)

port: 20222
filename: CiExceptionMailer.dll
filename: Citect32.exe
path: C:\Program Files\Citect\CitectSCADA\Bin
snort:
alert tcp $EXTERNAL_NET any -> $HOME_NET 20222 (msg:"ET SCADA CitectSCADA ODBC Overflow Attempt"; flow:established,to_server; dsize:4; byte_test:4,>,399,0; reference:cve,2008-2639; reference:url,www.digitalbond.com/index.php/2008/09/08/ids-signature-for-citect-vuln/; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; classtype:attempted-user; sid:2008542; rev:8; metadata:created_at 2010_07_30, cve CVE_2008_2639, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
  • The exploit sends two TCP packets to port 20222: first a 4-byte length prefix, then the malicious ODBC payload. Detection should look for an initial 4-byte packet with a value greater than 399 on port 20222 (as captured by the ET rule's dsize:4 + byte_test).
  • The overflow is triggered in the second application packet of the TCP session on port 20222. The packet begins with a 5-byte header (0x02 + 4-byte big-endian length) followed by the oversized payload string.
  • The exploit uses a null-byte-free payload (BadChars: \x00) with a stack adjustment of -3500 bytes and SEH-based exploitation via pop/pop/ret gadgets in CiExceptionMailer.dll or Citect32.exe.
  • The EXITFUNC is set to 'thread', meaning the shellcode exits via thread termination — useful for distinguishing exploit payloads from benign traffic.
  • The ET Snort rule (sid:2008542) triggers only on the initial 4-byte length packet (dsize:4, value >399) and will not fire on the actual payload packet. This may miss variants that send a combined packet.
  • Return addresses (ROP gadgets) vary significantly by Citect version and OS. CiExceptionMailer.dll can be arbitrarily remapped by other DLLs, making static RET address detection unreliable across environments.
  • The vulnerability affects CitectSCADA 6 and 7 and CitectFacilities 7, but the Metasploit module was also tested against v5. Patched status of v7+ is noted as 'presumably patched' but not confirmed for all sub-versions.
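The following is an added detection example, not code from this page or from any vendor or rule set. It applies the two observations above (a 4-byte big-endian length prefix greater than 399, then a second application packet framed as 0x02 plus a 4-byte big-endian length plus the string) to the client-to-server side of one TCP session. Unlike the ET rule, it works on the reassembled byte stream, so it does not depend on the length prefix arriving as its own 4-byte segment; this closes the combined-packet gap the third bullet mentions. Reusing the rule's 399-byte threshold for the framed string is an assumption, as is the sample traffic, which is constructed filler rather than captured data.

```python
import struct

CITECT_ODBC_PORT = 20222   # destination port from the advisory and the ET rule
LENGTH_THRESHOLD = 399     # from the ET rule: byte_test:4,>,399,0 (big-endian)
FRAME_MARKER = 0x02        # first byte of the second packet's 5-byte header


def analyse_client_stream(dst_port, segments):
    """Inspect the client->server payloads of one TCP session.

    segments: list of bytes, the application payloads in arrival order.
    Returns (findings, et_rule_would_fire). The checks run on the
    reassembled stream so TCP segmentation does not change the verdict.
    """
    findings = []
    if dst_port != CITECT_ODBC_PORT:
        return findings, False

    # What sid:2008542 would see: only a first segment of exactly 4 bytes.
    et_rule_would_fire = (
        len(segments) > 0
        and len(segments[0]) == 4
        and struct.unpack(">I", segments[0])[0] > LENGTH_THRESHOLD
    )

    stream = b"".join(segments)
    if len(stream) < 4:
        return findings, et_rule_would_fire

    # Observation 1: initial 4-byte big-endian length prefix above 399.
    prefix = struct.unpack(">I", stream[:4])[0]
    if prefix > LENGTH_THRESHOLD:
        findings.append(("oversized_length_prefix", prefix))

    # Observation 2: second application packet = 0x02 + 4-byte BE length + string.
    body = stream[4:]
    if len(body) >= 5 and body[0] == FRAME_MARKER:
        declared = struct.unpack(">I", body[1:5])[0]
        actual = len(body) - 5
        # Assumption: the same 399-byte threshold is reasonable for the string.
        if declared > LENGTH_THRESHOLD or actual > LENGTH_THRESHOLD:
            findings.append(("oversized_odbc_string", max(declared, actual)))

    return findings, et_rule_would_fire


def _framed(string_len, fill):
    """Build the documented 5-byte header followed by `string_len` filler bytes."""
    return bytes([FRAME_MARKER]) + struct.pack(">I", string_len) + fill * string_len


# Constructed sample sessions (filler bytes only, not captured traffic).
SAMPLE_SESSIONS = {
    # short length prefix, short string: should produce no findings
    "benign": [struct.pack(">I", 16), _framed(11, b"x")],
    # two-packet layout the bullets describe: 4-byte prefix, then framed string
    "two_packet": [struct.pack(">I", 500), _framed(500, b"A")],
    # same bytes sent in one segment: the ET rule's dsize:4 never matches
    "combined": [struct.pack(">I", 500) + _framed(500, b"A")],
}


def run_samples():
    """Evaluate every constructed session against port 20222."""
    return {name: analyse_client_stream(CITECT_ODBC_PORT, segs)
            for name, segs in SAMPLE_SESSIONS.items()}


if __name__ == "__main__":
    for name, (findings, et_fires) in run_samples().items():
        print(f"{name:11s} ET rule fires: {et_fires!s:5s} findings: {findings}")
```

The `et_rule_would_fire` value is returned alongside the findings so an analyst can see which sessions the stream-based check flags that the single-segment signature would not; on the constructed "combined" session the findings are identical to the two-packet case while the signature stays silent.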