CVE-2010-1185
Published 2010-03-29
Priority P2 · 63 · critical · 10 · CVSS 2.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT · EPSS 15.22% (96.3rd percentile)
Stack-based buffer overflow in serv.exe in SAP MaxDB 7.4.3.32, and 7.6.0.37 through 7.6.06 allows remote attackers to execute arbitrary code via an invalid length parameter in a handshake packet to TCP port 7210. NOTE: some of these details are obtained from third party information.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sap | maxdb | — | — |
| sap | maxdb | — | — |
| sap | maxdb | — | — |
Detection & IOCs (extracted from sources)
Handshake packet bytes (MaxDB handshake header magic 0x63 0x00 0x00 0x00 0x03 0x2f at offset 0):
\x63\x00\x00\x00\x03\x2f\x00\x00\x01\x00\x00\x00\xff\xff\xff\xff\x00\x00\x04\x00\x63\x00\x00\x00\x00\x02\x4b\x00\x04\x09\x00\x00\x44\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x6d\x61
Egg-hunter tag: T00WT00W
Egg-hunter stub bytes (contains the int 2e syscall pattern CD 2E 3C 05):
\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7
- Detect exploit attempts by monitoring for TCP connections to port 7210 carrying oversized handshake packets (>5000 bytes) with the malformed MaxDB handshake header magic bytes 0x63 0x00 0x00 0x00 0x03 0x2f at offset 0.
- Hunt for the egg-hunter tag 'T00WT00W' (bytes 54 30 30 57 54 30 30 57) in TCP payloads on port 7210, which is the egg marker used by this exploit to locate shellcode.
- Alert on the Windows egg-hunter stub (int 2e / NtAccessCheckAndAuditAlarm syscall pattern: CD 2E 3C 05) appearing in network traffic on port 7210, indicative of this exploit's egghunter shellcode.
- Monitor serv.exe (SAP MaxDB listener) for unexpected child process creation or outbound connections following receipt of a large packet on TCP/7210, which may indicate successful exploitation and shell spawning.
- The exploit targets an invalid length parameter in the handshake packet; IDS rules should flag packets to TCP/7210 where the declared length field in the MaxDB handshake header does not match the actual payload length.
- The exploit PoC hardcodes a private/lab IP (172.16.29.133) as the target; this IP is not a threat-actor infrastructure indicator and should not be used as a network-level block.
- The return address (ret = \x08\xf1\xa0\x00) is specific to Windows XP SP2 EN and the tested MaxDB version 7.7.06.09; it will differ on other OS/patch levels, so byte-matching the RET value alone is not a reliable universal detection.
- Affected versions span 7.4.3.32 and 7.6.0.37 through 7.6.06 per NVD, but the PoC was tested on 7.7.06.09; detection logic should not be version-gated, as the vulnerable component (serv.exe on TCP/7210) is consistent across versions.
No detection rules found.
No writeups or analysis indexed.
References
- http://osvdb.org/63047
- http://secunia.com/advisories/38955
- http://www.securityfocus.com/archive/1/510125/100/0/threaded
- http://www.securityfocus.com/bid/38769
- http://www.securitytracker.com/id?1023719
- http://www.vupen.com/english/advisories/2010/0643
- http://www.zerodayinitiative.com/advisories/ZDI-10-032/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/56950