Info

Disclosure

Apr 25, 2005

Discovery

Mar 08, 2005

Dates

Exploit

Apr 27, 2005

Solution

Apr 25, 2005

Description

A remote overflow exists in MySQL MaxDB. The MaxDB web administration service fails to properly handle HTTP GET requests containing a percent sign ('%') resulting in a buffer overflow. With a specially crafted HTTP GET request containing a percent sign followed by an overly long string as the file parameter, a remote attacker can cause arbitrary code execution with SYSTEM privileges resulting in a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Exploit Public, Exploit Private, Exploit Commercial
Disclosure: OSVDB Verified, Vendor Verified
OSVDB: Web Related

Solution

Upgrade to version 7.5.00.26 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

MySQL AB

MaxDB

7.5.00.23

References

Security Tracker: 1013801
Bugtraq ID: 13368
Secunia Advisory ID: 15109
Metasploit ID: 15816
Related OSVDB ID: 15817
CVE ID: 2005-0684 (see also: NVD)
Vendor Specific News/Changelog Entry: http://dev.mysql.com/doc/maxdb/changes/changes_7.5.00.26.html#WebDAV
Generic Exploit URL: http://metasploit.com/projects/Framework/modules/exploits/maxdb_webdbm_get_overflow.pm
http://www.saintcorporation.com/cgi-bin/exploit_info/maxdb_webtool_special_character_bo
http://www.securiteam.com/exploits/5FP0O20FGS.html
Other Advisory URL: http://www.idefense.com/application/poi/display?id=234&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=235&type=vulnerabilities
http://www.securiteam.com/unixfocus/5JP0O1PFFO.html
Vendor URL: http://www.mysql.com/products/maxdb/

Credit

Anonymous - SEC Consult

Direct URL: http://osvdb.org/15816