Vulnerabilities > CVE-2006-4305 - Remote Buffer Overflow vulnerability in SAP-DB/MaxDB WebDBM

CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
mysql
sap-db
critical
nessus
exploit available
metasploit

Summary

Buffer overflow in SAP DB and MaxDB before 7.6.00.30 allows remote attackers to execute arbitrary code via a long database name when connecting via a WebDBM client.

Exploit-Db

description: MaxDB WebDBM Database Parameter Overflow. CVE-2006-4305. Remote exploit for the Windows platform.
idEDB-ID:16765
last seen2016-02-02
modified2010-09-20
published2010-09-20
reportermetasploit
sourcehttps://www.exploit-db.com/download/16765/
titleMaxDB WebDBM Database Parameter Overflow

Metasploit

description: This module exploits a stack buffer overflow in the MaxDB WebDBM service. By sending a specially crafted HTTP request that contains an overly long database name, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the wahttp process. This module has been tested against MaxDB 7.6.00.16 and MaxDB 7.6.00.27.
idMSF:EXPLOIT/WINDOWS/HTTP/MAXDB_WEBDBM_DATABASE
last seen2020-06-13
modified2017-07-24
published2006-09-27
referenceshttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4305
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/maxdb_webdbm_database.rb
titleMaxDB WebDBM Database Parameter Overflow

Nessus

  • NASL familyCGI abuses
    NASL idWEBDBM_DATABASE_OVERFLOW.NASL
    description: The remote host is running SAP DB or MaxDB, a SAP-certified open-source database supporting OLTP and OLAP. According to its version, the Web DBM component of MaxDB on the remote host reportedly contains a buffer overflow that can be triggered by an HTTP request containing a long database name. An unauthenticated remote attacker may be able to exploit this flaw to execute arbitrary code on the affected host subject to the privileges of the …
    last seen2020-06-01
    modified2020-06-02
    plugin id22309
    published2006-09-06
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22309
    titleSAP DB / MaxDB WebDBM Client Database Name Remote Overflow
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22309);
      script_version("1.18");
      script_cvs_date("Date: 2018/11/15 20:50:19");

      script_cve_id("CVE-2006-4305");
      script_bugtraq_id(19660);

      script_name(english:"SAP DB / MaxDB WebDBM Client Database Name Remote Overflow");
      script_summary(english:"Gets version of Web DBM");

      # Text shown in the report when the plugin fires.
      script_set_attribute(attribute:"synopsis", value:"The remote web server is prone to a buffer overflow attack.");
      script_set_attribute(attribute:"description", value:
    "The remote host is running SAP DB or MaxDB, a SAP-certified open-
    source database supporting OLTP and OLAP. 
    
    According to its version, the Web DBM component of MaxDB on the remote
    host reportedly contains a buffer overflow that can be triggered by an
    HTTP request containing a long database name.  An unauthenticated
    remote attacker may be able to exploit this flaw to execute arbitrary
    code on the affected host subject to the privileges of the 'wahttp'
    process. 
    
    Note that on Windows the 'wahttp' process runs with 'SYSTEM'
    privileges so a successful attack may result in a complete compromise
    of the affected system.");
      script_set_attribute(attribute:"see_also", value:"http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2006-009.txt");
      script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/444601/30/0/threaded");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Web DBM version 7.6.00.31 or later as that is reported to
    fix the issue.");

      # Risk scoring and exploit availability.
      # NOTE(review): exploit_available is "false" although a Metasploit
      # module name is declared two lines below — confirm which is intended.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_set_attribute(attribute:"metasploit_name", value:'MaxDB WebDBM Database Parameter Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

      # Timeline.
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/08/29");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/08/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/09/06");

      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
      script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

      # Needs the HTTP banner and, for the paranoia gate, an OS fingerprint.
      script_dependencies("http_version.nasl", "os_fingerprint.nasl");
      script_require_ports("Services/www", 9999);

      exit(0);
    }
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    
    # Unless the scan is paranoid (report_paranoia >= 2), only continue when
    # the fingerprinted OS is Windows or unknown: non-Windows builds (e.g. the
    # Debian MaxDB package) would otherwise yield false positives.
    os = get_kb_item("Host/OS");
    if (report_paranoia < 2)
    {
      if (os && "Windows" >!< os) exit(0);
    }

    port = get_http_port(default:9999);

    # Only proceed when the Server header identifies Web DBM.
    banner = get_http_banner(port:port);
    if (!banner) exit(0);
    if ("Server: SAP-Internet-SapDb-Server" >!< banner) exit(0);
    
    
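    # Get the version number from the VERSION page of Web DBM.
    r = http_send_recv3(method:"GET", item:"/webdbm?Page=VERSION", port:port);
    if (isnull(r)) exit(0);
    res = r[2];

    ver = NULL;
    build = NULL;
    # m[1] captures the cell class, m[3] the numeric text of the cell.
    # Keep this pattern on a single line: the character class '[0-9][0-9.-]+'
    # must not be wrapped, otherwise a literal newline ends up inside the
    # class and the version cells no longer match.
    pat = '<td class="(dbmSTbvCellStd|dbmSTbvCellLast|table[0-9]).*>(&nbsp;)*([0-9][0-9.-]+) *(&nbsp;)*</';
    matches = egrep(pattern:pat, string:res);
    if (matches)
    {
      foreach match (split(matches))
      {
        match = chomp(match);
        m = eregmatch(pattern:pat, string:match);
        if (!isnull(m))
        {
          # "CellStd" cells hold the version; "CellLast" cells hold the build.
          # Generic "tableN" cells are told apart by their value: three digits
          # followed by a dash is a build number, anything else a version.
          if ("table" >< m[1] && m[3] !~ "^[0-9]{3}-") ver = chomp(m[3]);
          if ("CellStd" >< m[1]) ver = chomp(m[3]);
          if ("CellLast" >< m[1] || ("table" >< m[1] && m[3] =~ "^[0-9]{3}-"))
          {
            build = m[3];
            # Reduce "NNN-..." to the integer NNN so it can be compared.
            if (build =~ "^([0-9][0-9][0-9])-.*")
            {
              build = ereg_replace(pattern:"^([0-9][0-9][0-9])-.*", replace:"\1", string:build);
              build = int(build);
            }
          }
        }
      }
    }
    # Without a version there is nothing to compare; the build is optional.
    if (isnull(ver)) exit(0);
    if (!isnull(build)) ver += "." + build;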
    
    
    # Affected when the version is below 7.6.00.31.
    # ver is "major.minor.patch" plus ".build" when the page supplied one.
    iver = split(ver, sep:'.', keep:FALSE);
    major = int(iver[0]);
    minor = int(iver[1]);

    vuln = FALSE;
    if (major < 7) vuln = TRUE;
    else if (major == 7)
    {
      if (minor < 6) vuln = TRUE;
      # Only the 7.6.00 line is compared by build; when no build number was
      # found the version is inconclusive and nothing is reported.
      else if (minor == 6 && int(iver[2]) == 0 && !isnull(iver[3]) && int(iver[3]) < 31) vuln = TRUE;
    }

    if (vuln)
    {
      report = string(
        "According to its banner, MaxDB / SAP DB version ", ver, " is installed\n",
        "on the remote host.\n"
      );
      security_hole(port:port, extra: report);
    }
    
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1190.NASL
    description: Oliver Karow discovered that the WebDBM frontend of the MaxDB database performs insufficient sanitising of requests passed to it, which might lead to the execution of arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id22904
    published2006-10-25
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22904
    titleDebian DSA-1190-1 : maxdb-7.5.00 - buffer overflow
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1190. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22904);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:19");

      script_cve_id("CVE-2006-4305");
      script_xref(name:"DSA", value:"1190");

      script_name(english:"Debian DSA-1190-1 : maxdb-7.5.00 - buffer overflow");
      script_summary(english:"Checks dpkg output for the updated package");

      # Advisory text (see the file header for its copyright) and remediation.
      script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");
      script_set_attribute(attribute:"description", value:
    "Oliver Karow discovered that the WebDBM frontend of the MaxDB database
    performs insufficient sanitising of requests passed to it, which might
    lead to the execution of arbitrary code.");
      script_set_attribute(attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=386182");
      script_set_attribute(attribute:"see_also", value:"http://www.debian.org/security/2006/dsa-1190");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the maxdb-7.5.00 package.
    
    For the stable distribution (sarge) this problem has been fixed in
    version 7.5.00.24-4.");

      # Risk scoring and exploit availability.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'MaxDB WebDBM Database Parameter Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:maxdb-7.5.00");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");

      # Timeline.
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/08/29");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/10/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/25");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");

      # Needs the dpkg -l listing gathered over SSH.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Local checks must be enabled and the host must be Debian with a package list.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

    # Binary packages of maxdb-7.5.00 on sarge (release 3.1); the host is
    # affected if any installed one is older than the fixed upload.
    fixed = "7.5.00.24-4";
    pkgs = make_list(
      "libsqldbc7.5.00",
      "libsqldbc7.5.00-dev",
      "libsqlod7.5.00",
      "libsqlod7.5.00-dev",
      "maxdb-dbanalyzer",
      "maxdb-dbmcli",
      "maxdb-loadercli",
      "maxdb-lserver",
      "maxdb-server",
      "maxdb-server-7.5.00",
      "maxdb-server-dbg-7.5.00",
      "maxdb-sqlcli",
      "maxdb-webtools",
      "python-maxdb",
      "python-maxdb-loader",
      "python2.3-maxdb",
      "python2.3-maxdb-loader",
      "python2.4-maxdb",
      "python2.4-maxdb-loader"
    );

    flag = 0;
    foreach pkg (pkgs)
    {
      if (deb_check(release:"3.1", prefix:pkg, reference:fixed)) flag++;
    }

    if (flag)
    {
      # deb_report_get() holds the per-package details collected by deb_check().
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/82925/maxdb_webdbm_database.rb.txt
idPACKETSTORM:82925
last seen2016-12-05
published2009-10-30
reporterMC
sourcehttps://packetstormsecurity.com/files/82925/MaxDB-WebDBM-Database-Parameter-Overflow.html
titleMaxDB WebDBM Database Parameter Overflow

Saint

bid19660
description: MySQL MaxDB WebDBM database name buffer overflow
idweb_tool_maxdbver
osvdb28300
titlemaxdb_webdbm_database_name
typeremote