CVE-2010-1185

SAP MaxDB Malformed Handshake Request Remote Code Execution Vulnerability

Severity Score

10.0

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Stack-based buffer overflow in serv.exe in SAP MaxDB 7.4.3.32, and 7.6.0.37 through 7.6.06 allows remote attackers to execute arbitrary code via an invalid length parameter in a handshake packet to TCP port 7210. NOTE: some of these details are obtained from third party information.

Desbordamiento de búfer basado en pila en serv.exe de SAP MaxDB v7.4.3.32, y v7.6.0.37 hasta la v7.6.06. Permite a atacantes remotos ejecutar código de su elección a través de un parámetro de longitud inválido en un paquete de "handshake" (establecimiento de conexión) al puerto TCP 7210. NOTA: algunos de estos detalles han sido obtenidos de información de terceras partes.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP MaxDB. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the serv.exe process which listens by default on TCP port 7210. The process trusts a value from a handshake packet and uses it as a length when copying data to the stack. If provided a malicious value and packet data, this can be leveraged to execute arbitrary code under the context of the SYSTEM user.

*Credits: AbdulAziz Hariri of Insight Technologies

CVSS Scores

NISTv2 10.0

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2010-03-16 CVE Published
2010-03-26 First Exploit
2010-03-29 CVE Reserved
2024-07-01 EPSS Updated
2024-08-07 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CAPEC

References (9)

URL	Tag	Source
http://osvdb.org/63047	Vdb Entry
http://www.securityfocus.com/archive/1/510125/100/0/threaded	Mailing List
http://www.securitytracker.com/id?1023719	Vdb Entry
http://www.zerodayinitiative.com/advisories/ZDI-10-032	X_refsource_misc
https://exchange.xforce.ibmcloud.com/vulnerabilities/56950	Vdb Entry

URL	Date	SRC
https://www.exploit-db.com/exploits/11886	2010-03-26
http://www.securityfocus.com/bid/38769	2024-08-07

URL	Date	SRC

URL	Date	SRC
http://secunia.com/advisories/38955	2018-10-10
http://www.vupen.com/english/advisories/2010/0643	2018-10-10

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sap Search vendor "Sap"		Maxdb Search vendor "Sap" for product "Maxdb"				7.4.3.32 Search vendor "Sap" for product "Maxdb" and version "7.4.3.32"		-		Affected
Sap Search vendor "Sap"		Maxdb Search vendor "Sap" for product "Maxdb"				7.6.0.37 Search vendor "Sap" for product "Maxdb" and version "7.6.0.37"		-		Affected
Sap Search vendor "Sap"		Maxdb Search vendor "Sap" for product "Maxdb"				7.6.06 Search vendor "Sap" for product "Maxdb" and version "7.6.06"		-		Affected