CVE-2005-0709

MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10 - Authenticated Remote Code Execution via CREATE FUNCTION

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2005-0709. PoCs published by Stefano Di Paola.

AI-analyzed exploit summary: This Perl script exploits CVE-2005-0709 by leveraging MySQL's CREATE FUNCTION to load libc functions (on_exit, strcat, exit) and manipulate memory to execute arbitrary shellcode, achieving remote code execution. It requires authenticated access with sufficient privileges to create functions.

Description

MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10, allows remote authenticated users with INSERT and DELETE privileges to execute arbitrary code by using CREATE FUNCTION to access libc calls, as demonstrated by using strcat, on_exit, and exit.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Stefano Di Paola · perl · remote · multiple
https://www.exploit-db.com/exploits/25209


Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: MySQL <= 4.0.23, 4.1.10
Auth required
Prerequisites: Authenticated MySQL access with CREATE FUNCTION privileges · Ability to connect to the target MySQL server
devstral-2 · analyzed Feb 18, 2026

References (15)

Core References
Patch vendor-advisory x_refsource_trustix
http://www.trustix.org/errata/2005/0009/
Patch vendor-advisory x_refsource_debian
http://www.debian.org/security/2005/dsa-707
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2005-334.html
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/96-1/
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2005-348.html
Vendor Advisory vendor-advisory x_refsource_mandrake
http://www.mandriva.com/security/advisories?name=MDKSA-2005:060
Patch vendor-advisory x_refsource_gentoo
http://www.gentoo.org/security/en/glsa/glsa-200503-19.xml
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/12781
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=111066115808506&w=2
Exploit mailing-list x_refsource_vulnwatch
http://archives.neohapsis.com/archives/vulnwatch/2005-q1/0084.html
Vendor Advisory vendor-advisory x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101864-1
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2005/Aug/msg00000.html
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10479
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2005//Aug/msg00001.html

Scores

EPSS 0.1844
EPSS Percentile 96.9%

Details

CWE: CWE-94
Status: published
Products (30)
mysql/mysql 4.1.0
mysql/mysql 4.1.3
mysql/mysql 4.1.10
oracle/mysql 3.23.49
oracle/mysql 4.0.0
oracle/mysql 4.0.1
oracle/mysql 4.0.2
oracle/mysql 4.0.3
oracle/mysql 4.0.4
oracle/mysql 4.0.5
... and 20 more
Published May 02, 2005
Tracked Since Feb 18, 2026