CVE-2004-0176
published 2004-05-04


Priority: P3 (43, medium)
CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploit: available
EPSS: 67.09% (99.2th percentile)
Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors.

Affected

24 version ranges, all for vendor ethereal_group, product ethereal (the version-range and fixed-in columns were not recovered from the table).

Detection & IOCs (extracted from sources)

Byte pattern:
\x01\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x00\x39

  • Detect oversized IGAP packets whose igap_msgsize field exceeds 0x40 (64 bytes); the exploit sets igap_msgsize = 0x40 + PAYLOAD_SIZE to overflow the dissector's message buffer.
  • Detect an EIGRP IP Internal Routes TLV (type 0x0102) whose Length field is 0x0039 (57) where the correct value is 0x001C (28); this mismatch triggers the TLV_IP_INT overflow.
  • Monitor raw-socket (SOCK_RAW/IPPROTO_RAW) traffic carrying IGMP/IGAP (IP protocol 0x02) packets whose payload is significantly larger than the standard IGAP message structure (16 + 64 bytes).
  • After successful exploitation, watch for a bind shell listening on port 31337, spawned by the shellcode embedded in the IGAP exploit payload.
  • The IGAP exploit requires root privileges on the attacking machine to open a raw socket (SOCK_RAW).

CVSS provenance

nvd: CVSS v2.0, score 5.0, MEDIUM, vector AV:N/AC:L/Au:N/C:N/I:N/A:P
vendor_redhat: score 5.0, MEDIUM