CVE-2004-0214
published 2004-11-03

Priority: P343
Severity: critical, 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 51.01% (98.8th percentile)

Buffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, Windows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba.

Affected

1 range

Vendor | Product | Version range | Fixed in
microsoft | internet_explorer | |

Detection & IOCs (extracted from sources)

process: explorer.exe
  • Trigger condition is a client connecting to an SMB share with an overly long share name — monitor SMB TREE_CONNECT requests containing abnormally long share name strings (hundreds of 'A' characters or equivalent padding).
  • The exploit is delivered via a malicious Samba server advertising a share with an excessively long name; detect anomalous SMB share name lengths in NetBIOS/SMB browse responses or TREE_CONNECT packets.
  • Crash or unexpected termination of explorer.exe or iexplore.exe following SMB share browsing activity should be treated as a potential exploitation indicator.
  • The PoC Samba configuration uses a share name composed of ~500+ repeated 'A' characters to trigger the overflow; the share is configured as public/writable/browseable, meaning no authentication is required from the victim client.
  • The malicious share path in the PoC is /tmp/testfolder — defenders running honeypots or canary Samba instances should note this path as a PoC artifact, not a reliable attacker indicator in the wild.