cbcvebase.
CVE-2004-0333
published 2004-11-23

CVE-2004-0333: Buffer overflow in the UUDeview package, as used in WinZip 6.2 through WinZip 8.1 SR-1, and possibly other packages, allows remote attackers to execute…

PriorityP349critical10CVSS 2.0
AVNACLAuNCCICAC
EXPLOIT
EPSS
24.23%
97.6th percentile
Buffer overflow in the UUDeview package, as used in WinZip 6.2 through WinZip 8.1 SR-1, and possibly other packages, allows remote attackers to execute arbitrary code via a MIME archive with certain long MIME parameters.

Affected

11 ranges
VendorProductVersion rangeFixed in
debianuudeview< uudeview 0.5.20 (bookworm)uudeview 0.5.20 (bookworm)
gentoolinux
uudeviewuudeview
uudeviewuudeview
uudeviewuudeview>= 0 < 0.5.200.5.20
uudeviewuudeview>= 0 < 0.5.200.5.20
uudeviewuudeview>= 0 < 0.5.200.5.20
uudeviewuudeview>= 0 < 0.5.200.5.20
winzipwinzip
winzipwinzip
winzipwinzip

Detection & IOCsextracted from sources · hover to see the quote

filenamesnooq.uue
commandnotepad.exe
otherINDEX=0xfffffff5
othertopSEH=0x7ffddffe (XP SP1 / Win2K SP1)
bytes
\x55\x8b\xec\x33\xf6\x56\x68\x2e\x65\x78\x65\x68\x65\x70\x61\x64\x68\x90\x6e\x6f\x74\x46\x56\x8d\x7d\xf1\x57
  • Look for UUE/MIME archive files with anomalously long MIME boundary or parameter strings (>268 bytes) in the Content-Type header, consistent with heap overflow triggering.
  • Detect MIME multipart archives where the 'boundary=' parameter in the Content-Type header is padded to ~1024 bytes, which is the exploit buffer size used in the PoC.
  • The exploit overwrites the per-thread top SEH pointer at 0x7ffddffe to redirect execution; monitor for SEH chain corruption at this address on Windows XP SP1 and Windows 2000 SP1 targets.
  • The heap overflow exploit uses a controlled 'index' value of 0xfffffff5 (-11) placed at offset 268 within the buffer to manipulate ECX/EDI via heap unlink primitives; flag .uue files containing this DWORD pattern.
  • Shellcode in the PoC spawns notepad.exe via WinExec; look for WinZip32 process spawning unexpected child processes (e.g., notepad.exe) after opening a .uue file.
  • ·Affected versions are WinZip 6.2 through WinZip 8.1 SR-1; the underlying vulnerable component is the UUDeview package, which may also be present in other software.
  • ·Debian resolved this vulnerability in UUDeview version 0.5.20 across all tracked branches (bookworm, bullseye, forky, sid, trixie).

CVSS provenance

nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
osv10.0CRITICAL
vendor_debian10.0MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.