CVE-2008-0964
published 2008-08-08

Priority: P2 · 59 · critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 13.51% (96.0th percentile)
Multiple stack-based buffer overflows in snoop on Sun Solaris 8 through 10 and OpenSolaris before snv_96, when the -o option is omitted, allow remote attackers to execute arbitrary code via a crafted SMB packet.

Affected (17 ranges)

Vendor  Product      Version range     Fixed in
sun     opensolaris  <= build_snv_95
sun     opensolaris
sun     opensolaris
sun     opensolaris
sun     opensolaris
sun     opensolaris
sun     opensolaris
sun     opensolaris
sun     opensolaris
sun     opensolaris
sun     opensolaris
sun     solaris
sun     solaris
sun     solaris
sun     sunos
sun     sunos
sun     sunos

Detection & IOCs (extracted from sources)

  • other: SMB_COMMAND_TRIGGER=0x72
  • path: /usr/sbin/snoop
  • other: system() address 0xd2adc2a0 (SunOS 5.11 snv_86 i86pc i386)
  • other: system() address 0xff1a7c00 (SunOS 5.10 Generic_118833-33 sun4u sparc)
  • bytes: \xffSMB with command byte 0x72
  • Detect crafted SMB packets on port 445 whose SMB command byte is 0x72 (SMB_COM_NEGOTIATE, abused through the dialect negotiation) sent to a Solaris host running snoop in promiscuous mode: the exploit triggers a stack-based buffer overflow in snoop's SMB packet parser.
  • The exploit payload is structured as ';COMMAND;' followed by padding up to 256 bytes (the size of the dialect[256] buffer) and then a 4-byte little-endian return address overwrite; look for anomalously long SMB dialect strings in NetBIOS Session Service / raw TCP/445 traffic.
  • Monitor the snoop process for SIGSEGV (signal 11) crashes; these indicate exploitation attempts even when the overflow did not achieve code execution.
  • The exploit only triggers when snoop is run WITHOUT the -o option (which writes the capture to a file), so detection should focus on snoop processes launched in live/promiscuous capture mode on port 445.
  • Return addresses are platform-specific; the exploit includes two hardcoded system() addresses, one for SunOS 5.11 snv_86 i86pc and one for SunOS 5.10 Generic_118833-33 sun4u sparc. Detection signatures based on these addresses will only match those exact binary versions.
  • The vulnerability affects Sun Solaris 8 through 10 and OpenSolaris before snv_96; systems running snv_96 or later are not affected by this specific CVE.
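The detection notes above describe the traffic pattern to look for: an SMB1 negotiate request (command byte 0x72) whose dialect string is far longer than the 256-byte buffer snoop uses. The following Python is an added example written for this page, not code from the page's sources or from any referenced exploit. It parses the SMB1 header and the dialect list of a negotiate request and flags any dialect string at or above the buffer size. The two sample packets are constructed inline: the suspicious one carries only a long run of 'A' bytes, no exploit content, and the `DIALECT_BUFFER_LEN` threshold is taken from the dialect[256] size stated in the notes.

```python
"""Added detection example for CVE-2008-0964 (not from the original page).

Flags SMB_COM_NEGOTIATE requests whose dialect string is at least as long
as snoop's 256-byte dialect buffer. Sample packets below are constructed.
"""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECT_BUFFER_LEN = 256  # size of snoop's dialect[256] buffer (from the page's notes)
SMB1_HEADER_LEN = 32


def parse_negotiate_dialects(payload: bytes):
    """Return the dialect strings of an SMB1 negotiate request, or None if the
    payload is not one. Layout after the 32-byte header: WordCount (1 byte),
    WordCount*2 parameter bytes, ByteCount (2 bytes LE), then dialect entries,
    each a 0x02 byte followed by a NUL-terminated string."""
    if len(payload) < SMB1_HEADER_LEN + 3 or payload[:4] != SMB_MAGIC:
        return None
    if payload[4] != SMB_COM_NEGOTIATE:
        return None
    word_count = payload[SMB1_HEADER_LEN]
    pos = SMB1_HEADER_LEN + 1 + 2 * word_count
    if pos + 2 > len(payload):
        return None
    (byte_count,) = struct.unpack_from("<H", payload, pos)
    pos += 2
    data = payload[pos:pos + byte_count]

    dialects = []
    i = 0
    while i < len(data):
        if data[i] != 0x02:  # malformed entry: stop rather than guess
            break
        end = data.find(b"\x00", i + 1)
        if end == -1:
            end = len(data)  # unterminated string: take the remainder as-is
        dialects.append(data[i + 1:end])
        i = end + 1
    return dialects


def is_suspicious_negotiate(payload: bytes, limit: int = DIALECT_BUFFER_LEN) -> bool:
    """True when any dialect string would overrun a buffer of `limit` bytes."""
    dialects = parse_negotiate_dialects(payload)
    if dialects is None:
        return False
    return any(len(d) >= limit for d in dialects)


def scan_payloads(payloads):
    """Return the indices of payloads that match the detection rule."""
    return [i for i, p in enumerate(payloads) if is_suspicious_negotiate(p)]


def build_negotiate(dialects):
    """Construct a minimal SMB1 negotiate request (test vector only)."""
    header = SMB_MAGIC + bytes([SMB_COM_NEGOTIATE]) + bytes(SMB1_HEADER_LEN - 5)
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    return header + b"\x00" + struct.pack("<H", len(body)) + body


# Constructed samples: a normal client negotiate and an oversized dialect string.
BENIGN = build_negotiate([b"NT LM 0.12", b"SMB 2.002"])
SUSPICIOUS = build_negotiate([b"A" * 300])  # constructed: padding only, no exploit content
NOT_SMB = b"\x00" * 40


if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("suspicious", SUSPICIOUS), ("not smb", NOT_SMB)):
        print(f"{name:10s} dialects={parse_negotiate_dialects(pkt)!r} flagged={is_suspicious_negotiate(pkt)}")
```

In practice the payload handed to `is_suspicious_negotiate` is the TCP/445 segment after the 4-byte NetBIOS Session Service length prefix; the rule keys on the 0x72 command byte and dialect length, not on the platform-specific return addresses, so it is not tied to one binary version.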