CVE-2008-0964
Published 2008-08-08
Priority: P2 59 · Severity: critical · CVSS 2.0 base score: 9.3 (vector AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available (see References)
EPSS: 13.51% (96.0th percentile)
Multiple stack-based buffer overflows in snoop on Sun Solaris 8 through 10 and OpenSolaris before snv_96, when the -o option is omitted, allow remote attackers to execute arbitrary code via a crafted SMB packet.
Affected
17 ranges in the source; all but one carry no version data, so the rows collapse to one per product.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sun | opensolaris | <= build_snv_95 | snv_96 (from the description: OpenSolaris before snv_96 is affected) |
| sun | solaris | 8 through 10 (from the description) | — |
| sun | sunos | — (SunOS 5.8 through 5.10 are the Solaris 8 through 10 kernels) | — |
Detection & IOCs (extracted from sources)
IOC (bytes): SMB header `\xffSMB` followed by command byte 0x72 (SMB_COM_NEGOTIATE)
- Detect crafted SMB packets to TCP port 445 (or 139, the NetBIOS Session Service port) carrying SMB command byte 0x72 (SMB_COM_NEGOTIATE, dialect negotiation) on a segment where a Solaris host runs snoop in promiscuous/live decode mode; the packet triggers a stack-based buffer overflow in snoop's SMB NEGOTIATE parser. The target is the sniffer, not an SMB server: snoop decodes every segment it sees, so the packet does not have to be addressed to the Solaris host or belong to a completed TCP session.
- The public exploit's dialect string is ';COMMAND;' followed by padding that fills the 256-byte dialect[256] buffer, then a 4-byte return address overwrite (little-endian as written for the x86 target; a SPARC target is big-endian). Legitimate dialect strings such as "NT LM 0.12" are a few dozen bytes long, so look for anomalously long SMB dialect strings in NetBIOS Session Service / raw TCP/445 traffic.
- Monitor the snoop process for SIGSEGV (signal 11) crashes; a crash indicates an exploitation attempt even where the overflow did not achieve code execution.
- The overflow is only reached when snoop decodes packets, i.e. when it runs without -o (which writes raw packets to a file without decoding them). Detection should focus on snoop processes launched in live capture mode on port 445, with one caveat: a capture file read back later with `snoop -i` is decoded as well, so a crafted packet saved with -o can still trigger the bug when the file is replayed.
- Return addresses are platform-specific; the exploit includes two hardcoded system() addresses, one for SunOS 5.11 snv_86 i86pc and one for SunOS 5.10 Generic_118833-33 sun4u sparc. Signatures keyed on these addresses match only those exact binaries; key on the over-long dialect string instead.
- The vulnerability affects Sun Solaris 8 through 10 and OpenSolaris before snv_96; systems running snv_96 or later are not affected by this CVE.
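The detection logic the notes above describe, as an added example that is not part of the original page or of the public exploit: a small Python parser for NetBIOS-framed SMB1 NEGOTIATE requests (the framing used on both TCP/139 and TCP/445) that extracts the dialect list and flags any dialect that would not fit a 256-byte buffer, plus the ';command;' prefix shape. The frame builder, the sample dialects and the placeholder return address 0x41414141 are constructed for the demo; the real exploit's stack offsets and system() addresses are not reproduced.

```python
"""Flag over-long SMB_COM_NEGOTIATE dialect strings (CVE-2008-0964 shape)."""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECT_BUF = 256          # size of snoop's dialect[] stack buffer as the page describes it


def build_negotiate(dialects):
    """Constructed sample: NetBIOS/TCP-445 framed SMB1 NEGOTIATE request.

    Header layout follows SMB1; every field other than the magic and the
    command byte holds an arbitrary value chosen for this demo."""
    header = (
        SMB_MAGIC
        + bytes([SMB_COM_NEGOTIATE])            # Command
        + b"\x00" * 4                           # Status
        + b"\x18"                               # Flags
        + b"\x53\xc8"                           # Flags2
        + b"\x00" * 2                           # PIDHigh
        + b"\x00" * 8                           # SecuritySignature
        + b"\x00" * 2                           # Reserved
        + struct.pack("<HHHH", 0, 0xFEFF, 0, 0)  # TID, PID, UID, MID
    )
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)   # BufferFormat 0x02 + ASCIIZ
    body = b"\x00" + struct.pack("<H", len(data)) + data        # WordCount=0, ByteCount, Bytes
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb          # NBSS: type 0, 24-bit length


def crafted_dialect(command=b"id", ret_addr=0x41414141):
    """Constructed payload in the layout the page describes for the public exploit:
    ';COMMAND;', padding to fill the 256-byte buffer, then a 4-byte return address.
    0x41414141 is a placeholder, not a real system() address, and it is packed
    little-endian as for the x86 target (a SPARC target would be big-endian)."""
    cmd = b";" + command + b";"
    return cmd + b"A" * (DIALECT_BUF - len(cmd)) + struct.pack("<I", ret_addr)


def parse_negotiate_dialects(frame):
    """Return the dialect strings of a NEGOTIATE request, or None if frame is not one."""
    if len(frame) < 4 + 35 or frame[0] != 0x00:
        return None
    smb = frame[4:4 + int.from_bytes(frame[1:4], "big")]
    if len(smb) < 35 or smb[:4] != SMB_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return None
    if smb[32] != 0:                       # a NEGOTIATE request carries WordCount 0
        return None
    byte_count = struct.unpack_from("<H", smb, 33)[0]
    data = smb[35:35 + byte_count]
    dialects, i = [], 0
    while i < len(data):
        if data[i] != 0x02:                # every entry starts with BufferFormat 0x02
            break
        end = data.find(b"\x00", i + 1)
        if end < 0:                        # unterminated entry: take everything that is left
            end = len(data)
        dialects.append(data[i + 1:end])
        i = end + 1
    return dialects


def inspect_frame(frame, max_dialect=DIALECT_BUF - 1):
    """Report dialects that cannot fit a 256-byte buffer (255 chars + NUL) and
    dialects carrying the ';command;' prefix. Returns a list of findings."""
    findings = []
    dialects = parse_negotiate_dialects(frame)
    if not dialects:
        return findings
    for idx, d in enumerate(dialects):
        if len(d) > max_dialect:
            findings.append({"index": idx, "length": len(d),
                             "reason": "dialect exceeds %d-byte buffer" % DIALECT_BUF})
        if d.startswith(b";") and b";" in d[1:]:
            findings.append({"index": idx, "length": len(d),
                             "reason": "';command;' prefix"})
    return findings


if __name__ == "__main__":
    print(inspect_frame(build_negotiate([b"PC NETWORK PROGRAM 1.0", b"NT LM 0.12"])))
    print(inspect_frame(build_negotiate([b"NT LM 0.12", crafted_dialect()])))
```

To run this over real traffic, feed each TCP payload on ports 139 and 445 (for example from scapy or dpkt) to `inspect_frame`; for hunting rather than exact matching, lower `max_dialect` to something like 64, since no legitimate SMB1 dialect name comes close to that length.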
No detection rules found.
No writeups or analysis indexed.
References
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=734
http://secunia.com/advisories/31386
http://secunia.com/advisories/31535
http://sunsolve.sun.com/search/document.do?assetkey=1-26-240101-1
http://support.avaya.com/elmodocs2/security/ASA-2008-355.htm
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=766935
http://www.securityfocus.com/bid/30556
http://www.securitytracker.com/id?1020633
http://www.vupen.com/english/advisories/2008/2311
https://exchange.xforce.ibmcloud.com/vulnerabilities/44222
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5318
https://www.exploit-db.com/exploits/6328