CVE-2009-1210
published 2009-04-01

Priority P259 · critical · 10 · CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 15.23% (96.3th percentile)
Format string vulnerability in the PROFINET/DCP (PN-DCP) dissector in Wireshark 1.0.6 and earlier allows remote attackers to execute arbitrary code via a PN-DCP packet with format string specifiers in the station name. NOTE: some of these details are obtained from third party information.

Affected

47 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wireshark | < wireshark 1.0.7-1 (bookworm) | wireshark 1.0.7-1 (bookworm) |
| wireshark | wireshark | <= 1.0.5 | |
| wireshark | wireshark | | |

Detection & IOCs (extracted from sources)

filename: formatstringbug.pcap
other: %n%n%n
bytes: \xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00\x01\x00\x00\x00
  • Detect PN-DCP packets containing format string specifiers (e.g., %n, %x, %s) in the station name field of PROFINET/DCP dissector traffic
  • Monitor for replay of crafted pcap files named 'formatstringbug.pcap' via tcpreplay against network interfaces, indicative of PoC exploitation attempts
  • A Wireshark crash or unexpected termination while parsing Ethernet frames with EtherType 0x8892 (PROFINET) may indicate an exploitation attempt
  • Disable PN-DCP and related PROFINET dissectors in Wireshark to mitigate; list pn_dcp, pn_mrp, pn_mrrt, pn_ptcp, pn_rt in the disabled_protos configuration file
  • The format string exploit payload is caught by FORTIFY_SOURCE on Red Hat Enterprise Linux 5 and later, reducing the impact on those platforms to a non-exploitable crash rather than code execution
  • Workaround: disable all PROFINET dissectors via the Wireshark GUI (Analyze -> Enabled Protocols) or via the disabled_protos configuration file (~/.wireshark/disabled_protos or /usr/share/wireshark/disabled_protos)
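
A sketch of the first detection idea above, added here as an example and not taken from any of the cited sources: it walks a classic pcap file, picks out frames with EtherType 0x8892 and flags any whose payload contains printf-style conversion specifiers. It is a byte-level heuristic that does not decode the PN-DCP station name field, so binary payloads can produce false positives; the function names and the sample frames are constructed for illustration.

```python
import re
import struct

PROFINET_ETHERTYPE = 0x8892   # EtherType named on this page
VLAN_ETHERTYPE = 0x8100       # an 802.1Q tag may precede the real EtherType
# printf-style conversions (%n, %x, %s, ...) with optional flags/width/length
FMT_SPEC = re.compile(rb"%[-+ #0-9.$hlLqjzt]*[nxXsdiupc]")

def iter_frames(pcap: bytes):
    """Yield raw link-layer frames from a classic (non-pcapng) capture."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24                                  # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "IIII", pcap, off)[2]
        off += 16
        if off + incl_len > len(pcap):
            break                             # truncated final record
        yield pcap[off:off + incl_len]
        off += incl_len

def suspicious_profinet_frames(pcap: bytes):
    """Return [(frame_index, [specifiers])] for flagged PROFINET frames."""
    hits = []
    for idx, frame in enumerate(iter_frames(pcap)):
        if len(frame) < 14:
            continue
        etype, start = struct.unpack_from("!H", frame, 12)[0], 14
        if etype == VLAN_ETHERTYPE and len(frame) >= 18:
            etype, start = struct.unpack_from("!H", frame, 16)[0], 18
        if etype != PROFINET_ETHERTYPE:
            continue
        specs = FMT_SPEC.findall(frame[start:])
        if specs:
            hits.append((idx, specs))
    return hits

def record(frame: bytes) -> bytes:
    """Wrap a frame in a little-endian pcap record header (timestamps zero)."""
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed sample: the 24 global-header bytes quoted on this page, then two
# made-up frames (not valid PN-DCP), one benign and one carrying %n%n%n.
GLOBAL_HDR = b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"\x00" * 8 + b"\xff\xff\x00\x00\x01\x00\x00\x00"
ETH = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x88\x92"
SAMPLE = GLOBAL_HDR + record(ETH + b"\x00" * 12 + b"plc-line-7") + record(ETH + b"\x00" * 12 + b"%n%n%n")

if __name__ == "__main__":
    print(suspicious_profinet_frames(SAMPLE))
```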

CVSS provenance

nvd · v2.0 · 10.0 · CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
osv · 10.0 · CRITICAL
vendor_debian · 10.0 · LOW
vendor_redhat · 10.0 · CRITICAL