CVE-2009-1210
Published 2009-04-01
Priority: P2 (59). CVSS 2.0: 10.0, critical. Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public PoC available (see references). EPSS: 15.23% (96.3rd percentile)
Format string vulnerability in the PROFINET/DCP (PN-DCP) dissector in Wireshark 1.0.6 and earlier allows remote attackers to execute arbitrary code via a PN-DCP packet with format string specifiers in the station name. NOTE: some of these details are obtained from third party information.
Affected
47 ranges recorded by the sources; the two rows below are the ones that carry version data. The remaining entries (vendor wireshark, product wireshark) had no version range or fix version in the extraction and are omitted.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wireshark | < 1.0.7-1 | 1.0.7-1 (bookworm and later; see the Debian record below) |
| wireshark | wireshark | <= 1.0.5 | — |
The upstream range is narrower than reality: the CVE description and the Wireshark advisory wnpa-sec-2009-02 state that 1.0.6 and earlier are affected, with the fix shipping in 1.0.7. Treat any Wireshark below 1.0.7 as vulnerable.
Detection & IOCs (extracted from sources)
- bytes: \xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00\x01\x00\x00\x00
  Caveat: this is the 24-byte libpcap global header (magic 0xa1b2c3d4 stored little-endian, format version 2.4, snaplen 65535, link type 1 = Ethernet). It opens the pcap file that the public PoC writes, but it also opens every other little-endian Ethernet pcap, so it identifies the file format, not the exploit.
- Detect PN-DCP packets (EtherType 0x8892) whose NameOfStation value contains printf-style conversion specifiers (%n, %x, %s, ...). A conforming station name is limited to lowercase letters, digits, '-' and '.', so any '%' is already out of spec.
- Monitor for replay of a crafted pcap named 'formatstringbug.pcap' via tcpreplay against a network interface, indicative of PoC exploitation attempts. The file name is trivially changed, so treat it as a low-confidence indicator.
- A Wireshark crash or unexpected termination while parsing Ethernet frames with EtherType 0x8892 (PROFINET) may indicate an exploitation attempt.
- Workaround: disable the PROFINET dissectors, either in the Wireshark GUI (Analyze -> Enabled Protocols) or by listing pn_dcp, pn_mrp, pn_mrrt, pn_ptcp and pn_rt, one name per line, in the disabled_protos file (~/.wireshark/disabled_protos for one user, /usr/share/wireshark/disabled_protos system-wide).
- On Red Hat Enterprise Linux 5 and later the format string payload is caught by FORTIFY_SOURCE, which reduces the exploit to a non-exploitable abort rather than code execution on those platforms.
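The first detection item above can be turned into a concrete check. The following is an added example, not code from the advisory, the PoC or the Wireshark project: a minimal PN-DCP parser that walks the Ethernet header (with or without an 802.1Q tag), the PROFINET FrameID and DCP header, and the TLV blocks, and flags any NameOfStation value (option 0x02, suboption 0x02 in PROFINET DCP) containing a printf conversion. It also includes a classic-pcap reader, so the check can run over a capture such as the one the PoC generates, and shows that the "IOC" bytes above are exactly that reader's file header. The frame IDs, option numbers and block layout are from the PROFINET DCP specification as the author recalls it; treating Hello requests like responses (a 2-byte BlockInfo before each value) is an assumption, and the MAC addresses, names and capture used as input are constructed for the example.

```python
# Added example, not code from the advisory, the PoC or the Wireshark project.
# Layout assumed: Ethernet / optional 802.1Q tag / EtherType 0x8892 / FrameID / DCP header / TLV blocks.
import re
import struct

ETHERTYPE_VLAN, ETHERTYPE_PROFINET = 0x8100, 0x8892
DCP_FRAME_IDS = {0xFEFC, 0xFEFD, 0xFEFE, 0xFEFF}  # Hello, Get/Set, Identify request, Identify response
DCP_SERVICE_SET, DCP_SERVICE_HELLO = 0x04, 0x06
OPT_DEVICE_PROPERTIES, SUBOPT_NAME_OF_STATION = 0x02, 0x02
# The 24 "IOC" bytes from this page: a little-endian libpcap global header
# (magic a1b2c3d4, version 2.4, snaplen 65535, link type 1 = Ethernet).
PCAP_GLOBAL_HEADER = bytes.fromhex("d4c3b2a1 02000400 00000000 00000000 ffff0000 01000000")
# printf conversion: flags, width, precision, length modifier, conversion character ("%%" is a literal, not matched).
FORMAT_SPEC = re.compile(rb"%[-+ #0]*[0-9*]*(?:\.[0-9*]*)?(?:hh|h|ll|l|L|j|z|t)?[diouxXeEfFgGaAcspn]")

def dcp_header(frame):
    """Return (service_id, service_type, dcp_body) for a PN-DCP frame, else None."""
    try:
        off = 14
        ethertype = struct.unpack_from("!H", frame, 12)[0]
        if ethertype == ETHERTYPE_VLAN:  # PROFINET RT frames are normally 802.1Q tagged
            ethertype = struct.unpack_from("!H", frame, 16)[0]
            off = 18
        if ethertype != ETHERTYPE_PROFINET:
            return None
        frame_id, service_id, service_type, _xid, _delay, data_len = struct.unpack_from("!HBBIHH", frame, off)
    except struct.error:  # truncated frame
        return None
    if frame_id not in DCP_FRAME_IDS:
        return None
    return service_id, service_type, frame[off + 12:off + 12 + data_len]

def iter_dcp_blocks(service_id, service_type, body):
    """Yield (option, suboption, value) for each TLV block in a DCP body."""
    # Responses carry a 2-byte BlockInfo before the value and Set requests a 2-byte
    # BlockQualifier; Identify-request filter blocks carry neither. Hello: assumption.
    prefix = 2 if (service_type & 1) or service_id in (DCP_SERVICE_SET, DCP_SERVICE_HELLO) else 0
    off = 0
    while off + 4 <= len(body):
        option, suboption, blen = struct.unpack_from("!BBH", body, off)
        off += 4
        yield option, suboption, body[off + prefix:off + blen]
        off += blen + (blen & 1)  # every block is padded to an even length

def scan_frame(frame):
    """Return [(station_name, [specifiers])] for each NameOfStation holding a conversion."""
    parsed = dcp_header(frame)
    if parsed is None:
        return []
    hits = []
    for option, suboption, value in iter_dcp_blocks(*parsed):
        if (option, suboption) == (OPT_DEVICE_PROPERTIES, SUBOPT_NAME_OF_STATION):
            specs = FORMAT_SPEC.findall(value)
            if specs:  # a conforming name uses only [a-z0-9.-], so any '%' is already out of spec
                hits.append((value, specs))
    return hits

def iter_pcap_frames(data):
    """Yield packet records from a classic (not pcapng) Ethernet capture."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    _maj, _min, _zone, _sig, _snap, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    if linktype != 1:
        raise ValueError("expected LINKTYPE_ETHERNET")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def scan_pcap(data):
    """Return [(frame_index, hit)] for a whole capture."""
    return [(i, hit) for i, frame in enumerate(iter_pcap_frames(data)) for hit in scan_frame(frame)]

def build_dcp_frame(name, service_id=0x05, service_type=0x01, frame_id=0xFEFF, vlan=True):
    """Constructed test input: one DCP frame carrying a single NameOfStation block."""
    prefix = b"\x00\x00" if (service_type & 1) or service_id in (DCP_SERVICE_SET, DCP_SERVICE_HELLO) else b""
    value = prefix + name
    block = struct.pack("!BBH", OPT_DEVICE_PROPERTIES, SUBOPT_NAME_OF_STATION, len(value)) + value
    block += b"\x00" * (len(value) & 1)
    eth = bytes.fromhex("010ecf000000 001122334455")  # made-up destination and source MACs
    if vlan:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, 0xC000)  # PCP 6, VID 0
    dcp = struct.pack("!HHBBIHH", ETHERTYPE_PROFINET, frame_id, service_id, service_type, 0x1234, 0, len(block))
    return eth + dcp + block

def build_pcap(frames):
    """Constructed test input: a little-endian classic pcap wrapping the given frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 0xFFFF, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1238544000 + i, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    capture = build_pcap([build_dcp_frame(b"plc-line-1"), build_dcp_frame(b"%08x.%08x.%n")])
    for index, (name, specs) in scan_pcap(capture):
        print(f"frame {index}: NameOfStation {name!r} contains {specs}")
```

To run it over a real capture, pass `open(path, "rb").read()` to `scan_pcap`; pcapng files must first be converted with `editcap -F pcap`. Note that `build_pcap([])` reproduces the 24 bytes listed above exactly, which is the point of the caveat: they mark a pcap file, not this exploit.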
CVSS provenance
| Source | CVSS version | Score | Severity label | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | LOW (Debian's own label; the score is unchanged) | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |
GHSA
GHSA-mgcw-89jj-vw5f (ghsa_unreviewed, 2022-05-02): CVE-2009-1210, rated HIGH, CWE-134 (Use of Externally-Controlled Format String). Description identical to the CVE text above.
OSV
CVE-2009-1210 (osv, 2009-04-01, CVSS 10.0): rated CRITICAL. Description identical to the CVE text above.
Red Hat
Unrelated record returned alongside this CVE: CVE-2009-5017, "Firefox: overlong UTF-8 sequence detection problem" (vendor_redhat, 2009-08-21, CVSS 4.3, MEDIUM). Mozilla Firefox before 3.6 Beta 3 does not properly handle overlong UTF-8 encoding, which makes it easier for remote attackers to bypass cross-site scripting (XSS) protection mechanisms via a crafted string, a different vulnerability than CVE-2010-1210. It concerns Firefox, not Wireshark.
Red Hat
wireshark: format string in PROFINET dissector (vendor_redhat, 2009-03-30, CVSS 10.0): CVE-2009-1210, rated CRITICAL. Description identical to the CVE text above.
Debian
CVE-2009-1210: wireshark (vendor_debian, 2009, CVSS 10.0): rated CRITICAL. Description identical to the CVE text above.
Scope: local
bookworm: resolved (fixed in 1.0.7-1)
bullseye: resolved (fixed in 1.0.7-1)
forky: resolved (fixed in 1.0.7-1)
sid: resolved (fixed in 1.0.7-1)
trixie: resolved (fixed in 1.0.7-1)
No detection rules found.
Bugzilla
Unrelated record returned alongside this CVE: CVE-2009-5017 Firefox: overlong UTF-8 sequence detection problem (bugzilla, 2010-11-23, CVSS 4.3, MEDIUM). It concerns Firefox, not Wireshark.
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-5017 to the following vulnerability:
Mozilla Firefox before 3.6 Beta 3 does not properly handle overlong UTF-8 encoding, which makes it easier for remote attackers to bypass cross-site scripting (XSS) protection mechanisms via a crafted string, a different vulnerability than CVE-2010-1210.
References:
[1] http://sirdarckcat.blogspot.com/2009/10/couple-of-unicode-issues-on-php-and.html
[2] http://hg.mozilla.org/releases/mozilla-1.9.2/rev/e42c563313a0
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=511859
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=522634
Reference public PoC:
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=511859#c1
Upstream change
Bugzilla
CVE-2009-1210 wireshark: format string in PROFINET dissector (bugzilla, 2009-04-03, CVSS 10.0): rated CRITICAL.
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1210 to the following vulnerability:
Format string vulnerability in the PROFINET/DCP (PN-DCP) dissector in Wireshark 1.0.6 and earlier allows remote attackers to execute arbitrary code via a PN-DCP packet with format string specifiers in the station name. NOTE: some of these details are obtained from third party information.
References:
http://www.milw0rm.com/exploits/8308
http://www.securityfocus.com/bid/34291
http://secunia.com/advisories/34542
http://xforce.iss.net/xforce/xfdb/49512
Discussion:
Upstream bug report:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3382
Upstream SVN commit, fixing multiple format string flaws across wireshark sources:
References (aggregated):
- http://www.wireshark.org/security/wnpa-sec-2009-02.html
- https://www.exploit-db.com/exploits/8308
- http://www.securityfocus.com/bid/34291
- http://www.securityfocus.com/archive/1/502745/100/0/threaded
- https://exchange.xforce.ibmcloud.com/vulnerabilities/49512
- http://www.debian.org/security/2009/dsa-1785
- http://www.redhat.com/support/errata/RHSA-2009-1100.html
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg00675.html
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01167.html
- https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01213.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:088
- http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00003.html
- http://wiki.rpath.com/Advisories:rPSA-2009-0062
- http://secunia.com/advisories/34542
- http://secunia.com/advisories/34778
- http://secunia.com/advisories/34970
- http://secunia.com/advisories/35133
- http://secunia.com/advisories/35224
- http://secunia.com/advisories/35416
- http://secunia.com/advisories/35464
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5976
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9526
Published: 2009-04-01