CVE-2010-0304
published 2010-02-03

Priority: P2 · 64 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 73.67% (99.4th percentile)
Multiple buffer overflows in the LWRES dissector in Wireshark 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allow remote attackers to cause a denial of service (crash) via a malformed packet, as demonstrated using a stack-based buffer overflow to the dissect_getaddrsbyname_request function.

Affected

25 ranges
Vendor | Product | Version range | Fixed in
debian | wireshark | < wireshark 1.2.6-1 (bookworm) | wireshark 1.2.6-1 (bookworm)
wireshark | wireshark | |
wireshark | wireshark | |
wireshark | wireshark | |
wireshark | wireshark | |
wireshark | wireshark | |
wireshark | wireshark | |
wireshark | wireshark | |
wireshark | wireshark | |
wireshark | wireshark | |
wireshark | wireshark | |
wireshark | wireshark | |
wireshark | wireshark | |
wireshark | wireshark | |
wireshark | wireshark | |
wireshark | wireshark | |
wireshark | wireshark | |
wireshark | wireshark | |
wireshark | wireshark | |
wireshark | wireshark | |
wireshark | wireshark | |
wireshark | wireshark | >= 0 < 1.2.6-1 | 1.2.6-1
wireshark | wireshark | >= 0 < 1.2.6-1 | 1.2.6-1
wireshark | wireshark | >= 0 < 1.2.6-1 | 1.2.6-1
wireshark | wireshark | >= 0 < 1.2.6-1 | 1.2.6-1

Detection & IOCs (extracted from sources)

port: 921/UDP
bytes: \x00\x00\x01\x5d\x00\x00\x00\x00\x4b\x49\x1c\x52\x00\x01\x00\x01\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01
bytes: \x00\x00\x01\x5d\x00\x00\x00\x00\x4b\x49\x1c\x52\x00\x01\x00\x01\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01 [len 2 bytes] [payload] \x00\x00
  • The exploit targets UDP port 921 (LWRES default port). Monitor for oversized or malformed UDP datagrams to port 921 with the magic header bytes \x00\x00\x01\x5d.
  • The malicious LWRES packet begins with a fixed 36-byte header starting with \x00\x00\x01\x5d\x00\x00\x00\x00\x4b\x49\x1c\x52\x00\x01\x00\x01. Detect this byte pattern in UDP payloads on port 921.
  • The loop variant of the exploit sends the malicious packet to the multicast address 239.255.255.250 on UDP/921 repeatedly. Monitor for LWRES traffic to this multicast destination.
  • The vulnerable code path is only triggered when Wireshark/tshark renders the packet dissection. Fragmented packets must be fully reassembled before the overflow fires — look for UDP fragment reassembly of LWRES traffic.
  • On Windows targets, the exploit uses an SEH overwrite bypass (not a direct return address overwrite) due to /GS stack cookie protection. A payload length of ~2128 bytes is used for the Windows SEH target.
  • The overflow occurs in dissect_getaddrsbyname_request inside packet-lwres.c. The name-length field in the LWRES request is attacker-controlled and used to copy into a fixed stack buffer without bounds checking.
  • The exploit default target (loop variant) is set to target index 4 (Windows x86), not Linux. Adjust target selection accordingly when testing.
  • Null bytes (\x00) are bad characters for the payload; the exploit cannot deliver shellcode containing null bytes.
  • The Windows SEH exploit packet is large enough to be fragmented over UDP, which may cause additional complications and reduce reliability.
  • The payload space is limited to 512 bytes; NOP sleds and large stagers may not fit.
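
A defensive check for the name-length field described above, as an added example that is not from the original page or from the Wireshark code: it reads the 2-byte length that follows the 36-byte header quoted in the IOCs and flags values that no valid lookup would carry. Assumptions: the function and constant names are hypothetical, the 255-octet cap is the DNS name limit chosen here as a threshold, and the sample packets are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN   28u          /* LWRES header: length .. authlength */
#define GABN_LEN  10u          /* flags(4) + addrtypes(4) + namelen(2) */
#define OP_GABN   0x00010001u  /* opcode at offset 12 in the header quoted above */
#define MAX_NAME  255u         /* assumption: DNS names never exceed 255 octets */

enum verdict { LW_NOT_GABN, LW_OK, LW_TRUNCATED, LW_NAME_TOO_LONG, LW_LEN_MISMATCH };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Classify one UDP/921 payload; the name is measured, never copied. */
enum verdict lwres_check(const uint8_t *buf, size_t len) {
    if (len < HDR_LEN) return LW_TRUNCATED;
    if (be32(buf + 12) != OP_GABN) return LW_NOT_GABN;
    if (len < HDR_LEN + GABN_LEN) return LW_TRUNCATED;
    size_t namelen = ((size_t)buf[36] << 8) | buf[37];
    if (namelen > MAX_NAME) return LW_NAME_TOO_LONG;   /* larger than any valid name */
    if (namelen > len - (HDR_LEN + GABN_LEN))
        return LW_LEN_MISMATCH;                        /* claims bytes that are not present */
    return LW_OK;
}

/* Constructed sample: header plus `present` filler bytes, `claimed` in the length field. */
size_t make_sample(uint8_t *out, uint32_t opcode, uint16_t claimed, size_t present) {
    size_t total = HDR_LEN + GABN_LEN + present;
    memset(out, 0, total);
    out[2] = (uint8_t)(total >> 8);    out[3] = (uint8_t)total;   /* packet length */
    out[12] = (uint8_t)(opcode >> 24); out[13] = (uint8_t)(opcode >> 16);
    out[14] = (uint8_t)(opcode >> 8);  out[15] = (uint8_t)opcode;
    out[35] = 1;                       /* addrtypes = 1, as in the quoted header */
    out[36] = (uint8_t)(claimed >> 8); out[37] = (uint8_t)claimed;
    memset(out + HDR_LEN + GABN_LEN, 'a', present);
    return total;
}

int main(void) {
    uint8_t pkt[512];
    size_t n = make_sample(pkt, OP_GABN, 11, 11);   /* ordinary lookup */
    printf("ordinary request: %d\n", lwres_check(pkt, n));
    n = make_sample(pkt, OP_GABN, 2000, 0);         /* length field far above the cap */
    printf("oversized length field: %d\n", lwres_check(pkt, n));
    return 0;
}
```

The same comparison, applied before any copy into a fixed buffer, is the bounds check the bullet above says the dissector lacked.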

CVSS provenance

nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv | 7.5 | HIGH
vendor_debian | 7.5 | HIGH
vendor_redhat | 7.5 | HIGH