cbcvebase.
CVE-2010-4538
published 2011-01-07


Priority: P260
Severity: critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 28.98% (97.9th percentile)
Buffer overflow in the sect_enttec_dmx_da function in epan/dissectors/packet-enttec.c in Wireshark 1.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted ENTTEC DMX packet with Run Length Encoding (RLE) compression.

Affected

6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wireshark | < wireshark 1.2.11-6 (bookworm) | wireshark 1.2.11-6 (bookworm) |
| wireshark | wireshark | | |
| wireshark | wireshark | >= 0 < 1.2.11-6 | 1.2.11-6 |
| wireshark | wireshark | >= 0 < 1.2.11-6 | 1.2.11-6 |
| wireshark | wireshark | >= 0 < 1.2.11-6 | 1.2.11-6 |
| wireshark | wireshark | >= 0 < 1.2.11-6 | 1.2.11-6 |

Detection & IOCs (extracted from sources)

port: 3333/udp
command: python exploit.py <host> — sends crafted ENTTEC DMX UDP packet with RLE-compressed payload to port 3333
bytes: 45534444 10 20 04 00 0c fe ff 41 fe ff 42 fe ff 43 fe ff 44
  • Detect UDP packets to port 3333 beginning with the magic bytes 'ESDD' (0x45534444) followed by RLE-encoded DMX payload bytes (0xFE marker bytes) — characteristic of the PoC exploit for CVE-2010-4538.
  • The vulnerable code path is in the sect_enttec_dmx_da function in epan/dissectors/packet-enttec.c; crash/exploitation requires Wireshark 1.4.2 to process a crafted ENTTEC DMX packet with RLE compression — monitor for Wireshark crashes when processing UDP traffic on port 3333.
  • The vulnerability can also be triggered by opening a specially-crafted DMX data capture file (pcap) with RLE compression — inspect capture files opened by Wireshark 1.4.2 for ENTTEC DMX frames with RLE-encoded payloads.
  • The overflow is triggered only when Wireshark's ENTTEC dissector processes packets with RLE compression enabled; the attack surface covers both live UDP capture on port 3333 and offline analysis of crafted capture files.
  • Exploitation executes arbitrary code with the privileges of the user running Wireshark — deployments running Wireshark as root or as an elevated user are at highest risk.
  • The upstream fix is in SVN revision 35318; Debian resolved the issue in package version 1.2.11-6. Ensure Wireshark is patched beyond version 1.4.2.

CVSS provenance

nvd: v2.0, 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
osv: 9.3 CRITICAL
vendor_debian: 9.3 CRITICAL
vendor_redhat: 9.3 CRITICAL