cbcvebase.
CVE-2011-1591
published 2011-04-29

Priority: P2 (62), critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 41.74% (98.5th percentile)
Stack-based buffer overflow in the DECT dissector in epan/dissectors/packet-dect.c in Wireshark 1.4.x before 1.4.5 allows remote attackers to execute arbitrary code via a crafted .pcap file.

Affected (10 ranges)

Vendor      Product     Version range                       Fixed in
debian      wireshark   < wireshark 1.4.5-1 (bookworm)      wireshark 1.4.5-1 (bookworm)
wireshark   wireshark   (not recorded)                      (not recorded)     [5 identical rows]
wireshark   wireshark   >= 0, < 1.4.5-1                     1.4.5-1            [4 identical rows]

Detection & IOCs (extracted from sources)

path:  epan/dissectors/packet-dect.c
bytes: Ethernet type 0x2323 (DECT trigger frame)
bytes: pcap global header magic \xd4\xc3\xb2\xa1 with data link type \x01\x00\x00\x00
bytes: DECT Ethernet frame ptype trigger bytes \xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x23\x23
bytes: linux/x86/shell_reverse_tcp shellcode connecting to 127.0.0.1:4444 (port 0x115c)
  • Detect crafted pcap files or live packets with Ethernet type 0x2323 (DECT dissector trigger); this ethertype is not legitimately used and is the specific trigger for the vulnerable DECT dissector code path in Wireshark.
  • Detect the 14-byte DECT frame preamble pattern \xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x23\x23 at the start of a packet payload in pcap files or on the wire.
  • The exploit uses a SEH-based stack overflow with 1239 bytes of padding followed by a short JMP (\xeb\x06\x90\x90) and a PPR address; look for oversized frames (>1239 bytes) with Ethernet type 0x2323.
  • The Metasploit module uses a fixed offset of 1243 bytes to reach the saved return address; pcap files with a single packet of ~1540 bytes and Ethernet type 0x2323 should be treated as suspicious.
  • The remote exploit variant sends the malicious packet to the broadcast address (dst ff:ff:ff:ff:ff:ff) with Ethernet type 0x2323, enabling network-level detection via IDS rules matching that combination.
  • The vulnerability is in the DECT dissector; Wireshark versions 1.4.1 through 1.4.4 are affected. Presence of these versions parsing network traffic or pcap files is a risk indicator.
  • The local file-format exploit (17185/17186) requires DEP to be disabled for the non-ROP version; the Metasploit module includes a ROP chain for Generic DEP & ASLR bypass on 32-bit Windows, so DEP alone is not a reliable mitigation.
  • The ROP pivot address 0x667c484d is sourced from libgnutls (a non-ASLR module in the affected Wireshark installation); the gadget addresses from libpangoft2, libgio, freetype6, libglib, libatk, libgdk, libgtk, and libfontconfig DLLs are hardcoded and version-specific.
  • The remote exploit module (17195) supports a LOOP mode that repeatedly sends the malicious packet at a configurable interval, meaning a single attacker host can sustain the attack until a session is created.
  • Known bad characters that must be avoided in the payload are \x00, \x0a, \x0d, and \x09; detection signatures should account for these constraints when building byte-pattern rules.
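The following is an added detection example, not code from the page or from the Wireshark project, showing how a defender could scan a classic pcap file for the indicators listed above: it walks the pcap container (using the \xd4\xc3\xb2\xa1 magic and Ethernet link type from the IOC list), flags every frame whose EtherType is 0x2323, and additionally notes a broadcast destination and a DECT payload longer than the 1239-byte padding figure quoted on the page. The 1239-byte threshold, the `Finding` structure, and the sample capture built inline are assumptions made for this example; the sample frames are constructed filler, not real traffic.

```python
import struct
from dataclasses import dataclass, field
from typing import Iterator, List, Tuple

# Values taken from the page's IOC list.
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # little-endian classic pcap magic
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"   # big-endian variant (same layout, swapped)
LINKTYPE_ETHERNET = 1
DECT_ETHERTYPE = 0x2323               # trigger for the vulnerable DECT dissector
BROADCAST_MAC = b"\xff" * 6
# Assumption: a DECT payload longer than the 1239-byte padding quoted on the
# page is reported as oversized; tune this threshold for your environment.
OVERSIZED_PAYLOAD = 1239


@dataclass
class Finding:
    index: int            # record number within the capture
    length: int           # captured frame length in bytes
    reasons: List[str] = field(default_factory=list)


def parse_pcap(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (record index, frame bytes) from a classic (non-pcapng) capture."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = data[:4]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (unknown magic)")
    # version_major, version_minor, thiszone, sigfigs, snaplen, network
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off, idx = 24, 0
    while off + 16 <= len(data):
        # ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break  # truncated final record: stop instead of mis-parsing
        yield idx, frame
        off += incl_len
        idx += 1


def scan_pcap(data: bytes) -> List[Finding]:
    """Flag every Ethernet frame whose EtherType is the DECT trigger value."""
    findings: List[Finding] = []
    for idx, frame in parse_pcap(data):
        if len(frame) < 14:
            continue  # too short to carry an Ethernet header
        ethertype = struct.unpack(">H", frame[12:14])[0]
        if ethertype != DECT_ETHERTYPE:
            continue
        f = Finding(idx, len(frame), ["ethertype 0x2323 (DECT dissector trigger)"])
        if frame[:6] == BROADCAST_MAC:
            f.reasons.append("broadcast destination ff:ff:ff:ff:ff:ff")
        payload_len = len(frame) - 14
        if payload_len > OVERSIZED_PAYLOAD:
            f.reasons.append(f"oversized DECT payload ({payload_len} bytes)")
        findings.append(f)
    return findings


# --- constructed sample input (not a real capture) -------------------------

def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap raw Ethernet frames in a little-endian classic pcap container."""
    header = PCAP_MAGIC_LE + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records


def eth_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack(">H", ethertype) + payload


SAMPLE_PCAP = build_pcap([
    # benign-looking IPv4 frame: must not be flagged
    eth_frame(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", 0x0800, b"\x45" + b"\x00" * 59),
    # broadcast 0x2323 frame with 1300 bytes of filler: matches all three indicators
    eth_frame(BROADCAST_MAC, b"\x00" * 6, DECT_ETHERTYPE, b"\x41" * 1300),
    # small unicast 0x2323 frame: flagged on EtherType alone
    eth_frame(b"\x00" * 6, b"\x00" * 6, DECT_ETHERTYPE, b"\x42" * 40),
])

if __name__ == "__main__":
    for finding in scan_pcap(SAMPLE_PCAP):
        print(f"record {finding.index}: {finding.length} bytes: " + "; ".join(finding.reasons))
```

Running the module scans the constructed capture and prints two findings (records 1 and 2); to check a real file, read it with `open(path, "rb").read()` and pass the bytes to `scan_pcap`. Because EtherType 0x2323 has no legitimate use, any hit is worth triage on its own; the broadcast and oversized indicators only raise confidence. The scanner stops at a truncated final record rather than guessing, and rejects pcapng and non-Ethernet captures explicitly.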

CVSS provenance

nvd (v2.0):     9.3 CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
osv:            9.3 CRITICAL
vendor_debian:  9.3 CRITICAL
vendor_redhat:  9.3 CRITICAL