CVE-2013-1428
published 2013-04-26


Priority: P3
Severity: medium (CVSS 2.0 base score 6.5)
CVSS 2.0 vector: AV:N / AC:L / Au:S / C:P / I:P / A:P
Exploit: public exploit available
EPSS: 60.68% (99.0th percentile)
Stack-based buffer overflow in the receive_tcppacket function in net_packet.c in tinc before 1.0.21 and 1.1 before 1.1pre7 allows remote authenticated peers to cause a denial of service (crash) or possibly execute arbitrary code via a large TCP packet.

Affected

11 ranges

Vendor      Product   Version range              Fixed in
debian      tinc      < 1.0.19-3 (bookworm)      1.0.19-3 (bookworm)
tinc-vpn    tinc      <= 1.0.20
tinc-vpn    tinc      <= 1.1
tinc-vpn    tinc
tinc-vpn    tinc
tinc-vpn    tinc
tinc-vpn    tinc
tinc        tinc      >= 0, < 1.0.19-3           1.0.19-3
tinc        tinc      >= 0, < 1.0.19-3           1.0.19-3
tinc        tinc      >= 0, < 1.0.19-3           1.0.19-3
tinc        tinc      >= 0, < 1.0.19-3           1.0.19-3

Detection & IOCs (extracted from sources)

port: 655
path: /usr/local/sbin/tincd
url: http://www.sitsec.net/files/tinc-poc.py
process: tincd
  • Monitor for oversized TCP packets (more than 1676 bytes of payload) sent to tincd on port 655 from authenticated VPN peers; the overflow offset is 1676 bytes for x86 targets.
  • Detect exploitation attempts by watching for tincd process crashes (SIGABRT / SIGSEGV) accompanied by '*** buffer overflow detected ***' messages in system logs; these indicate active exploitation attempts even on non-exploitable builds.
  • The vulnerable code path is receive_tcppacket() in net_packet.c; instrument or audit this function for buffer length checks when reviewing tinc source builds.
  • ARM targets (e.g., Raspberry Pi / Pidora 18) with NX but no ASLR are susceptible to ROP-based exploitation with brute-force ASLR bypass; monitor for repeated rapid reconnections to tincd port 655 from the same peer as an ASLR brute-force indicator.
  • Exploitation requires prior authentication as a VPN peer; unauthenticated remote attackers cannot trigger the overflow directly.
  • Builds compiled with gcc 4.7.2+ and __memcpy_chk (e.g., Ubuntu 12.10, Fedora 16, OpenSuse 11.2 from packages) result in a non-exploitable crash rather than code execution; detection should still alert on the crash.
  • The exploit payload space is constrained to 1675 bytes; payloads exceeding this size will not fit within the overflow buffer for x86 targets.
  • The ARM (Pidora 18) target requires the tincd daemon to restart between brute-force attempts due to ASLR; a non-restarting daemon configuration significantly reduces exploitability on ARM.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      6.5     MEDIUM     AV:N/AC:L/Au:S/C:P/I:P/A:P
osv                       6.5     MEDIUM
vendor_debian             6.5     MEDIUM