CVE-2014-2299
published 2014-03-11


Priority: P2 62
Severity: critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 47.42% (98.7th percentile)
Buffer overflow in the mpeg_read function in wiretap/mpeg.c in the MPEG parser in Wireshark 1.8.x before 1.8.13 and 1.10.x before 1.10.6 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a large record in MPEG data.

Affected

24 ranges

Vendor      Product     Version range                       Fixed in
debian      wireshark   < wireshark 1.10.6-1 (bookworm)     wireshark 1.10.6-1 (bookworm)
wireshark   wireshark   >= 0 < 1.10.6-1                     1.10.6-1

(The >= 0 < 1.10.6-1 entry is listed four times in the source; a further 19 wireshark/wireshark entries carry no version range or fixed-in value.)

Detection & IOCs (extracted from sources)

path:  wiretap/mpeg.c
bytes: \xff\xfb\x41
bytes: \x55\x59\x80\x6b
bytes: \x81\xec\xc8\x00\x00\x00

  • The exploit triggers the vulnerability by opening a crafted PCAP/MPEG file; detect suspicious PCAP files with an MPEG magic header (0xFF 0xFB 0x41) followed by an oversized record (>65535 bytes) being opened in Wireshark.
  • The overflow occurs in the mpeg_read function in wiretap/mpeg.c; monitor Wireshark process crashes or abnormal termination when parsing MPEG-format capture files as an indicator of exploitation.
  • The ROP chain uses VirtualProtect() via an IAT pointer in libcares-2.dll (0x62d9027c) and gadgets from libgtk-win32-2.0-0.dll; presence of these ROP gadget addresses on the stack during Wireshark execution is indicative of exploitation.
  • The exploit targets Windows XP SP2/SP3 (English and Spanish); the default output filename is 'mpeg_overflow.pcap', so flag delivery or opening of files with this name.
  • The ROP chain and gadget addresses are specific to WinXP SP3 Spanish and WinXP SP2/SP3 English targets using the exact DLL versions listed (libgtk-win32-2.0-0.dll ver 2.24.14.0, zlib1.dll ver 1.2.5.0, krb5_32.dll ver 1.6.3.16); addresses will differ on other platforms or DLL versions.
  • Payload bad characters are limited to 0xFF and space is 600 bytes; NOP generation is disabled and a stack-adjustment prepend encoder (sub esp,200) is required for reliable shellcode execution.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
osv                       9.3     CRITICAL
vendor_debian             9.3     CRITICAL
vendor_redhat             9.3     CRITICAL