CVE-2003-0081
Description
Format string vulnerability in packet-socks.c of the SOCKS dissector for Ethereal 0.8.7 through 0.9.9 allows remote attackers to execute arbitrary code via SOCKS packets containing format string specifiers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:ethereal_group:ethereal:0.8.18:*:*:*:*:*:*:*
- cpe:2.3:a:ethereal_group:ethereal:0.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:ethereal_group:ethereal:0.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:ethereal_group:ethereal:0.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:ethereal_group:ethereal:0.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:ethereal_group:ethereal:0.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:ethereal_group:ethereal:0.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:ethereal_group:ethereal:0.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:ethereal_group:ethereal:0.9.7:*:*:*:*:*:*:*
- cpe:2.3:a:ethereal_group:ethereal:0.9.8:*:*:*:*:*:*:*
- cpe:2.3:a:ethereal_group:ethereal:0.9.9:*:*:*:*:*:*:*
- (no CPE) range: >=0.8.7, <=0.9.9
Patches
Vulnerability mechanics
Root cause
"Missing format string argument in proto_tree_add_text() call allows attacker-controlled packet data to be interpreted as a format string."
Attack vector
A remote attacker sends crafted SOCKS packets containing format string specifiers (e.g., `%x`, `%n`) to a target running a vulnerable Ethereal version. When Ethereal dissects the malicious SOCKS traffic, the missing format mask in `proto_tree_add_text()` causes the packet data to be interpreted as a format string, leading to memory corruption. The advisory confirms this can cause a denial of service and likely allows arbitrary code execution [ref_id=1].
Affected code
The vulnerability resides in `packet-socks.c` at line 910, where `proto_tree_add_text()` is called with the result of `format_text(data, linelen)` as the format argument rather than as a string argument. This affects Ethereal versions 0.8.7 through 0.9.9.
What the fix does
The patch changes the call to `proto_tree_add_text()` from passing `format_text(data, linelen)` directly as the format argument to passing `"%s", format_text(data, linelen)`. This ensures the packet data is treated as a plain string rather than interpreted as a format string, preventing attackers from injecting format specifiers that could corrupt memory or execute code [ref_id=1].
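The before/after call pattern described above, as an added example that is not Ethereal's source code: `tree_add_text` and `format_text_demo` are hypothetical stand-ins for `proto_tree_add_text()` and `format_text()`, and the payload is constructed, using only `%%` so that the unfixed path stays well defined while still showing the data being parsed as a format.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for proto_tree_add_text(): printf-style label writer.
 * With __attribute__((format(printf, 3, 4))) and -Wformat -Wformat-security,
 * GCC/Clang would warn on the "before" call below. */
static void tree_add_text(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Simplified stand-in for format_text(): non-printable bytes become '.'.
 * '%' is printable, so display sanitising leaves it in place. */
static const char *format_text_demo(const unsigned char *data, size_t len)
{
    static char buf[128];
    if (len >= sizeof buf)
        len = sizeof buf - 1;
    for (size_t i = 0; i < len; i++)
        buf[i] = isprint(data[i]) ? (char)data[i] : '.';
    buf[len] = '\0';
    return buf;
}

/* "Before" pattern: packet text is passed as the format argument. */
void label_before_fix(char *out, size_t n, const unsigned char *d, size_t len)
{
    tree_add_text(out, n, format_text_demo(d, len));
}

/* "After" pattern: constant "%s" format, packet text as its argument. */
void label_after_fix(char *out, size_t n, const unsigned char *d, size_t len)
{
    tree_add_text(out, n, "%s", format_text_demo(d, len));
}

int main(void)
{
    /* Constructed payload: "%%" is well defined without arguments. */
    const unsigned char pkt[] = "ping 100%% ok\x01";
    char a[64], b[64];
    label_before_fix(a, sizeof a, pkt, sizeof pkt - 1);
    label_after_fix(b, sizeof b, pkt, sizeof pkt - 1);
    printf("before: %s\nafter:  %s\n", a, b);
}
```

The "before" label comes out altered (`ping 100% ok.`) because the packet text was parsed as a format, while the "after" label reproduces it literally (`ping 100%% ok.`).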
Preconditions
- network: Attacker must be able to send SOCKS packets to a network interface being monitored by a vulnerable Ethereal instance
- config: Ethereal must be running in real-time capture mode or processing a capture file containing the malicious packets
Reproduction
The advisory provides a complete reproduction setup using two Perl scripts. Run `raw3sv.pl` (a dummy SOCKS server) on localhost port 1080, then start Ethereal capturing on loopback with real-time updates. Run `sockcl.pl` (a SOCKS ping client) which connects to localhost. After approximately 5 seconds, select the "Sock5.....Ping Req Results" line in Ethereal to trigger a segmentation fault [ref_id=1].
Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.debian.org/security/2003/dsa-258 (nvd: Patch, Vendor Advisory)
- www.ethereal.com/appnotes/enpa-sa-00008.html (nvd: Patch, Vendor Advisory, URL Repurposed)
- www.securityfocus.com/bid/7049 (nvd: Patch, Vendor Advisory)
- www.guninski.com/etherre.html (nvd: Exploit, Patch, Vendor Advisory)
- distro.conectiva.com.br/atualizacoes/ (nvd)
- frontal2.mandriva.com/security/advisories (nvd)
- seclists.org/lists/fulldisclosure/2003/Mar/0080.html (nvd)
- www.linuxsecurity.com/advisories/gentoo_advisory-2949.html (nvd)
- www.novell.com/linux/security/advisories/2003_019_ethereal.html (nvd)
- www.redhat.com/support/errata/RHSA-2003-076.html (nvd)
- www.redhat.com/support/errata/RHSA-2003-077.html (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/11497 (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A54 (nvd)