VYPR
Unrated severity · NVD Advisory · Published Dec 27, 2004 · Updated Apr 16, 2026

CVE-2004-1317

Description

A stack-based buffer overflow in Netcat for Windows 1.1's doexec.c allows remote attackers to execute arbitrary code when the -e option is used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stack-based buffer overflow in Netcat for Windows 1.1's `doexec.c` allows remote attackers to execute arbitrary code when the `-e` option is used.

Vulnerability

Netcat for Windows version 1.1 contains a stack-based buffer overflow in the doexec.c file. The vulnerability resides in the DNS command parsing routine, where a missing boundary check allows a client command longer than 256 bytes to overwrite the stack [1][2]. Specifically, the code in doexec.c (line 445) did not check whether BufferCnt had exceeded the receive buffer size, leading to an uncontrolled write when the -e option is active [3]. This issue affects only the Windows port; Unix versions of Netcat are not vulnerable [3].

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted DNS command that exceeds 256 bytes to a Netcat instance running with the -e option (which executes a program and pipes network I/O to its stdio) [1][2]. The attacker requires network connectivity to the target system and no prior authentication, as the overflow occurs during input processing before any authentication check [1]. The exploit can be delivered remotely without user interaction, making it trivially accessible from any network-accessible host [2].

Impact

Successful exploitation allows a remote attacker to execute arbitrary code with the privileges of the Netcat process [1][3]. Because Netcat typically runs with the same privileges as the launching user, this can lead to full system compromise if the user has administrative rights, including data disclosure, modification, and denial of service through arbitrary command execution [1][2].

Mitigation

The vulnerability was fixed in Netcat for Windows version 1.11, released on December 27, 2004 [3][4]. The fix adds a boundary check after reading data into the receive buffer, ensuring the buffer is flushed before an overflow occurs [3]. Users should upgrade to version 1.11 or later, available from www.vulnwatch.org/netcat/ [3][4]. No other mitigations are necessary as the fixed version addresses the root cause.
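As an added illustration (not Netcat's doexec.c and not the 1.11 fix itself), the receive-buffer accumulation the advisory describes, with the skipped bound made an explicit check and a bounded append that flushes before the buffer fills; only BufferCnt and the 256-byte size come from the advisory, while the struct, the function names and the canary are assumptions:

```c
#include <stddef.h>
#include <string.h>
#define RECV_BUF_SIZE 256     /* receive buffer size named in the advisory */
#define CANARY 0xDEADBEEFu    /* stand-in for whatever sits above the buffer */
struct recv_state {
    char buffer[RECV_BUF_SIZE];
    unsigned canary;          /* clobbered if buffer[] is ever overrun */
    size_t buffer_cnt;        /* the advisory's BufferCnt: bytes currently held */
    size_t flush_calls;       /* how often the buffer was handed downstream */
};

/* The check the 1.1 code skipped: would appending len bytes push BufferCnt
 * past the end of the receive buffer? */
int exceeds_buffer(size_t buffer_cnt, size_t len) {
    return buffer_cnt > RECV_BUF_SIZE || len > RECV_BUF_SIZE - buffer_cnt;
}
/* Downstream consumer stand-in (the real program writes to the child's stdin). */
static void flush_buffer(struct recv_state *st) {
    if (st->buffer_cnt == 0) return;
    st->flush_calls++;
    st->buffer_cnt = 0;
}

/* Bounded accumulation: flush when full, copy at most the remaining room, so
 * buffer_cnt never exceeds RECV_BUF_SIZE however long the client command is. */
void append_bounded(struct recv_state *st, const char *data, size_t len) {
    while (len > 0) {
        if (exceeds_buffer(st->buffer_cnt, 1)) flush_buffer(st);
        size_t room = RECV_BUF_SIZE - st->buffer_cnt;
        size_t n = len < room ? len : room;
        memcpy(st->buffer + st->buffer_cnt, data, n);
        st->buffer_cnt += n; data += n; len -= n;
    }
}

/* Feeds a constructed cmd_len-byte command (all 'A', not real traffic). */
static struct recv_state drive(size_t cmd_len) {
    struct recv_state st = { .canary = CANARY };
    char cmd[1024];
    memset(cmd, 'A', sizeof cmd);
    append_bounded(&st, cmd, cmd_len < sizeof cmd ? cmd_len : sizeof cmd);
    return st;
}

/* Bytes left in the buffer afterwards, or -1 if the canary was overwritten. */
long leftover_after(size_t cmd_len) {
    struct recv_state st = drive(cmd_len);
    return st.canary == CANARY ? (long)st.buffer_cnt : -1;
}
long flushes_after(size_t cmd_len) { return (long)drive(cmd_len).flush_calls; }
```

A 300-byte command fills the buffer once, is flushed, and leaves 44 bytes pending with the canary intact; the unchecked 1.1 pattern would instead have kept writing past the 256th byte.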

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing boundary check in the DNS command handling of doexec.c allows a client command longer than 256 bytes to overflow a stack buffer."

Attack vector

An attacker connects to a Netcat 1.1 instance running with the `-e` option (e.g., `nc -L -p 143 -t -e imapd.exe`). By sending a crafted DNS command exceeding 256 bytes, the stack buffer in doexec.c overflows, overwriting the return address. The exploit payload overwrites EIP with a JMP EBX or POP-POP-RET gadget (depending on Windows version) and includes shellcode that connects back to the attacker's IP and port, spawning a reverse command shell [ref_id=1].

Affected code

The vulnerable function is `doexec.c` in Netcat for Windows 1.1 (nc11nt.zip). The advisory identifies a boundary check bug in the DNS control part that triggers a stack overflow when a client command exceeds 256 bytes [ref_id=1].

What the fix does

No patch has been published by the vendor (Hobbit). The advisory states the vendor was informed on 10 November 2004 and responded on 11 November 2004, but no fix was released [ref_id=1]. The only remediation is to avoid using the `-e` switch with Netcat 1.1 on Windows, or to replace Netcat with a maintained alternative that performs proper bounds checking on DNS input.

Preconditions

  • Config: Netcat v1.1 for Windows must be running with the -e option (e.g., nc -L -p 143 -t -e imapd.exe)
  • Network: Attacker must be able to reach the listening Netcat port over the network
  • Input: Attacker sends a DNS command payload longer than 256 bytes

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in our index yet)