CVE-2006-4805 in Wiresharkinfo

Summary

by MITRE

epan/dissectors/packet-xot.c in the XOT dissector (dissect_xot_pdu) in Wireshark (formerly Ethereal) 0.9.8 through 0.99.3 allows remote attackers to cause a denial of service (memory consumption and crash) via an encoded XOT packet that produces a zero length value when it is decoded.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/25/2026

The vulnerability identified as CVE-2006-4805 resides within the XOT dissector component of Wireshark version 0.9.8 through 0.99.3, specifically in the packet-xot.c file. This flaw manifests in the dissect_xot_pdu function which processes XOT (Xerox Open Transmission) protocol packets during network traffic analysis. The XOT protocol is a legacy network protocol used primarily in older Xerox network environments, and its dissector within Wireshark enables analysts to decode and examine XOT traffic during packet capture and analysis operations.

The technical nature of this vulnerability stems from inadequate input validation within the XOT dissector's packet processing logic. When a specially crafted XOT packet is received and processed by the dissector, the packet contains encoded data that, upon decoding, produces a zero length value. This zero length value creates a condition where the dissector attempts to allocate memory or process data structures with invalid parameters, leading to abnormal program behavior. The flaw represents a classic case of improper handling of malformed input data, which falls under the CWE-129 weakness category related to insufficient validation of length values.

The operational impact of this vulnerability is significant as it enables remote attackers to execute a denial of service attack against systems running affected versions of Wireshark. When an attacker sends a maliciously crafted XOT packet to a system with Wireshark running in packet capture mode, the dissector will process the packet and encounter the zero length value condition. This results in excessive memory consumption as the application attempts to handle the malformed data, ultimately leading to application crashes and complete service disruption. The vulnerability affects the core functionality of Wireshark's packet analysis capabilities, rendering the tool unusable for network monitoring and troubleshooting purposes.

Mitigation strategies for this vulnerability involve immediate upgrading to Wireshark version 0.99.4 or later, which contains the necessary patches to address the input validation issues in the XOT dissector. Network administrators should also implement network segmentation and access controls to limit exposure to potentially malicious traffic. Additionally, implementing network-based intrusion detection systems with signature-based detection for known malicious XOT packet patterns can help identify and block such attacks. From an operational security perspective, organizations should maintain current network monitoring tools and ensure regular security updates are applied to all network analysis equipment to prevent exploitation of similar vulnerabilities. The ATT&CK framework categorizes this vulnerability under the T1499.004 technique related to network denial of service, emphasizing the importance of proper input validation and memory management in network analysis tools.

Sources

Do you know our Splunk app?

Download it now for free!