CVE-2004-1705

Citadel/UX <= 6.23 - Denial of Service via Long Username

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2004-1705. PoCs published by Nebunu, CoKi.

AI-analyzed exploit summary: This exploit targets a buffer overflow vulnerability in Citadel/UX (CVE-2004-1705) to achieve remote code execution. It leverages a crafted 'USER' command to overflow a buffer and redirect execution to a shellcode payload, which downloads and executes a backdoor.

Description

Buffer overflow in Citadel/UX 6.23 and earlier allows remote attackers to cause a denial of service via a long username.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Nebunu · c · remote · linux
https://www.exploit-db.com/exploits/437

This exploit targets a buffer overflow vulnerability in Citadel/UX (CVE-2004-1705) to achieve remote code execution. It leverages a crafted 'USER' command to overflow a buffer and redirect execution to a shellcode payload, which downloads and executes a backdoor.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Racy
Target: Citadel/UX (versions up to 2004)
No auth needed
Prerequisites: Network access to Citadel/UX port 504 · Target platform listed in the exploit's architecture array
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Nebunu · c · remote · linux
https://www.exploit-db.com/exploits/424

This exploit targets a buffer overflow in Citadel/UX's USER command handling, leveraging a ret-to-libc technique to bypass the tolower() function's interference with shellcode. It overwrites EIP with the address of system() and executes a command to add a root user.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Citadel/UX (version not specified)
No auth needed
Prerequisites: Citadel/UX server running as root · system() address in libc · command string without problematic characters
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by CoKi · c · dos · linux
https://www.exploit-db.com/exploits/370

This exploit targets a buffer overflow vulnerability in Citadel/UX by sending a crafted USER command with a 96-byte buffer filled with 'A' characters, causing a remote denial of service (DoS). The exploit includes a timeout mechanism for the connection and verifies the target host before sending the payload.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Citadel/UX (versions in Slackware 9.0.0 / 9.1.0 / 10.0.0)
No auth needed
Prerequisites: Network access to the target on port 504
devstral-2 · analyzed Feb 16, 2026

References (7)

Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=109121546120575&w=2
Exploit, Patch, Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/10833
Exploit, Patch, Vendor Advisory x_refsource_misc
http://www.nosystem.com.ar/advisories/advisory-04.txt
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=109146099404071&w=2
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/16840
Exploit, Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/12197
Exploit, Patch, Vendor Advisory vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1010809

Scores

EPSS 0.0492
EPSS Percentile 91.0%

Details

Status published
Products (5)
citadel/ux 5.90
citadel/ux 5.91
citadel/ux 6.07
citadel/ux 6.08
citadel/ux 6.23
Published Jul 30, 2004
Tracked Since Feb 18, 2026