CVE-2002-0724
published 2002-09-24


Priority: P3 · 35
CVSS 2.0: 7.5 (high), vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 30.13% (98.0th percentile)
Buffer overflow in SMB (Server Message Block) protocol in Microsoft Windows NT, Windows 2000, and Windows XP allows attackers to cause a denial of service (crash) via an SMB_COM_TRANSACTION packet with a request for the (1) NetShareEnum, (2) NetServerEnum2, or (3) NetServerEnum3, aka "Unchecked Buffer in Network Share Provider Can Lead to Denial of Service".

Affected (2 ranges)

Vendor      Product              Version range   Fixed in
cisco       products_ms02-045    (not given)     (not given)
microsoft   windows_nt           (not given)     (not given)

The version-range and fixed-in columns are empty in the source. The description above also covers Windows 2000 and Windows XP, although the product table lists only the windows_nt entry.

Detection & IOCs (extracted from sources)

port: 445/tcp (SMB). Windows NT 4.0 has no direct-host SMB on 445 at all, and 2000/XP hosts with NetBIOS over TCP/IP enabled accept the same traffic on 139/tcp (NetBIOS session service), so watch both ports.
command: SMB_COM_TRANSACTION with NetServerEnum2 (RAP function code 0x68) to \PIPE\LANMAN
path: \PIPE\LANMAN
path: \\<target>\IPC$
  • Detect malformed SMB_COM_TRANSACTION (SMB command code 0x25) requests to \PIPE\LANMAN whose RAP function code is 0x68 (104, NetServerEnum2), 0x00 (NetShareEnum) or 0xD7 (215, NetServerEnum3); these are the three triggering request types named in the description. A well-formed request for any of the three is ordinary LAN Manager browsing traffic, so combine this check with the null-session and descriptor indicators in the following bullets before alerting.
  • Monitor for anonymous (null session) SMB connections followed immediately by a TRANSACTION request to IPC$\PIPE\LANMAN — the exploit works with anonymous access and uses a null-session setup (empty ANSI password, empty account).
  • The exploit identifies itself with Native OS 'Unix' and Native LAN Manager 'Samba' in the SESSION_SETUP_ANDX request. Flag Windows hosts receiving SMB session setups that carry these strings, but note that Samba's own client tools send the same values, so on a mixed network this is a weak indicator on its own.
  • The SMB TRANSACTION request uses param_descriptor 'WrLeh' and return_descriptor 'B13BWz' with detail_level 1 and recv_buffer_len 50000. 'WrLeh'/'B13BWz' are the MS-RAP descriptor strings for NetShareEnum at detail level 1, whereas a well-formed NetServerEnum2 carries 'WrLehDz'/'B16BBDz'; a LANMAN pipe transaction whose function code and descriptors disagree in this way is a strong exploit indicator.
  • Disabling NetBIOS null sessions is a documented mitigation that prevents exploitation; until it is applied, monitor for null-session establishment (SESSION_SETUP_ANDX with an empty account and empty password) as a precursor indicator.
  • All Cisco products installed on affected Microsoft Windows versions (NT, 2000, XP) that use SMB are considered vulnerable; this is not a Cisco code defect but an OS-level exposure.
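As an added example (not code from the advisory, from Microsoft or Cisco, or from any exploit), the following Python builds an SMB1 SMB_COM_TRANSACTION request carrying a LANMAN RAP call, parses it back, and classifies it against the indicators listed above: the three RAP function codes, the WrLeh/B13BWz descriptor pair, detail level 1 with a 50000-byte receive buffer, and a null session. The packet layout follows the SMB1 and MS-RAP wire encodings; the set of null-session UIDs handed to assess() is assumed to come from a separate session tracker, and every packet is constructed inline. It goes one step beyond the page: rather than matching the literal WrLeh/B13BWz pair, it compares the descriptors against the well-formed strings MS-RAP defines for each of the three functions, so any function-code/descriptor mismatch is reported.

```python
"""Added example, not from the advisory or any vendor code: build an SMB1
SMB_COM_TRANSACTION request carrying a LANMAN RAP call, parse it, and flag the
three request types named in CVE-2002-0724.  All packets are constructed inline."""
import struct

SMB_COM_TRANSACTION = 0x25
LANMAN_PIPE = b"\\PIPE\\LANMAN"
# RAP function codes and their well-formed descriptor strings (per MS-RAP).
RAP_FUNCTIONS = {0: "NetShareEnum", 104: "NetServerEnum2", 215: "NetServerEnum3"}
EXPECTED_DESC = {0: (b"WrLeh", {b"B13", b"B13BWz"}),
                 104: (b"WrLehDz", {b"B16", b"B16BBDz"}),
                 215: (b"WrLehDzz", {b"B16", b"B16BBDz"})}
# Bytes a parameter-descriptor character occupies in a *request*; 'r', 'e', 'h'
# are receive-buffer / response-only placeholders and carry no request bytes.
REQ_DESC_SIZES = {"W": 2, "D": 4, "B": 1, "L": 2, "r": 0, "e": 0, "h": 0}
HDR_FMT = "<BIBHH8sHHHHH"       # SMB1 header after the 0xFF 'S' 'M' 'B' magic
TRANS_FMT = "<HHHHBBHIHHHHHBB"   # SMB_COM_TRANSACTION words, SetupCount = 0


def build_rap_transaction(opcode, param_desc, data_desc, info_level, recv_len,
                          uid=0, pipe=LANMAN_PIPE, tail=b""):
    """Header + TRANSACTION request.  Only W (info level) and L (receive buffer
    length) are filled in; 'tail' supplies bytes for any further descriptor chars."""
    params = (struct.pack("<H", opcode) + param_desc + b"\x00" + data_desc + b"\x00"
              + struct.pack("<HH", info_level, recv_len) + tail)
    name = pipe + b"\x00"
    header = b"\xffSMB" + struct.pack(HDR_FMT, SMB_COM_TRANSACTION, 0, 0x18, 0x0001,
                                      0, b"\x00" * 8, 0, 0, 0, uid, 0)
    param_off = 32 + 1 + struct.calcsize(TRANS_FMT) + 2 + len(name)  # from header start
    words = struct.pack(TRANS_FMT, len(params), 0, 8, recv_len, 0, 0, 0, 0, 0,
                        len(params), param_off, 0, param_off + len(params), 0, 0)
    body = struct.pack("<H", len(name) + len(params)) + name + params  # ByteCount + bytes
    return header + bytes([struct.calcsize(TRANS_FMT) // 2]) + words + body


def parse_transaction(pkt):
    """Return the fields a detector needs, or None if this is not an SMB1 TRANSACTION
    request.  Assumes an ASCII pipe name (Flags2 UNICODE bit clear), as NT-era tools sent."""
    if len(pkt) < 61 or pkt[:4] != b"\xffSMB" or pkt[4] != SMB_COM_TRANSACTION:
        return None
    uid, word_count = struct.unpack_from("<H", pkt, 28)[0], pkt[32]
    if word_count < 14:
        return None
    w = struct.unpack_from(TRANS_FMT, pkt, 33)
    param_count, param_off = w[9], w[10]
    name_start = 33 + word_count * 2 + 2            # skip the words and ByteCount
    name_end = pkt.find(b"\x00", name_start)
    if name_end < 0:
        return None
    params = pkt[param_off:param_off + param_count]
    info = {"uid": uid, "name": pkt[name_start:name_end].upper(), "rap_function": None,
            "param_desc": None, "data_desc": None, "info_level": None, "recv_len": None}
    if info["name"] != LANMAN_PIPE or len(params) < 4:
        return info
    info["rap_function"] = struct.unpack_from("<H", params)[0]
    pd_end = params.find(b"\x00", 2)
    dd_end = params.find(b"\x00", pd_end + 1) if pd_end > 0 else -1
    if dd_end < 0:
        return info
    info["param_desc"], info["data_desc"] = params[2:pd_end], params[pd_end + 1:dd_end]
    pos, values = dd_end + 1, {}
    for ch in info["param_desc"].decode("ascii", "replace"):   # walk the descriptor
        if ch == "z":                                # null-terminated string
            pos = params.find(b"\x00", pos)
            if pos < 0:
                break
            pos += 1
        elif ch in REQ_DESC_SIZES:
            size = REQ_DESC_SIZES[ch]
            if size and pos + size <= len(params):
                values.setdefault(ch, []).append(int.from_bytes(params[pos:pos + size], "little"))
            pos += size
        else:
            break                                    # unknown descriptor char
    info["info_level"] = values.get("W", [None])[0]
    info["recv_len"] = values.get("L", [None])[0]
    return info


def assess(pkt, anonymous_uids=frozenset()):
    """Classify one packet.  'anonymous_uids' is assumed to come from a session
    tracker that recorded which UIDs were set up with empty credentials."""
    t = parse_transaction(pkt)
    if t is None or t["name"] != LANMAN_PIPE:
        return "ignore", []
    fn = RAP_FUNCTIONS.get(t["rap_function"])
    if fn is None:
        return "benign", []
    reasons = [f"{fn} (RAP {t['rap_function']}) to \\PIPE\\LANMAN"]
    exp_param, exp_data = EXPECTED_DESC[t["rap_function"]]
    if t["param_desc"] != exp_param or t["data_desc"] not in exp_data:
        reasons.append(f"descriptors {t['param_desc']!r}/{t['data_desc']!r} do not match {fn}")
    if t["info_level"] == 1 and t["recv_len"] == 50000:
        reasons.append("exploit parameter values detail_level=1, recv_buffer_len=50000")
    if t["uid"] in anonymous_uids:
        reasons.append("issued over a null session")
    return ("alert" if len(reasons) > 1 else "review"), reasons


if __name__ == "__main__":
    # Constructed traffic: the exploit-shaped request over a null session, a routine
    # NetServerEnum2 with the MS-RAP descriptors, and an unrelated RAP call.
    evil = build_rap_transaction(104, b"WrLeh", b"B13BWz", 1, 50000, uid=0x0800)
    routine = build_rap_transaction(104, b"WrLehDz", b"B16BBDz", 1, 0xFFFF, uid=0x0801,
                                    tail=(0xFFFFFFFF).to_bytes(4, "little") + b"\x00")
    other = build_rap_transaction(63, b"WrLh", b"zzzBBzz", 10, 1024, uid=0x0801)
    for label, pkt in (("exploit", evil), ("routine", routine), ("wksta", other)):
        print(label, assess(pkt, anonymous_uids={0x0800}))
```

Run directly, it prints a verdict for each of the three constructed packets. A lone, well-formed NetServerEnum2 over \PIPE\LANMAN is the request behind ordinary LAN Manager browse-list lookups, so the code returns 'review' for it and escalates to 'alert' only when a second indicator (descriptor mismatch, the exploit's parameter values, or a null session) is present. The Native OS / Native LAN Manager strings from SESSION_SETUP_ANDX belong in the same session tracker that supplies the null-session UIDs, since they are not visible in the TRANSACTION packet itself.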