cbcvebase.
CVE-2003-0109
published 2003-03-31

CVE-2003-0109: Buffer overflow in ntdll.dll on Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute arbitrary code, as demonstrated via a WebDAV request to IIS 5.0.

Priority: P274
CVSS 2.0: 7.5 (high), vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploited in the wild (VulnCheck KEV)
EPSS: 86.40% (99.7th percentile)

Detection & IOCs (extracted from sources)

command: SEARCH /<65535-char URL> HTTP/1.1
port: 31337
port: 666
other: Select "DAV:displayname" from scope()
other: RtlDosPathNameToNtPathName_U
other: RtlGetFullPathName_U
bytes: \x55\x8b\xec\x33\xc9\x53\x56\x57\x8d\x7d\xa2\xb1\x25\xb8\xcc\xcc\xcc\xcc\xf3\xab
bytes: \x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33\xc9\xb1\x1c\x90\x90\x90\x90\x03\xf1\x56\x5f
bytes: \x8b\xf9\x32\xc0\xfe\xc0\xf2\xae\xff\xe7
  • Detect oversized SEARCH method WebDAV requests to IIS on port 80; the exploit sends a SEARCH request with a URL of ~65514–65535 characters to trigger the ntdll.dll overflow.
  • Detect HTTP SEARCH requests with Content-Type: text/xml and a body containing the WebDAV SQL-like query 'Select "DAV:displayname" from scope()' paired with an abnormally long URI.
  • Check response body for 'Server Error(exception' string as an indicator of a vulnerable IIS 5.0 host, as used by the Metasploit check() function.
  • Vulnerability scanners may probe ports 139 and 445 for this IIS WebDAV bug; remap detections on those ports back to port 80 for accurate correlation.
  • The W32.Welchia worm actively exploited this vulnerability; monitor for mass scanning activity against port 80 with oversized SEARCH WebDAV requests as a worm propagation indicator.
  • Bad characters for payload encoding are known; payloads will avoid null bytes and URL-special characters: 0x00, 0x3a, 0x26, 0x3f, 0x25, 0x23, 0x20, 0x0a, 0x0d, 0x2f, 0x2b, 0x0b, 0x5c.
  • Windows NT 4.0 does not support WebDAV, so WebDAV-based exploit attempts will not be effective against NT 4.0 systems, though the underlying ntdll.dll vulnerability is still present.
  • Windows XP does not include WebDAV by default, but WebDAV may be installed by a user on Windows XP with IIS 5.1, making it a possible exploitation vector in those cases.
  • The Metasploit module only works against Windows 2000 (SP0–SP3) and uses brute-force return address targeting; it does not reliably exploit other Windows versions via this method.
  • The Microsoft patch Q815021 corrects both the RtlDosPathNameToNtPathName_U and RtlGetFullPathName_U vulnerable functions; both must be patched to fully remediate the vulnerability.
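The first four detection bullets above describe a request-level signature: a WebDAV SEARCH with an abnormally long Request-URI, optionally paired with a text/xml body carrying the `Select "DAV:displayname" from scope()` query, and alerts seen on ports 139/445 remapped to port 80 for correlation. The following Python is an added example of that detection logic and is not code from cvebase, Metasploit, or any vendor. The `OVERSIZED_URI` threshold, the hostname, and the sample requests are constructed assumptions; the long-URI sample is plain filler, not exploit data.

```python
# Request-URI length above which a WebDAV SEARCH is treated as oversized.
# The exploit described on the page used ~65514-65535 characters; a normal
# WebDAV path is far shorter, so this threshold (an assumption) is generous.
OVERSIZED_URI = 8192

# WebDAV SQL-like query listed among the page's indicators.
DAV_QUERY = 'Select "DAV:displayname" from scope()'


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, headers, body).

    Returns None when the request line does not have exactly three tokens.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    method, uri, _version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return method.decode("latin-1"), uri, headers, body


def score_webdav_request(raw: bytes):
    """Return the list of indicator names matched by one raw HTTP request."""
    parsed = parse_request(raw)
    if parsed is None:
        return ["malformed-request-line"]
    method, uri, headers, body = parsed
    hits = []
    if method.upper() != "SEARCH":          # only the WebDAV SEARCH method is of interest
        return hits
    if len(uri) >= OVERSIZED_URI:
        hits.append("oversized-search-uri")
    ctype = headers.get("content-type", "")
    if ctype.lower().startswith("text/xml") and DAV_QUERY.encode("latin-1") in body:
        hits.append("dav-search-query")      # informational on its own: legitimate clients send it
    if "oversized-search-uri" in hits and "dav-search-query" in hits:
        hits.append("cve-2003-0109-pattern")  # the combination the page's indicators describe
    return hits


def is_alert(raw: bytes) -> bool:
    """An oversized SEARCH URI is the alerting condition, with or without the query body."""
    return "oversized-search-uri" in score_webdav_request(raw)


def correlation_port(observed_port: int) -> int:
    """Scanner probes for this bug seen on 139/445 are correlated back to the IIS port 80."""
    return 80 if observed_port in (139, 445) else observed_port


# --- constructed sample traffic (not captured data) ---------------------------
def _build(method, uri, headers, body=b""):
    head = [f"{method} {uri} HTTP/1.1".encode("latin-1")]
    head += [f"{k}: {v}".encode("latin-1") for k, v in headers]
    return b"\r\n".join(head) + b"\r\n\r\n" + body


COMMON = [("Host", "iis-host.example"), ("Content-Type", "text/xml")]
DAV_BODY = (b'<?xml version="1.0"?><g:searchrequest xmlns:g="DAV:"><g:sql>'
            + DAV_QUERY.encode("latin-1") + b"</g:sql></g:searchrequest>")

GET_REQUEST = _build("GET", "/index.html", [("Host", "iis-host.example")])
BENIGN_SEARCH = _build("SEARCH", "/docs/", COMMON, DAV_BODY)      # ordinary WebDAV search
OVERSIZED_SEARCH = _build("SEARCH", "/" + "A" * 65514, COMMON, DAV_BODY)  # filler-length URI

if __name__ == "__main__":
    for name, req in [("GET", GET_REQUEST), ("benign SEARCH", BENIGN_SEARCH),
                      ("oversized SEARCH", OVERSIZED_SEARCH)]:
        print(f"{name:17s} alert={is_alert(req)} hits={score_webdav_request(req)}")
```

The query body by itself is deliberately not an alerting condition, since any WebDAV client performing a DAV search sends it; the length of the Request-URI is what separates the exploit traffic described on the page from normal use.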

CVSS provenance

NVD (CVSS v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 7.5 HIGH