CVE-2003-0352
published 2003-08-18


Priority: P2 (75)
CVSS 2.0: 7.5 high, vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploited in the wild (ITW exploit; VulnCheck KEV)
EPSS: 98.63% (99.9th percentile)
Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.

Affected

6 ranges

Vendor      Product               Version range   Fixed in
microsoft   windows_2003_server
microsoft   windows_2003_server
microsoft   windows_2003_server
microsoft   windows_2003_server
microsoft   windows_2003_server
microsoft   windows_nt

Detection & IOCs (extracted from sources)

filename: msblast.exe
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
port: 135
port: 139
port: 445
port: 593
other: 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57
snort:
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"; flow:established,to_server; flowbits:set,dce.isystemactivator.bind.call.attempt; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2102193; rev:14; metadata:created_at 2010_09_23, cve CVE_2003_0352, confidence Medium, signature_severity Informational, updated_at 2024_03_14;)
bytes:
05 00 0B 03 10 00 00 00 48 00 00 00 7F 00 00 00 D0 16 D0 16 00 00 00 00 01 00 00 00 01 00 01 00 a0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00
  • Monitor for creation of msblast.exe in the Windows system directory and its execution as a process.
  • Alert on DCOM RPC bind requests to the ISystemActivator interface UUID (4d9f4ab8-7d1c-11cf-861e-0020af6e7c57) over TCP port 135.
  • Look for excessive outbound TCP traffic to windowsupdate.com as a DoS payload indicator from infected hosts.
  • Watch for systems crashing with error code 0xC0000005 (access violation), which is a symptom of exploitation or infection.
  • Detect DCERPC ISystemActivator bind attempts on SMB port 445 using the Snort/Suricata rule matching the byte pattern |A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F within DCERPC bind PDUs (SID 2102193).
  • Scan for the RPC DCOM bind string byte sequence (bindstr) sent to port 135 as an indicator of active exploitation attempts.
  • Under some configurations the RPC Endpoint Mapper may receive traffic via port 80, so blocking only 135/139/445/593 may not fully prevent exploitation.
  • The universal Metasploit target uses multiple return addresses for NT 4.0 SP3-6a, Windows 2000, XP, and 2003 in a single request, meaning a single malformed packet can exploit multiple OS versions simultaneously.
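The Snort rule above matches the ISystemActivator abstract syntax as a fixed 16-byte pattern inside the bind PDU. The following is an added example (not code from this site or from any of the cited sources) that instead decodes the DCERPC bind PDU structurally: it parses the common header, honours the data-representation byte order, walks the presentation-context list, and raises an alert when a context binds to one of the two interface UUIDs this page lists (the IOC entry 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 and the 000001a0-0000-0000-c000-000000000046 UUID encoded in the bytes above). The sample PDU is the byte sequence given on this page; the second, non-bind PDU in the test is constructed. Because it decodes the UUID rather than matching raw bytes, it goes slightly beyond the Snort content match and would also recognise the interface in a big-endian data-representation encoding.

```python
import struct
import uuid

# The DCERPC bind PDU listed under "bytes" on this page (copied verbatim, hex).
PAGE_BIND_PDU_HEX = (
    "05 00 0B 03 10 00 00 00 48 00 00 00 7F 00 00 00 D0 16 D0 16 00 00 00 00 "
    "01 00 00 00 01 00 01 00 a0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46 "
    "00 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00"
)

# Interface UUIDs this page associates with CVE-2003-0352: the IOC entry above
# and the abstract syntax carried in the bind PDU.
WATCHED_INTERFACES = {
    uuid.UUID("4d9f4ab8-7d1c-11cf-861e-0020af6e7c57"),
    uuid.UUID("000001a0-0000-0000-c000-000000000046"),
}

PTYPE_BIND = 0x0B  # DCERPC connection-oriented packet type: bind request


def _uuid_at(buf: bytes, off: int, little_endian: bool) -> uuid.UUID:
    """Decode the 16-byte UUID at buf[off:] in the PDU's declared byte order."""
    raw = buf[off:off + 16]
    if len(raw) != 16:
        raise ValueError("truncated UUID in PDU")
    return uuid.UUID(bytes_le=raw) if little_endian else uuid.UUID(bytes=raw)


def parse_dcerpc_bind(pdu: bytes) -> dict:
    """Decode a DCERPC v5 common header and, for a bind PDU, its presentation
    context list: (context id, interface UUID, interface version, transfer syntaxes)."""
    if len(pdu) < 16:
        raise ValueError("PDU shorter than the 16-byte DCERPC common header")
    ver, _minor, ptype, _flags = struct.unpack_from("<BBBB", pdu, 0)
    drep = pdu[4:8]
    # High nibble of the first data-representation byte gives the integer byte order.
    little_endian = (drep[0] >> 4) == 1
    e = "<" if little_endian else ">"
    frag_len, _auth_len, call_id = struct.unpack_from(e + "HHI", pdu, 8)
    if ver != 5:
        raise ValueError(f"unsupported RPC major version {ver}")
    if frag_len > len(pdu):
        raise ValueError(f"frag_length {frag_len} exceeds captured bytes ({len(pdu)})")
    info = {"ptype": ptype, "call_id": call_id, "frag_length": frag_len, "contexts": []}
    if ptype != PTYPE_BIND:
        return info
    try:
        _max_xmit, _max_recv, _assoc_group, n_ctx = struct.unpack_from(e + "HHIB", pdu, 16)
        off = 28  # header (16) + bind fixed fields (9) + 3 bytes of alignment padding
        for _ in range(n_ctx):
            ctx_id, n_ts = struct.unpack_from(e + "HBx", pdu, off)   # id, #transfer syntaxes, pad
            off += 4
            iface = _uuid_at(pdu, off, little_endian)
            off += 16
            iface_ver = struct.unpack_from(e + "HH", pdu, off)         # (major, minor)
            off += 4
            syntaxes = []
            for _ in range(n_ts):
                ts = _uuid_at(pdu, off, little_endian)
                off += 16
                ts_ver = struct.unpack_from(e + "HH", pdu, off)
                off += 4
                syntaxes.append((ts, ts_ver))
            info["contexts"].append({
                "ctx_id": ctx_id,
                "interface": iface,
                "version": iface_ver,
                "transfer_syntaxes": syntaxes,
            })
    except struct.error as exc:
        raise ValueError("truncated bind context list") from exc
    return info


def flag_watched_bind(pdu: bytes, dst_port: int) -> list:
    """Detection logic: one alert string per presentation context that binds to a
    watched interface. Non-bind PDUs and unwatched interfaces produce no alerts."""
    info = parse_dcerpc_bind(pdu)
    alerts = []
    if info["ptype"] != PTYPE_BIND:
        return alerts
    for ctx in info["contexts"]:
        if ctx["interface"] in WATCHED_INTERFACES:
            major, minor = ctx["version"]
            alerts.append(
                f"DCERPC bind to interface {ctx['interface']} v{major}.{minor} on tcp/{dst_port} "
                f"(call_id {info['call_id']}, context {ctx['ctx_id']})"
            )
    return alerts


if __name__ == "__main__":
    for line in flag_watched_bind(bytes.fromhex(PAGE_BIND_PDU_HEX), 135):
        print(line)
```

Run as-is, it reports one bind to 000001a0-0000-0000-c000-000000000046 v0.0 with NDR transfer syntax 8a885d04-1ceb-11c9-9fe8-08002b104860, which is what the 72-byte PDU on this page encodes; feed it the bind PDUs carved from port 135/445 traffic to apply the same check in bulk.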

CVSS provenance

nvd: v2.0 7.5 HIGH AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck: 7.5 HIGH