CVE-2003-0528
published 2003-09-17

CVE-2003-0528: Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code…

Priority: P348, severity: critical, CVSS 2.0 score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 37.80% (98.4th percentile)
Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0715.

Affected

6 ranges
Vendor | Product | Version range | Fixed in
microsoft | windows_2003_server | |
microsoft | windows_2003_server | |
microsoft | windows_2003_server | |
microsoft | windows_2003_server | |
microsoft | windows_2003_server | |
microsoft | windows_nt | |

Detection & IOCs (extracted from sources)

port 135
port 445
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:established,to_server; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2102252; rev:16; metadata:created_at 2010_09_23, cve CVE_2003_0528, confidence Medium, signature_severity Informational, updated_at 2024_03_08;)
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC Remote Activation bind attempt"; flow:established,to_server; content:"|05|"; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2102251; rev:17; metadata:created_at 2010_09_23, cve CVE_2003_0528, signature_severity Informational, updated_at 2024_03_08;)
bytes
|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W
bytes
|5C 00|P|00|I|00|P|00|E|00 5C 00|
bytes
|FF|SMB%
  • Detect DCERPC Remote Activation bind attempts over SMB-DS (port 445): match the SMB header magic |FF|SMB% at offset 4, followed by the DCERPC version byte |05| and the bind PDU type |0B|, and the DCOM CLSID byte pattern |B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF 6E 7C 57| within the packet payload.
  • Detect DCERPC Remote Activation bind attempts over the RPC endpoint mapper (port 135): match the DCERPC version byte |05| and the bind PDU type |0B| with the DCOM CLSID byte pattern |B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF 6E 7C 57|.
  • Tag the session for 5 packets upon match (tag:session,5,packets) so that the traffic following the bind is captured for forensic analysis.
  • This CVE is related to but distinct from CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0715; all three involve malformed DCERPC DCOM object activation request packets with modified length fields targeting RPCSS.
  • The Snort rule for port 445 (sid:2102252) is marked confidence Medium and signature_severity Informational, indicating a higher false-positive rate; tune $EXTERNAL_NET/$HOME_NET variables appropriately before deploying in blocking mode.
  • Both Snort rules (sid:2102251 and sid:2102252) also reference CVE-2003-0605 and CVE-2003-0715 in addition to CVE-2003-0528; a match does not exclusively confirm CVE-2003-0528 exploitation.
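
The port 135 check above, written out as a parser (an added example, not code from this page or from the rule authors). The rules test the 16-byte pattern at one fixed distance after the |05| and |0B| bytes, which lines up with the first presentation context of a bind; this version goes further and walks every context and honours the byte-order flag. It assumes the DCE/RPC PDU is carried directly over TCP (no SMB wrapping), and build_bind, OTHER and the field values it packs are constructed sample data.

```python
import struct
import uuid

# The 16 bytes both rules match, read as a little-endian UUID.
TARGET = uuid.UUID(bytes_le=bytes.fromhex("b84a9f4d1c7dcf11861e0020af6e7c57"))
NDR = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")    # NDR transfer syntax
OTHER = uuid.UUID("12345678-1234-1234-1234-123456789abc")  # constructed, unrelated

def bind_abstract_syntaxes(pdu):
    """Return the abstract-syntax UUID of every context offered in a bind PDU."""
    if len(pdu) < 28 or pdu[0] != 0x05 or pdu[2] != 0x0B:
        return []                          # not RPC version 5 or not a bind
    if not pdu[3] & 0x01:                  # PFC_FIRST_FRAG, as in the rules' byte_test
        return []
    little = bool(pdu[4] & 0x10)           # data representation: integer byte order
    found, off = [], 28                    # context list starts after n_context_elem
    for _ in range(pdu[24]):
        if off + 24 > len(pdu):
            break                          # truncated list: stop, keep what was parsed
        raw = pdu[off + 4:off + 20]
        found.append(uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw))
        off += 24 + 20 * pdu[off + 2]      # skip this context's transfer syntaxes
    return found

def binds_remote_activation(pdu):
    """True if any offered context carries the pattern the rules look for."""
    return TARGET in bind_abstract_syntaxes(pdu)

def build_bind(ifaces, flags=0x03):
    """Constructed sample input: a little-endian bind offering the given UUIDs."""
    body = struct.pack("<HHIB3x", 4280, 4280, 0, len(ifaces))
    for ctx_id, iface in enumerate(ifaces):
        body += struct.pack("<HBx", ctx_id, 1) + iface.bytes_le + struct.pack("<I", 0)
        body += NDR.bytes_le + struct.pack("<I", 2)
    head = struct.pack("<BBBB4sHHI", 5, 0, 0x0B, flags, b"\x10\x00\x00\x00",
                       16 + len(body), 0, 1)
    return head + body

if __name__ == "__main__":
    cases = [("first", [TARGET]), ("second", [OTHER, TARGET]), ("absent", [OTHER])]
    for name, ifaces in cases:
        print(name, binds_remote_activation(build_bind(ifaces)))
```

As with the rules, a hit only shows that a bind to this interface was requested; it does not by itself confirm exploitation of CVE-2003-0528.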