CVE-2003-0528
Published 2003-09-17
Priority: P348 · CVSS 2.0: 10 (critical) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 37.80% (98.4th percentile)
Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0715.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_nt | — | — |
Detection & IOCs (extracted from sources)
Ports: 135, 445
Snort rule (sid:2102252, port 445):
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:established,to_server; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2102252; rev:16; metadata:created_at 2010_09_23, cve CVE_2003_0528, confidence Medium, signature_severity Informational, updated_at 2024_03_08;)
Snort rule (sid:2102251, port 135):
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC Remote Activation bind attempt"; flow:established,to_server; content:"|05|"; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2102251; rev:17; metadata:created_at 2010_09_23, cve CVE_2003_0528, signature_severity Informational, updated_at 2024_03_08;)
Byte patterns used by the rules:
- |B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W (the DCOM IRemoteActivation interface UUID, 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57, in little-endian byte order)
- |5C 00|P|00|I|00|P|00|E|00 5C 00| (UTF-16LE "\PIPE\" in the SMB named-pipe path)
- |FF|SMB% (SMB header magic followed by the SMB_COM_TRANSACTION command byte 0x25)
- Detects DCERPC Remote Activation bind attempts over SMB-DS (port 445): match the SMB header magic |FF|SMB% at offset 4, then the DCERPC header bytes |05| (version) and |0B| (bind PDU type), then the 16-byte DCOM IRemoteActivation interface UUID B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF 6E 7C 57 in the bind's presentation context.
- Detects DCERPC Remote Activation bind attempts over the RPC endpoint mapper (port 135): match the DCERPC header bytes |05| and |0B| followed by the same UUID pattern 29 bytes after the PDU type byte.
- On a match, tags the following 5 packets of the session (tag:session,5,packets) so the complete exchange is captured for forensic analysis.
- This CVE is related to but distinct from CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0715; all three involve malformed DCERPC DCOM object activation request packets with modified length fields targeting RPCSS.
- The port-445 rule (sid:2102252) is marked confidence Medium and signature_severity Informational, indicating a higher false-positive rate; tune the $EXTERNAL_NET and $HOME_NET variables before deploying it in blocking mode.
- Both rules (sid:2102251 and sid:2102252) also reference CVE-2003-0605 and CVE-2003-0715 in addition to CVE-2003-0528; a match does not by itself confirm CVE-2003-0528 exploitation. Since the rules key on a bind to the IRemoteActivation interface rather than on the malformed request itself, any legitimate DCOM activation arriving from $EXTERNAL_NET will also fire them.
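The content checks of the port-135 rule (sid:2102251), reimplemented as an added Python example that is not code from this page or from the rule's authors, and run against a constructed DCERPC bind PDU. `build_bind_pdu` is a constructed sample-packet builder, and `is_remote_activation_bind` assumes it is handed one already-delimited DCERPC PDU rather than a raw TCP stream.

```python
import struct
import uuid

# UUID carried by both rules as |B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W:
# the DCOM IRemoteActivation interface, in little-endian (NDR) byte order.
REMOTE_ACTIVATION = uuid.UUID("4d9f4ab8-7d1c-11cf-861e-0020af6e7c57").bytes_le
# NDR transfer syntax, used only to build the constructed sample PDU below.
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860").bytes_le

PTYPE_BIND = 0x0B      # DCERPC PDU type for bind
PFC_FIRST_FRAG = 0x01  # flag bit tested by byte_test:1,&,1,0,relative


def is_remote_activation_bind(pdu: bytes) -> bool:
    """Apply the content checks of sid:2102251 to one raw DCERPC PDU.

    Rule order: version byte 0x05, type byte 0x0B two bytes later, first-fragment
    bit set in the next byte, and the 16-byte UUID exactly 29 bytes after the
    type byte (offset 32, the bind's abstract syntax) equal to IRemoteActivation.
    """
    if len(pdu) < 48:
        return False
    if pdu[0] != 0x05 or pdu[2] != PTYPE_BIND:
        return False
    if not pdu[3] & PFC_FIRST_FRAG:
        return False
    return pdu[32:48] == REMOTE_ACTIVATION


def build_bind_pdu(abstract_syntax: bytes, first_frag: bool = True) -> bytes:
    """Constructed sample: a minimal DCERPC bind with one presentation context."""
    flags = (PFC_FIRST_FRAG if first_frag else 0) | 0x02  # 0x02 = last fragment
    body = struct.pack("<HHI", 5840, 5840, 0)        # max xmit/recv, assoc group
    body += struct.pack("<BBH", 1, 0, 0)             # one context element
    body += struct.pack("<HBB", 0, 1, 0)             # context id 0, one transfer syntax
    body += abstract_syntax + struct.pack("<I", 0)   # interface UUID + version
    body += NDR_SYNTAX + struct.pack("<I", 2)        # NDR transfer syntax v2
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, flags,
                         b"\x10\x00\x00\x00", 16 + len(body), 0, 1)
    return header + body


if __name__ == "__main__":
    samples = {
        "IRemoteActivation bind": build_bind_pdu(REMOTE_ACTIVATION),
        "other interface bind": build_bind_pdu(uuid.uuid4().bytes_le),
        "continuation fragment": build_bind_pdu(REMOTE_ACTIVATION, first_frag=False),
    }
    for name, pdu in samples.items():
        print(f"{name:24s} -> {'ALERT' if is_remote_activation_bind(pdu) else 'no match'}")
```

The third sample shows why the rule's byte_test matters: a later fragment of the same bind carries no interface UUID at offset 32, so only the first fragment is meaningful to match.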
Related advisories (GHSA, unreviewed, 2022-04-29)
- GHSA-rx7x-69jw-r2f4 (CVE-2003-0528, HIGH, CVSS 7.5): Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0715.
- GHSA-5f25-6f2x-h9x6 (CVE-2003-0813, HIGH, CWE-367, CVSS 7.5): A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities.
- GHSA-79xx-p4p4-fv5q (CVE-2003-0715, HIGH, CVSS 7.5): Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528.
Suricata rules (2010-09-23)
- GPL NETBIOS SMB-DS DCERPC Remote Activation bind attempt (CVE-2003-0528): same rule body as Snort sid:2102252 above.
- GPL NETBIOS DCERPC Remote Activation bind attempt (CVE-2003-0528): same rule body as Snort sid:2102251 above.
No public exploits indexed.
No writeups or analysis indexed.
References
- http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0100.html
- http://marc.info/?l=bugtraq&m=106407417011430&w=2
- http://www.cert.org/advisories/CA-2003-23.html
- http://www.kb.cert.org/vuls/id/254236
- http://www.nsfocus.com/english/homepage/research/0306.htm
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-039
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A127
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2884
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2968
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3966