cbcvebase.
CVE-2003-0533
published 2004-06-01


Priority: P2 (75) · CVSS 2.0: 7.5 (high)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
ITW exploit (VulnCheck KEV): Exploited in the wild
EPSS: 86.15% (99.7th percentile)
Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
microsoft | windows_2003_server | (none given) | (none given)
microsoft | windows_nt | (none given) | (none given)

Detection & IOCs (extracted from sources)

port: 445
port: 135
path: \lsarpc
other: 3919286a-b10c-11d0-9ba8-00c04fd92ef5
filename: LSASRV.DLL
path: DCPROMO.LOG
command: DsRoleUpgradeDownlevelServer
path: \\%s\ipc$
bytes: j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|
snort: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC LSASS bind attempt"; flow:established,to_server; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; content:"|05|"; depth:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102507; rev:10; metadata:created_at 2010_09_23, cve CVE_2003_0533, confidence Medium, signature_severity Informational, updated_at 2024_03_14;)
bytes: \xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF
bytes: \xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x7D\x01\x80\x34\x0A\x99\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF
  • Detect DCERPC bind attempts to the LSASS interface UUID 3919286a-b10c-11d0-9ba8-00c04fd92ef5 over ncacn_np \lsarpc on TCP port 135 or 445; the LSASS RPC UUID bytes 6a 28 19 39 0c b1 d0 11 9b a8 00 c0 4f d9 2e f5 appear in the bind request and are a reliable signature.
  • Exploit establishes a null SMB session to IPC$ before invoking the vulnerable RPC call; alert on unauthenticated WNetAddConnection2 / null-session IPC$ connections followed by DCERPC activity to lsarpc.
  • The Metasploit module uses DCERPC call opnum 9 on the lsarpc pipe; alert on DCERPC requests with opnum 9 to the LSASS interface UUID.
  • Payload bad characters for this exploit are \x00\x0a\x0d\x5c\x5f\x2f\x2e; shellcode in the wild will avoid these bytes. Reverse-shell shellcode starts with the distinctive stub EB 10 5B 4B 33 C9 66 B9 25 01; bind-shell shellcode starts with EB 10 5A 4A 33 C9 66 B9 7D 01.
  • The Sasser worm exploited this vulnerability; monitor for lsass.exe spawning unexpected child processes or network connections, and for abnormal writes to DCPROMO.LOG.
  • DCERPC request fragmentation (FragSize parameter) may be used to evade length-based detection; inspect reassembled DCERPC streams rather than individual fragments.
  • The exploit requires two runs against Windows XP targets due to memory layout differences; a single failed attempt should not be treated as a definitive miss.
  • The exploit payload space is limited to 1024 bytes with a stack adjustment of -3500; staged payloads or large shellcode will not fit without modification.

CVSS provenance

NVD (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 7.5 HIGH