CVE-2003-0715
Published 2003-09-17
Priority P3 · 46 · critical · CVSS 2.0 base score 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 37.14% (98.3rd percentile)
Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_nt | — | — |
Detection & IOCs (extracted from sources)

Ports: 445, 135

Snort rule sid:2102252, DCERPC Remote Activation bind carried over SMB-DS on TCP 445:

```
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:established,to_server; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2102252; rev:16;)
```

Snort rule sid:2102251, DCERPC Remote Activation bind directly on TCP 135:

```
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC Remote Activation bind attempt"; flow:established,to_server; content:"|05|"; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2102251; rev:17;)
```

Byte patterns used by the rules:

- `|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W` (the DCOM Remote Activation interface UUID as encoded on the wire)
- `|5C 00|P|00|I|00|P|00|E|00 5C 00|` (UTF-16LE `\PIPE\`, the SMB named-pipe path prefix)
- `|FF|SMB%` (SMB header magic followed by command byte `%`, 0x25, SMB_COM_TRANSACTION)
- The exploit targets DCOM object activation over DCERPC: detect DCERPC bind requests (PDU type 0x0B, with the first-fragment flag bit checked by the rule's `byte_test`) on TCP 135 (MSRPC endpoint mapper) that carry the DCOM Remote Activation interface UUID B84A9F4D-1C7D-CF11-861E-0020AF6E7C57.
- On TCP 445 (SMB-DS), look for SMB named-pipe traffic (`\PIPE\`) carrying the same DCERPC Remote Activation bind with the DCOM UUID; a match indicates exploitation tunnelled over SMB named pipes.
- The vulnerability is a heap-based buffer overflow triggered by a malformed DCERPC DCOM object activation request with modified length fields; inspect DCERPC PDU length fields for anomalies in packets that follow a matching Remote Activation bind.
- Tag the session on a matching bind attempt (`tag:session,5,packets` captures the next 5 packets) so the subsequent activation request and any payload delivery are retained for analysis.
- The Snort rules (sid:2102252, sid:2102251) also reference CVE-2003-0528 and CVE-2003-0605; they are shared detection rules covering multiple DCOM/RPCSS vulnerabilities, not exclusively CVE-2003-0715. Tune or layer additional checks to distinguish between these related CVEs.
- CVE-2003-0715 is explicitly a different vulnerability from CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528; ensure detection logic does not rely solely on Blaster-era signatures, which may miss this distinct heap overflow variant.
GHSA

- GHSA-rx7x-69jw-r2f4 (CVE-2003-0528, HIGH; ghsa_unreviewed · 2022-04-29 · CVSS 7.5): Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0715.
- GHSA-5f25-6f2x-h9x6 (CVE-2003-0813, HIGH, CWE-367; ghsa_unreviewed · 2022-04-29 · CVSS 7.5): A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities.
- GHSA-79xx-p4p4-fv5q (CVE-2003-0715, HIGH; ghsa_unreviewed · 2022-04-29 · CVSS 7.5): Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528.
Suricata

GPL NETBIOS SMB-DS DCERPC Remote Activation bind attempt (suricata · 2010-09-23 · CVE-2003-0528):

```
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:established,to_server; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx
```

GPL NETBIOS DCERPC Remote Activation bind attempt (suricata · 2010-09-23 · CVE-2003-0528):

```
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC Remote Activation bind attempt"; flow:established,to_server; content:"|05|"; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2102251; rev:17; metadata:created_at 2010_09_23, cve CVE_2003_0528, signature_severity Informational, updated_at 2024_03_08;)
```
No public exploits indexed.
No writeups or analysis indexed.
References

- http://marc.info/?l=bugtraq&m=106322856608909&w=2
- http://www.cert.org/advisories/CA-2003-23.html
- http://www.kb.cert.org/vuls/id/483492
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-039
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1202
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1813
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A20
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A264
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4224