CVE-2003-0717
Published 2003-11-17
Priority P2 · 61 · high · 7.5 (CVSS 2.0) · vector AV:N/AC:L/Au:N/C:P/I:P/A:P · EXPLOIT available
EPSS 63.46% (99.1th percentile)
The Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message, which allows remote attackers to execute arbitrary code via a buffer overflow attack.
Affected (6 ranges; version detail not indexed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_nt | — | — |
Detection & IOCs (extracted from sources)
- port: 445/tcp
- bytes: \x04\x00\x28\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0\x4f\xb6\xe6\xfc
- bytes: 0x14 (body fill byte triggering CR+LF expansion overflow)
Snort rule (UDP/135, sid:2102257):
alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2102257; rev:10; metadata:created_at 2010_09_23, cve CVE_2003_0717, confidence High, signature_severity Informational, updated_at 2019_07_26;)
Snort rule (TCP/445 SMB-DS, sid:2102258):
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:established,to_server; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2102258; rev:11; metadata:created_at 2010_09_23, cve CVE_2003_0717, confidence High, signature_severity Major, updated_at 2024_03_08;)
- Exploit sends a UDP packet to port 135 (DCERPC endpoint mapper). The packet begins with the 4-byte magic \x04\x00\x28\x00 followed by the DCERPC UUID \xf8\x91\x7b\x5a\x00\xff\xd0\x11\xa9\xb2\x00\xc0\x4f\xb6\xe6\xfc. Detect this header pattern on UDP/135.
- The overflow is triggered by filling the message body with 0x14 bytes. When 0x14 is encountered it is replaced by CR+LF, doubling the size and overflowing a fixed 0x11CA-byte buffer. Detect large UDP/135 DCERPC Messenger packets whose body is predominantly 0x14 bytes.
- The RCE exploit variant binds a command shell on TCP port 9191 post-exploitation. Monitor for unexpected listening services or outbound connections on port 9191 on Windows hosts.
- The exploit also reaches the target over TCP/445 via the SMB named pipe \PIPE\. The Snort rule detects the SMB-DS variant by matching the \x5C\x00P\x00I\x00P\x00E\x00\x5C\x00 (\PIPE\) string followed by the DCERPC \x04\x00 header and an oversized field (>1024 bytes).
- The RCE exploit uses CRYPTSVC.DLL (Win2k SP3) and RPCRT4.DLL (WinXP SP1) as trampoline gadgets (call [esi+48h] / call [edi+6ch]). Unexpected executable code flow through these modules' gadget addresses is a strong indicator of exploitation.
- The Snort UDP rule (sid:2102257) targets port 135 only and will not catch the SMB-DS variant delivered over TCP/445 (covered by sid:2102258). Both rules must be deployed for full coverage.
- The DoS PoC was tested against Win2K SP4; the RCE exploit was tested on Windows XP SP1 and Windows 2000 SP3 English. Behaviour on other service-pack levels is not confirmed by the sources.
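The two detection notes above (the DCERPC header plus Messenger interface UUID on UDP/135, and the CR+LF expansion of 0x14 fill bytes past the 0x11CA-byte buffer) can be turned into a single payload check. The following is an added defender-side example, not code from the indexed sources or the Snort rules; it assumes a DCERPC connectionless (version 4) header of 80 bytes with the interface UUID at offset 24, and treats everything after that header as the message body, which is a heuristic rather than a full NetrSendMessage stub parser.

```python
"""Heuristic UDP/135 payload check for CVE-2003-0717 (MS03-043).

Added example. Assumptions not stated by the sources: the datagram is a
DCERPC connectionless (v4) request with an 80-byte header, and the body
is taken to be everything after that header.
"""
from dataclasses import dataclass

# Interface UUID bytes exactly as listed in the page's IOC (offset 24 of the IOC string).
MSGSVC_IF_UUID = bytes.fromhex("f8917b5a00ffd011a9b200c04fb6e6fc")
CL_HEADER_LEN = 80        # assumption: DCERPC connectionless header size
IF_UUID_OFFSET = 24       # where the IOC byte string places the UUID
DEST_BUFFER_LEN = 0x11CA  # fixed destination buffer size named by the sources
FILL_BYTE = 0x14          # each 0x14 is rewritten to CR+LF (one extra byte)


@dataclass
class Verdict:
    is_msgsvc: bool    # header looks like a DCERPC v4 request to the Messenger interface
    body_len: int
    fill_count: int    # number of 0x14 bytes in the body
    expanded_len: int  # body length after CR+LF expansion

    @property
    def suspicious(self) -> bool:
        # The overflow condition: expanded body no longer fits the 0x11CA buffer.
        return self.is_msgsvc and self.expanded_len > DEST_BUFFER_LEN


def inspect_udp135(payload: bytes) -> Verdict:
    """Classify one UDP/135 datagram payload (header match + expansion estimate)."""
    is_msgsvc = (
        len(payload) >= CL_HEADER_LEN
        and payload[0] == 0x04  # rpc_vers 4 = connectionless DCERPC
        and payload[1] == 0x00  # ptype 0 = request
        and payload[IF_UUID_OFFSET:IF_UUID_OFFSET + 16] == MSGSVC_IF_UUID
    )
    body = payload[CL_HEADER_LEN:] if is_msgsvc else b""
    fill = body.count(FILL_BYTE)
    return Verdict(is_msgsvc, len(body), fill, len(body) + fill)


def _constructed(body: bytes) -> bytes:
    """Constructed sample datagram: page's 4-byte magic, Messenger UUID, then body."""
    hdr = bytearray(CL_HEADER_LEN)
    hdr[0:4] = b"\x04\x00\x28\x00"
    hdr[IF_UUID_OFFSET:IF_UUID_OFFSET + 16] = MSGSVC_IF_UUID
    return bytes(hdr) + body


BENIGN_SAMPLE = _constructed(b"hello from admin\x00")    # constructed, short text body
SUSPECT_SAMPLE = _constructed(bytes([FILL_BYTE]) * 3000)  # constructed, 0x14-filled body
```

Run against captured UDP/135 payloads, a hit on `suspicious` means the body would double past the 0x11CA buffer; a non-matching header simply yields `is_msgsvc == False`.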
Suricata · 2010-09-23 · GPL NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:established,to_server; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2102258; rev:11; metadata:created_at 2010
Suricata · 2010-09-23 · GPL NETBIOS DCERPC Messenger Service buffer overflow attempt
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2102257; rev:10; metadata:created_at 2010_09_23, cve CVE_2003_0717, confidence High, signature_severity Informational, updated_at 2019_07_26;)
Exploit-DB · 2004-08-08 · Microsoft Messenger (Linux) - Denial of Service (MS03-043)
---
/*
Mon Oct 20 14:26:55 NZDT 2003
Re-written By VeNoMouS to be ported to linux, and tidy it up a little.
This was only like a 5 minute port but it works and has been tested.
venomgen-x.co.nz
greets to str0ke and defy
DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard.
Launching it one or two times against the target should make the
machine reboot. Tested against a Win2K SP4.
"The vulnerability results because the Messenger Service does not
properly validate the length of a message before passing it to the allocated
buffer" according to MS bulletin. Digging into it a bit more, we find that
when a character 0x14 is encountered in the 'body' part of the message, it is
replaced by a CR+LF. The buffer allo
Exploit-DB · 2003-12-16 · Microsoft Windows Messenger Service (French) - Remote (MS03-043)
---
/*******************************************************************/
/* [Crpt] MS03-043 - Messenger exploit by MrNice [Crpt] */
/* --------------------------------------------------------------- */
/* */
/* This Sploit use the unhandledexceptionfilter to redirect */
/* the execution. When overflow occur we have : */
/* */
/* mov eax,esi+8 */
/* mov ecx,esi+Ch */
/* mov dword ptr ds:[ecx],eax */
/* */
/* so we control ecx and edx and we can write 4 bytes */
/* where we want. */
/* If we try to write in a not writable memory zone, an */
/* exception is launched and unhandledexceptionfilter too. */
/* */
/* A part of unhandledexceptionfilter : */
/* */
/* mov eax, dword_0_77ECF44C(=where) */
/* cmp eax, ebx */
/* jz short
Exploit-DB · 2003-10-25 · Microsoft Windows XP/2000 - Messenger Service Buffer Overrun (MS03-043)
---
// source: https://www.securityfocus.com/bid/8826/info
Microsoft Windows Messenger Service is prone to a remotely exploitable buffer overrun vulnerability. This is due to insufficient bounds checking of messages before they are passed to an internal buffer. Exploitation could result in a denial of service or in execution of malicious code in Local System context, potentially allowing for full system compromise.
/************************************************************************************
Exploit for Microsoft Windows Messenger Heap Overflow (MS03-043)
based on PoC DoS by [email protected]
by Adik
http://netninja.to.kg
Binds command shell on port 9191
Tested on
Windows XP Professional SP1 English version
Exploit-DB · 2003-10-18 · Microsoft Windows Messenger Service - Denial of Service (MS03-043)
---
/*
DoS Proof of Concept for MS03-043 - exploitation shouldn't be too hard.
Launching it one or two times against the target should make the
machine reboot. Tested against a Win2K SP4.
"The vulnerability results because the Messenger Service does not
properly validate the length of a message before passing it to the allocated
buffer" according to MS bulletin. Digging into it a bit more, we find that when
a character 0x14 is encountered in the 'body' part of the message, it is
replaced by a CR+LF. The buffer allocated for this operation is twice the size
of the string, which is the way to go, but is then copied to a buffer which
was only allocated 11CAh bytes. Thanks to that, we can bypass the length checks
and overfl
No writeups or analysis indexed.
References
- http://marc.info/?l=bugtraq&m=106666713812158&w=2
- http://marc.info/?l=ntbugtraq&m=106632188709562&w=2
- http://www.cert.org/advisories/CA-2003-27.html
- http://www.kb.cert.org/vuls/id/575892
- http://www.securityfocus.com/bid/8826
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-043
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A213
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A268