CVE-2003-0812
Published: 2003-12-15
Priority: P3 (53) · high · CVSS 2.0 base score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit code exists
EPSS: 83.27% (99.6th percentile)

Stack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API.
Detection & IOCs (extracted from the sources listed below)

Snort rule (sid 2102316):
alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL NETBIOS DCERPC Workstation Service direct service access attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102316; rev:7; metadata:created_at 2010_09_23, cve CVE_2003_0812, signature_severity Informational, updated_at 2019_07_26;)

Content bytes matched by the rule (the 16 little-endian bytes of the WKSSVC interface UUID 6bffd098-a112-3610-9833-46c3f87e345a, written in Snort content syntax):
|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z
- The exploit targets the Workstation Service via SMB named pipes; Metasploit uses the pipe names BROWSER or WKSSVC (configurable via the SMBPIPE option) over the ncacn_np transport.
- The vulnerable DCERPC interface UUID is 6bffd098-a112-3610-9833-46c3f87e345a, version 1.0; a bind or call to this UUID over an SMB named pipe is a strong indicator of exploitation.
- The exploit requires a null session (anonymous IPC$ connection) to the target before sending the overflow; monitor for an anonymous WNetAddConnection2 to IPC$ followed by DCERPC activity.
- The overflow is triggered via DCERPC opcode 0x1b (NetAddAlternateComputerName / NetValidateName) with an oversized (~5000-byte) Unicode name argument; oversized arguments to this opcode are malicious.
- Snort SID 2102316 detects UDP-based direct Workstation Service DCERPC access; the content match targets the WKSSVC interface UUID bytes on UDP ports 1024 and above.
- Post-exploitation bind-shell ports used by public exploit code are 5555 (exploit-db/119), 9191 (exploit-db/130) and 24876 (exploit-db/123); monitor for unexpected listening services on these ports after exploitation.
- Payload bad characters for this vulnerability include null bytes and common URL/path characters; payloads avoiding these bytes in network traffic can help tune detection.
- The EIP overwrite offset in the exploit buffer is at byte 2017 (exploit-db/119) or 2044 (exploit-db/130); a ~2000-byte Unicode string argument to NetValidateName/NetAddAlternateComputerName is anomalous.
- The Metasploit module's default target is Windows XP SP0/SP1 only; the return address (0x71aa32ad in ws2help.dll) is version-specific and will crash other targets.
- The proof-of-concept (exploit-db/119) was tested only on Win2K SP4 with a FAT32 file system and will likely crash other Windows 2000 variants; XP behaviour was unknown to the author.
- The exploit requires a successful null (anonymous) IPC$ session to the target; environments that block anonymous SMB connections or null sessions will prevent exploitation.
- The Metasploit module uses a large stack adjustment (-3500 bytes) in the payload to avoid clobbering the shellcode; this is specific to the stack layout of the vulnerable function.
Suricata · GPL NETBIOS DCERPC Workstation Service direct service access attempt (sid 2102316, created 2010-09-23)
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL NETBIOS DCERPC Workstation Service direct service access attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102316; rev:7; metadata:created_at 2010_09_23, cve CVE_2003_0812, signature_severity Informational, updated_at 2019_07_26;)
Suricata · GPL NETBIOS DCERPC Workstation Service direct service bind attempt (sid 2102315, created 2010-09-23)
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL NETBIOS DCERPC Workstation Service direct service bind attempt"; flow:established,to_server; content:"|05 00 0B|"; depth:3; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102315; rev:8; metadata:created_at 2010_09_23, cve CVE_2003_0812, signature_severity Informational, updated_at 2024_03_08;)
Suricata · GPL NETBIOS SMB-DS DCERPC Workstation Service bind attempt (sid 2102311, created 2010-09-23)
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Workstation Service bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102311; rev:9; metadata:created_at 2010_09_23, cve CVE_2003_0812, confidence Medium, signature_severity Informational, updated_at 2024_03_08;)
Suricata · GPL NETBIOS SMB DCERPC Workstation Service unicode bind attempt (sid 2102308, created 2010-09-23)
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC Workstation Service unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102308; rev:8; metadata:created_at 2010_09_23, cve CVE_2003_0812, confidence Medium, signature_severity Informatio
Suricata · GPL NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt (sid 2102310, created 2010-09-23)
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102310; rev:10; metadata:created_at 2010_09_23, cve CVE_2003_0812, confidence Medium, signature_severity Inf
Suricata · GPL NETBIOS SMB DCERPC Workstation Service bind attempt (sid 2102309, created 2010-09-23)
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB DCERPC Workstation Service bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102309; rev:8; metadata:created_at 2010_09_23, cve CVE_2003_0812, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, u
Exploit-DB · Microsoft Workstation Service - NetAddAlternateComputerName Overflow (MS03-049) (Metasploit) · 2010-05-09
---
##
# $Id: ms03_049_netapi.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# The class declaration and the start of initialize were lost in the indexed
# copy (everything between "Metasploit3" and the module name); the standard
# Metasploit3 module skeleton is restored here, the mixin includes are not.
class Metasploit3 < Msf::Exploit::Remote

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Microsoft Workstation Service NetAddAlternateComputerName Overflow',
            'Description'    => %q{
                    This module exploits a stack buffer overflow in the NetApi32 NetAddAlternateComputerName
                function using the Workstation service in Windows XP.
            },
            'Author'         => [ 'hdm' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 9262 $',
            'References'     =>
                [
                    [
Exploit-DB · Microsoft Windows XP - Workstation Service Remote (MS03-049) · 2003-12-04
---
/* To build new netapi32.lib
pedump /exp netapi32.dll > netapi32.exp
buildlib netapi32.exe netapi32.exp netapi32.lib netapi32.dll
d:\>rpc_wks_bo.exe
WKS service remote exploit MS03-049 by fiNis (fiNis[at]bk[dot]ru), ver:0.1.1
Usage: rpc_wks_bo.exe [-ht]
-h : Target IP
-t : Target type (-t0 for a list)
d:\>rpc_wks_bo.exe -t0
Possible targets are:
1) Window XP Pro + SP0 [Rus]
2) Window XP Pro + SP1 [Rus]
3) Crash all
d:\>rpc_wks_bo.exe -h 192.168.100.7 -t1
[+] Prepare exploit string
[+] Sleep at 2s ...
[+] Setting up IPC$ session...
[+] IPC$ session setup successfully!
[+] Sending exploit ...
[+] Initialize WSAStartup - OK
[+] Socket initialized - OK
[+] Try connecting to 192.168.100.7:9191 ...
[*] Connected to shell a
Exploit-DB · Microsoft Windows - Workstation Service WKSSVC Remote (MS03-049) · 2003-11-14
---
/*
* Author: snooq
* Date: 14 November 2003
*
* +++++++++++++ THIS IS A PRIVATE VERSION +++++++++++++++
*
* This is just slightly better than the one I posted to
* packetstorm....
*
* The public version will crash 'services.exe' immediately
* while this one crash it only when u exit from shell....
*
* I'm still trying to figure out a way to avoid the 'crash'
* all together... any ideas????
*
* Let me know if you hav trouble compiling this shit...
* I hope this could be a good e.g for u to try Win32
* exploitation..
*
* This code is crappy... if u know of a better way of doing
* things... pls tell me.......
*
* Otherwise, if you guys r keen... I'll be more than happy
* to go thru this in details wif u all... Meanwhile..e
Exploit-DB · Microsoft Windows XP/2000 - Workstation Service Overflow (MS03-049) · 2003-11-12
---
/*
Proof of concept for MS03-049.
This code was tested on a Win2K SP4 with FAT32 file system, and is supposed
to work *only* with that (it will probably crash the other 2Ks, no clue
about XPs).
To be compiled with lcc-win32 (*hint* link mpr.lib) ... I will not improve
this public version, do not bother to ask.
Credits go to eEye
See original bulletin for more information, it is very well documented.
*/
#include
#include
#include
typedef int (*MYPROC)(LPCWSTR, LPCWSTR, LPCWSTR, LPCWSTR, ULONG);
#define SIZE 2048
// PEX generated port binding shellcode (5555)
unsigned char shellcode[] =
"\x66\x81\xec\x04\x07" // sub sp, 704h
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31"
"\xc9\x81\xe9\xa6\
Metasploit · MS03-049 Microsoft Workstation Service NetAddAlternateComputerName Overflow
This module exploits a stack buffer overflow in the NetApi32 NetAddAlternateComputerName function using the Workstation service in Windows XP.
No writeups or analysis indexed.
References:
- http://marc.info/?l=bugtraq&m=106859247713009&w=2
- http://marc.info/?l=bugtraq&m=106865197102041&w=2
- http://www.cert.org/advisories/CA-2003-28.html
- http://www.cisco.com/warp/public/707/cisco-sa-20040129-ms03-049.shtml
- http://www.kb.cert.org/vuls/id/567620
- http://www.securityfocus.com/bid/9011
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-049
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A331
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A575