cbcvebase.
CVE-2003-0812
published 2003-12-15


Priority: P353 · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit code available
EPSS: 83.27% (99.6th percentile)
Stack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API.

Detection & IOCs (extracted from sources)

registry: WKSSVC.DLL
path: NetSetup.LOG
other: 6bffd098-a112-3610-9833-46c3f87e345a
other: DCERPC opnum 0x1b
snort:
alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL NETBIOS DCERPC Workstation Service direct service access attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102316; rev:7; metadata:created_at 2010_09_23, cve CVE_2003_0812, signature_severity Informational, updated_at 2019_07_26;)
bytes (content match): |98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z
  • Exploit targets the Workstation Service via SMB named pipes; Metasploit uses pipe names BROWSER or WKSSVC (configurable via SMBPIPE option) over ncacn_np transport.
  • The vulnerable DCERPC interface UUID is 6bffd098-a112-3610-9833-46c3f87e345a version 1.0; bind/call to this UUID over SMB named pipe is a strong indicator of exploitation.
  • Exploit requires a null session (anonymous IPC$ connection) to the target before sending the overflow; monitor for anonymous WNetAddConnection2 to IPC$ followed by DCERPC activity.
  • The overflow is triggered via DCERPC opcode 0x1b (NetAddAlternateComputerName / NetValidateName) with a ~5000-byte oversized Unicode name argument; oversized arguments to this opcode are malicious.
  • Snort SID 2102316 detects UDP-based direct Workstation Service DCERPC access; the content match targets the WKSSVC interface UUID bytes on UDP port range 1024+.
  • Post-exploitation bind-shell ports used by public exploit code are 5555 (exploit-db/119), 9191 (exploit-db/130), and 24876 (exploit-db/123); monitor for unexpected listening services on these ports after exploitation.
  • Payload bad characters for this vulnerability include null bytes and common URL/path characters; payloads avoiding these bytes in network traffic can help tune detection.
  • The EIP overwrite offset in the exploit buffer is at byte 2017 (exploit-db/119) or 2044 (exploit-db/130); a ~2000-byte Unicode string argument to NetValidateName/NetAddAlternateComputerName is anomalous.
  • The Metasploit module default target is Windows XP SP0/SP1 only; the return address (0x71aa32ad in ws2help.dll) is version-specific and will crash other targets.
  • The proof-of-concept (exploit-db/119) was tested only on Win2K SP4 with FAT32 file system and will likely crash other Windows 2000 variants; XP behavior was unknown to the author.
  • The exploit requires a successful null (anonymous) IPC$ session to the target; environments that block anonymous SMB connections or null sessions will prevent exploitation.
  • The Metasploit module uses a large stack adjustment (-3500 bytes) in the payload to avoid clobbering the shellcode; this is specific to the stack layout of the vulnerable function.
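To show what the Snort rule above actually keys on, here is an added Python example (written for this page, not taken from Snort or from the page's sources): it decodes the rule's pipe-escaped content into the Workstation Service interface UUID, builds a constructed connectionless DCERPC request header carrying that UUID, and replays the rule's three matching steps against it. The 80-byte header layout and the opnum offset are assumptions about the DCE RPC connectionless PDU format; the page only states the UUID, the opnum 0x1b and the rule text.

```python
import uuid

# Content match of Snort SID 2102316 exactly as quoted on the page, and the
# Workstation Service interface UUID the page says it encodes.
SNORT_CONTENT = "|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"
WKSSVC_UUID = "6bffd098-a112-3610-9833-46c3f87e345a"


def snort_content_to_bytes(content: str) -> bytes:
    """Decode Snort content syntax: text between | | is hex, the rest literal ASCII."""
    out = bytearray()
    for i, piece in enumerate(content.split("|")):
        out += bytes.fromhex(piece) if i % 2 else piece.encode("ascii")
    return bytes(out)


def wire_uuid_to_str(raw: bytes) -> str:
    """NDR sends the first three UUID fields little-endian, so use bytes_le, not bytes."""
    return str(uuid.UUID(bytes_le=raw))


def build_cl_request(if_uuid: str, opnum: int) -> bytes:
    """Constructed 80-byte connectionless (rpc_vers 4) DCERPC request header; assumed layout:
    vers(1) ptype(1) flags1(1) flags2(1) drep(3) serial_hi(1) object(16) if_id(16)
    act_id(16) server_boot(4) if_vers(4) seqnum(4) opnum(2) ihint(2) ahint(2) len(2)
    fragnum(2) auth_proto(1) serial_lo(1)."""
    hdr = bytes([4, 0, 0, 0, 0x10, 0, 0, 0])       # version 4, ptype 0 = request, LE drep
    hdr += bytes(16)                                # object UUID (nil)
    hdr += uuid.UUID(if_uuid).bytes_le              # interface UUID in NDR byte order
    hdr += bytes(16)                                # activity UUID (placeholder)
    hdr += bytes(4) + (1).to_bytes(4, "little") + bytes(4)   # boot time, if_vers 1.0, seqnum
    hdr += opnum.to_bytes(2, "little") + bytes(10)  # opnum, hints, len, fragnum, auth, serial
    return hdr


def cl_request_opnum(pkt: bytes) -> int:
    """Opnum of a CL request (offset 68 in the assumed layout); the page flags 0x1b."""
    return int.from_bytes(pkt[68:70], "little")


def rule_2102316_matches(pkt: bytes) -> bool:
    """Replay of the rule's logic (an approximation written here, not Snort's engine):
    content:"|04 00|" depth:2            -> rpc_vers 4, ptype 0 at offset 0
    byte_test:1,&,16,2,relative          -> drep[0] (offset 2+2) has the 0x10 little-endian bit
    content:<uuid> distance:22 within:16 -> the 16-byte if_id starts 22 past the first match,
                                            i.e. the rule keys on the interface UUID field."""
    if pkt[:2] != b"\x04\x00" or len(pkt) < 40:
        return False
    if not pkt[4] & 0x10:
        return False
    return pkt[24:40] == snort_content_to_bytes(SNORT_CONTENT)
```

The rule therefore fires on any connectionless request bound to the WKSSVC interface, regardless of opnum; an analyst can pair the match with cl_request_opnum() to see whether the call is the 0x1b path the page describes.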