CVE-2003-0813
published 2003-11-17

Priority: P4 · 22 · medium
CVSS 2.0: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
EPSS: 14.84% (96.3th percentile)
A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities.

Affected (1 range)

Vendor     Product     Version range  Fixed in
microsoft  windows_nt

Detection & IOCs (extracted from sources)

Port: 445
Snort rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"; flow:established,to_server; flowbits:set,dce.isystemactivator.bind.call.attempt; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102491; rev:10;)
Snort rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind.call.attempt; content:"|05|"; depth:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2102496; rev:11;)
Bytes: |5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|
Bytes: |A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F
  • Track the two-stage attack flow: first detect an ISystemActivator DCERPC unicode bind on TCP/445 (sid:2102491, sets flowbit dce.isystemactivator.bind.call.attempt), then detect the follow-on ORPCThis request flood (sid:2102496, requires that flowbit to be set). Both rules must fire in sequence for full coverage.
  • The flood-stage rule triggers when 20 or more ORPCThis requests are sent to the same destination within 60 seconds — use threshold-based alerting (type both, track by_dst, count 20, seconds 60) to reduce noise while still catching the DoS condition.
  • The ISystemActivator bind packet contains a unicode \PIPE\ path encoded as |5C 00 50 00 49 00 50 00 45 00 5C 00| followed by DCERPC bind opcode bytes |05 00 0B|; match this byte sequence within the SMB named-pipe write to TCP/445.
  • The ISystemActivator CLSID/IID tail bytes |A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F appear in the bind request and can serve as a secondary content match to reduce false positives.
  • The exploit payload for the ORPCThis flood stage contains the ASCII string 'MEOW'; its presence in repeated DCERPC requests to TCP/445 is a strong indicator of active exploitation.
  • Both Snort rules are classified as 'Informational' severity and 'Medium' confidence, meaning they may fire on legitimate DCOM traffic; tune $HOME_NET and $EXTERNAL_NET variables appropriately and validate flowbit state before acting on alerts.
  • The vulnerability is only exploitable when the MS03-039 patch is installed but MS04-011 is not; systems fully patched to MS04-011 or later are not affected. Prioritise detection on hosts in that specific patch window.
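
The two-stage flowbit and threshold logic described in the notes above, modelled in Python as an added example (not code from this page or from Snort). Assumptions: the names detect and sample_events, the flow ids and the 10.0.0.x addresses are constructed; plain substring matching stands in for the rules' offset, distance and byte_test checks; "type both" is modelled as one alert per fixed 60-second interval that starts at the first counted request.

```python
# Simplified model of sid:2102491 -> sid:2102496 (flowbit + threshold); added example.
PIPE_BIND = "\\PIPE\\".encode("utf-16-le") + b"\x05\x00\x0b"   # unicode \PIPE\ + bind bytes
IID_TAIL = b"\xa0\x01" + b"\x00" * 6 + b"\xc0" + b"\x00" * 6 + b"F"
FLOOD_MARK = b"MEOW"
COUNT, SECONDS = 20, 60   # threshold:type both, track by_dst, count 20, seconds 60


def detect(events):
    """events: (ts, flow_id, dst_ip, payload) tuples sorted by ts.
    Returns (ts, sid, dst_ip) alerts."""
    flowbit = set()   # flows on which the bind rule set the flowbit
    window = {}       # dst_ip -> [window_start, count, alerted]
    alerts = []
    for ts, flow, dst, payload in events:
        if PIPE_BIND in payload and IID_TAIL in payload:
            flowbit.add(flow)
            alerts.append((ts, 2102491, dst))
        elif flow in flowbit and FLOOD_MARK in payload:
            w = window.get(dst)
            if w is None or ts - w[0] >= SECONDS:
                w = window[dst] = [ts, 0, False]   # start a new 60 s interval
            w[1] += 1
            if w[1] >= COUNT and not w[2]:
                w[2] = True                         # "both": one alert per interval
                alerts.append((ts, 2102496, dst))
    return alerts


def sample_events():
    """Constructed traffic: placeholder payloads holding only the matched bytes."""
    bind = b"\x00" * 8 + PIPE_BIND + b"\x00" * 29 + IID_TAIL
    req = b"\x05\x00\x00\x03" + FLOOD_MARK + b"\x00" * 8
    ev = [(0, "A", "10.0.0.5", bind), (0, "C", "10.0.0.7", bind)]
    ev += [(t, "A", "10.0.0.5", req) for t in range(1, 26)]   # bind, then 25 requests
    ev += [(t, "B", "10.0.0.6", req) for t in range(1, 31)]   # 30 requests, no bind
    ev += [(t, "C", "10.0.0.7", req) for t in range(1, 6)]    # bind, then 5 requests
    return sorted(ev, key=lambda e: e[0])


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

Flow B never raises the flood alert because its requests arrive without the preceding bind, and flow C stays below the count of 20.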