CVE-2003-0813
Published: 2003-11-17
Priority: P4 · 22 · medium · 5.1 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
EPSS: 14.84% (96.3rd percentile)
A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_nt | — | — |
Detection & IOCs (extracted from sources)
Port: 445
Snort rule (sid:2102491):
```
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"; flow:established,to_server; flowbits:set,dce.isystemactivator.bind.call.attempt; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102491; rev:10;)
```
Snort rule (sid:2102496):
```
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind.call.attempt; content:"|05|"; depth:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2102496; rev:11;)
```
Byte patterns:
- |5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|
- |A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F
- Track the two-stage attack flow: first detect an ISystemActivator DCERPC unicode bind on TCP/445 (sid:2102491, which sets the flowbit dce.isystemactivator.bind.call.attempt), then detect the follow-on ORPCThis request flood (sid:2102496, which requires that flowbit to be set). Both rules must fire in sequence for full coverage.
- The flood-stage rule triggers when 20 or more ORPCThis requests are sent to the same destination within 60 seconds; use threshold-based alerting (type both, track by_dst, count 20, seconds 60) to reduce noise while still catching the DoS condition.
- The ISystemActivator bind packet contains a unicode \PIPE\ path encoded as |5C 00 50 00 49 00 50 00 45 00 5C 00| followed by the DCERPC bind header bytes |05 00 0B| (version 5.0, packet type 0x0B = bind); match this byte sequence within the SMB named-pipe write to TCP/445.
- The ISystemActivator CLSID/IID tail bytes |A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F appear in the bind request and can serve as a secondary content match to reduce false positives.
- The exploit payload for the ORPCThis flood stage contains the ASCII string 'MEOW'; its presence in repeated DCERPC requests to TCP/445 is a strong indicator of active exploitation.
- Both Snort rules are classified as 'Informational' severity and 'Medium' confidence, meaning they may fire on legitimate DCOM traffic; tune the $HOME_NET and $EXTERNAL_NET variables appropriately and validate flowbit state before acting on alerts.
- The vulnerability is only exploitable when the MS03-039 patch is installed but MS04-011 is not; systems fully patched to MS04-011 or later are not affected. Prioritise detection on hosts in that specific patch window.
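The stateful logic the two rules encode (flowbit set by the bind, then a per-destination count of 20 flood requests in 60 seconds, alerting once per window) is easy to misread from the rule syntax alone. The following Python is an added model of that state machine, not a rule or tool from this page: plain substring matching stands in for the rules' exact depth/offset/distance constraints, and the sample segments and addresses are constructed, not real captures.

```python
from collections import defaultdict, deque

# Byte patterns taken from the two GPL rules on this page (sid 2102491 / 2102496).
PIPE_BIND = b"\x5c\x00P\x00I\x00P\x00E\x00\x5c\x00\x05\x00\x0b"  # \PIPE\ then DCERPC v5 bind (0x0B)
ISA_TAIL = b"\xa0\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00F"  # ISystemActivator IID tail
FLOOD_MARKER = b"MEOW"
COUNT, WINDOW = 20, 60  # threshold: type both, track by_dst, count 20, seconds 60


class DcomFloodDetector:
    # Simplified model of the flowbit + threshold state machine (substring matching only).
    def __init__(self):
        self.bind_seen = set()          # flows with dce.isystemactivator.bind.call.attempt set
        self.hits = defaultdict(deque)  # flood-request timestamps, tracked by destination
        self.last_alert = {}            # 'type both': at most one flood alert per WINDOW per dst

    def observe(self, src, dst, dport, ts, payload):
        """Return 'bind', 'flood' or None for one client-to-server segment."""
        if dport != 445:
            return None
        flow = (src, dst)
        if PIPE_BIND in payload and ISA_TAIL in payload:
            self.bind_seen.add(flow)    # stage 1: the bind rule sets the flowbit
            return "bind"
        if flow in self.bind_seen and FLOOD_MARKER in payload:
            q = self.hits[dst]
            q.append(ts)
            while ts - q[0] > WINDOW:   # keep only hits inside the 60 s window
                q.popleft()
            if len(q) >= COUNT and ts - self.last_alert.get(dst, float("-inf")) >= WINDOW:
                self.last_alert[dst] = ts
                return "flood"          # stage 2: 20 ORPCThis requests within 60 s
        return None


# Constructed sample segments (not real captures); only the markers matter to the model.
BIND_SAMPLE = b"\x00\x00\x00\x00\xffSMB%" + b"\x00" * 8 + PIPE_BIND + b"\x00" * 4 + ISA_TAIL
FLOOD_SAMPLE = b"\x05\x00\x00" + b"\x00" * 20 + b"\x05" + FLOOD_MARKER


def run_sample():
    """Replay one bind plus 25 floods from a bound client and 25 floods from a client
    that never bound; return how many alerts of each kind fired."""
    det = DcomFloodDetector()
    victim, bound, unbound = "192.0.2.10", "198.51.100.7", "198.51.100.8"
    events = [(bound, victim, 445, 0.0, BIND_SAMPLE)]
    events += [(bound, victim, 445, 1.0 + i, FLOOD_SAMPLE) for i in range(25)]
    events += [(unbound, victim, 445, 1.0 + i, FLOOD_SAMPLE) for i in range(25)]
    counts = {"bind": 0, "flood": 0}
    for ev in sorted(events, key=lambda e: e[3]):
        verdict = det.observe(*ev)
        if verdict:
            counts[verdict] += 1
    return counts
```

The unbound client's 25 'MEOW' requests never count because the flowbit gate comes first, and the bound client's 21st to 25th requests raise no second alert because 'type both' suppresses repeats inside the same 60 s window.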
Suricata (2010-09-23)
CVE-2003-0813 GPL NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt (sid:2102491, rev:10); the rule body is identical to the Snort rule of the same sid above.
Suricata (2010-09-23)
CVE-2003-0813 GPL NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt (sid:2102496, rev:11); the rule body is identical to the Snort rule of the same sid above, with the added rule metadata:
```
metadata:created_at 2010_09_23, cve CVE_2003_0813, confidence Medium, signature_severity Informational, updated_at 2024_03_14;
```
No public exploits indexed.
No writeups or analysis indexed.
CWE-416: Use After Free (mitre_cwe)
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Integrity. Impact: Modify Memory. The use of previously freed memory may corrupt valid data, if the memory area in question has been allocated and used properly elsewhere.
Scope: Availability. Impact: DoS: Crash, Exit, or Restart. If chunk consolidation occurs after the use of previously freed data, the process may crash.
CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition (mitre_cwe)
The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Modes of Introduction:
Phase: Implementation
Note: This weakness can be security-relevant when an attacker can influence the state of the resource between check and use. This can happen with shared resources such as files, memory, or even variables in multithreaded programs.
Common Consequences:
Scope: Integrity, Other. Impact: Alter Execution Logic, Unexpected State. The attacker can gain access to otherwise unauthorized resources.
Scope: Integrity, Other. Impact: Modify Application Data, Modify Files or Directories, Modify Memory, Other. Rac
References
- http://lists.grok.org.uk/pipermail/full-disclosure/2003-October/011870.html
- http://lists.grok.org.uk/pipermail/full-disclosure/2003-October/011886.html
- http://lists.grok.org.uk/pipermail/full-disclosure/2003-October/011901.html
- http://marc.info/?l=bugtraq&m=106579825211708&w=2
- http://marc.info/?l=bugtraq&m=106588827513795&w=2
- http://marc.info/?l=ntbugtraq&m=106580303918155&w=2
- http://www.kb.cert.org/vuls/id/547820
- http://www.securityfocus.com/bid/8811
- http://www.securitylab.ru/_exploits/rpc2.c.txt
- http://www.us-cert.gov/cas/techalerts/TA04-104A.html
- http://xforce.iss.net/xforce/alerts/id/155
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-012
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A893
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A894
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A900