CVE-2003-0818
published 2004-03-03


Priority: P3 · 56 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 84.01% (99.7th percentile)
Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.

Affected

7 ranges

Vendor | Product | Version range | Fixed in
microsoft | windows_2003_server (6 ranges) | |
microsoft | windows_nt (1 range) | |

Detection & IOCs (extracted from sources)

port: 445
port: 139
cookie (HTTP Authorization header): Authorization: Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM
filename: MSASN1.DLL
process: LSASS.EXE
snort:
alert http1 $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT NTLM ASN.1 vulnerability scan attempt"; flow:established,to_server; http.header; content:"Authorization|3A| Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:attempted-dos; sid:2102386; rev:14; metadata:created_at 2010_09_23, cve CVE_2003_0818, signature_severity Major, updated_at 2024_04_03;)
snort:
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP unicode andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103002; rev:5; metadata:created_at 2010_09_23, cve CVE_2003_0818, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
bytes: \x60\x82\xCC\xCC\x06\x06\x2B\x06\x01\x05\x05\x02\xA0\x82\xCC\xCC\x30\x82\xCC\xCC
bytes: \xA1\x05\x23\x03\x03\x01\x07
bytes: \x60\x06\x06\x2b\x06\x01\x05\x05\x02\xa0
  • Exploit is delivered over SMB (port 139/445) or HTTP via a malformed SPNEGO/ASN.1 NegTokenInit blob in the Session Setup AndX Request. The security blob begins with Application Constructed Object tag 0x60 followed by SPNEGO OID \x06\x06\x2b\x06\x01\x05\x05\x02 and a malformed negTokenInit (0xa0) containing a crafted ASN.1 BIT STRING.
  • The overflow is triggered by a specially crafted ASN.1 reqFlags BIT STRING field (byte sequence 0xa1 0x05 0x23 0x03 0x03 0x01 0x07) inside the SPNEGO mechListMIC/reqFlags of the NTLMSSP SPNEGO token.
  • Snort ASN.1 preprocessor keywords 'double_overflow', 'bitstring_overflow', and 'oversize_length 2048' can be used to detect malformed ASN.1 in SMB Session Setup traffic on port 139.
  • If exploitation succeeds, LSASS.EXE crashes and the system reboots in 60 seconds; the system can no longer process authentication requests (SMB login or console login denied). An unexpected LSASS crash or sudden system reboot should be treated as a high-confidence indicator of exploitation.
  • The Metasploit module uses a 'PROTO' option supporting both 'smb' and 'http' delivery vectors; defenders should monitor both SMB Session Setup traffic and HTTP Authorization headers containing Negotiate tokens for malformed ASN.1.
  • Stage 0 shellcode fixes the PEB FastPebLockRoutine pointer (0x7ffdf020) and cleans the heap; the PEB overwrite target address 0x7ffdf020 can be used as a memory forensics indicator on exploited Windows 2000/XP systems.
  • Only one exploitation attempt is possible per target session. A failed attempt crashes LSASS and forces a reboot; a successful attempt permanently breaks authentication until reboot. Automated/repeated scanning will cause denial of service.
  • The Metasploit module's reverse_tcp payloads were confirmed working; bind payloads had reliability issues. Payload space is limited to 1024 bytes with a stack adjustment of -3500.
  • The module is flagged as too destructive for automated exploitation and autofilter returns false; it targets Windows 2000 SP2-SP4 and Windows XP SP0-SP1 only.
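The detection checks the bullets above describe (oversize BER length fields, lengths that run past the enclosing element, malformed BIT STRING headers), as an added defensive example that is not part of this page, the cited Snort rules or the Metasploit module: `OVERSIZE` mirrors the rule's 2048 threshold, the sample inputs are constructed from the byte patterns quoted above plus one well-formed control, and the `ANOMALY` strings are this example's own names.

```python
OVERSIZE = 2048  # same threshold as the page's Snort rule ('oversize_length 2048')

def read_header(buf, pos, end):
    """Decode one BER tag+length at buf[pos] -> (tag, length, value_start); ValueError names the anomaly."""
    if pos + 2 > end:
        raise ValueError("truncated header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:  # indefinite form, or a length field wider than 32 bits
            raise ValueError(f"unsupported length form 0x{first:02x}")
        if pos + n > end:
            raise ValueError("truncated long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if length > OVERSIZE:
        raise ValueError(f"oversize_length {length}")
    if pos + length > end:  # claims more octets than the enclosing element holds
        raise ValueError(f"length {length} exceeds remaining {end - pos} bytes")
    return tag, length, pos

def walk(buf, pos=0, end=None, depth=0, out=None):
    """Walk the BER tree; return (depth, tag, length) tuples plus 'ANOMALY ...' strings.
    Parsing of an element stops at the first anomaly found inside it."""
    end = len(buf) if end is None else end
    out = [] if out is None else out
    while pos < end:
        try:
            tag, length, val = read_header(buf, pos, end)
        except ValueError as e:
            out.append(f"ANOMALY at {pos}: {e}")
            return out
        out.append((depth, tag, length))
        if tag & 0x20:  # constructed: descend into the value octets
            walk(buf, val, val + length, depth + 1, out)
        elif tag == 0x03:  # primitive BIT STRING: first content octet counts unused trailing bits
            unused = buf[val] if length else None
            # X.690: unused bits must be 0..7, and 0 when there are no data octets at all
            if unused is None or unused > 7 or (length == 1 and unused != 0):
                out.append(f"ANOMALY at {pos}: malformed BIT STRING header")
        pos = val + length
    return out

# Inputs constructed from the byte patterns quoted on this page, plus one well-formed control
SAMPLES = {
    "oversize_length": bytes.fromhex("6082cccc06062b0601050502a082cccc3082cccc"),
    "bitstring": bytes.fromhex("a1052303030107"),
    "benign": bytes.fromhex("a10403020640"),  # [1] { BIT STRING: 6 unused bits, data 0x40 }
}
```

Running `walk` over each entry of `SAMPLES` flags the first pattern at offset 0 for its 0xCCCC length and the second at the inner BIT STRING, while the control parses cleanly.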