CVE-2003-0818
Published 2004-03-03
CVE-2003-0818: Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows…
Priority P3 · 56 · high · CVSS 2.0 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit code available
EPSS: 84.01% (99.7th percentile)
Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_nt | — | — |
Detection & IOCs (extracted from sources)
HTTP header used by the scan probe: Authorization: Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM
Snort rule (sid 2102386, HTTP Negotiate header):
alert http1 $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT NTLM ASN.1 vulnerability scan attempt"; flow:established,to_server; http.header; content:"Authorization|3A| Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:attempted-dos; sid:2102386; rev:14; metadata:created_at 2010_09_23, cve CVE_2003_0818, signature_severity Major, updated_at 2024_04_03;)
Snort rule (sid 2103002, SMB Session Setup AndX on TCP 139, asn1 preprocessor):
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP unicode andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103002; rev:5; metadata:created_at 2010_09_23, cve CVE_2003_0818, confidence Medium, signature_severity Informational, updated_at 2019_07_26;)
Byte pattern (GSS-API token header: 0x60 InitialContextToken, SPNEGO OID, negTokenInit 0xA0 and SEQUENCE 0x30, each with a two-octet long-form length):
\x60\x82\xCC\xCC\x06\x06\x2B\x06\x01\x05\x05\x02\xA0\x82\xCC\xCC\x30\x82\xCC\xCC
Byte pattern (reqFlags [1] carrying a constructed BIT STRING that wraps a primitive BIT STRING):
\xA1\x05\x23\x03\x03\x01\x07
Byte pattern (token prefix: 0x60, SPNEGO OID, start of negTokenInit):
\x60\x06\x06\x2b\x06\x01\x05\x05\x02\xa0
- Delivery: the malformed SPNEGO NegTokenInit is carried either in the security blob of an SMB Session Setup AndX request (TCP 139/445) or, over HTTP, in an Authorization: Negotiate header. The blob begins with the GSS-API InitialContextToken tag 0x60 ([APPLICATION 0], constructed), followed by the SPNEGO OID \x06\x06\x2b\x06\x01\x05\x05\x02 and a negTokenInit ([0], tag 0xa0) whose contents include a crafted ASN.1 BIT STRING.
- Trigger: the reqFlags element of the NegTokenInit ([1], tag 0xa1, length 5) wraps a constructed BIT STRING (tag 0x23, length 3) that itself contains a primitive BIT STRING (\x03\x01\x07), giving the byte sequence \xa1\x05\x23\x03\x03\x01\x07. DER requires BIT STRING values to be primitive, so a constructed BIT STRING inside a SPNEGO token is malformed by definition and is the pattern the bitstring decoder mishandles.
- The Snort asn1 preprocessor keywords double_overflow, bitstring_overflow and oversize_length 2048, anchored at the security blob offset (relative_offset 27 or 54 depending on the Session Setup layout), detect both the oversized-length and the constructed-bitstring variants in SMB Session Setup traffic on ports 139 and 445.
- Outcome on the target: a failed payload crashes LSASS.EXE and the system reboots after 60 seconds; a successful payload leaves LSASS unable to process authentication requests, so SMB and console logons are denied until the host is rebooted. An unexpected LSASS crash or unscheduled reboot on an unpatched host should be treated as a high-confidence indicator of an exploitation attempt.
- The Metasploit module's PROTO option selects the smb or http delivery vector; defenders should therefore monitor both SMB Session Setup traffic and HTTP Authorization headers carrying Negotiate tokens for malformed ASN.1.
- The module's stage 0 shellcode repairs the PEB FastPebLockRoutine pointer at 0x7ffdf020 (PEB base 0x7ffdf000, offset 0x20) that the heap overwrite clobbers, and cleans up the heap; this PEB address is the overwrite target and can serve as a memory-forensics indicator on exploited Windows 2000/XP systems.
- Only one exploitation attempt is possible per target: a failed attempt crashes LSASS and forces a reboot, and a successful one breaks authentication until reboot. Automated or repeated scanning with the exploit therefore causes denial of service.
- The module's reverse_tcp payloads were confirmed working; bind payloads had reliability issues. Payload space is limited to 1024 bytes with a stack adjustment of -3500.
- The module is flagged as too destructive for automated exploitation (autofilter returns false) and targets Windows 2000 SP2 to SP4 and Windows XP SP0 to SP1 only.
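As an added example (not code from the page's sources, from Snort or from Metasploit), the C program below walks a GSS-API/SPNEGO blob as BER TLVs and flags the two malformations the CVE describes: a length field that makes offset + length wrap a 32-bit counter (and, more generally, any length exceeding the bytes present), and a constructed BIT STRING where DER requires a primitive one. It also flags the non-minimal long-form lengths used by the Negotiate scan token. The sample tokens are hand-assembled for this example; the only bytes taken from the page are the SPNEGO and NTLMSSP OIDs, the reqFlags sequence \xa1\x05\x23\x03\x03\x01\x07, and the OID element of the decoded Negotiate scan token.

```c
/* Added example: bounds-checked BER TLV walker that flags the MS04-007 malformations
 * in a SPNEGO blob. Not code from MSASN1.DLL, Snort or Metasploit.
 * Build and run: cc -std=c99 -Wall -o ber_check ber_check.c && ./ber_check */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum {
    F_OVERSIZE_LEN       = 1,  /* length field larger than the bytes actually present */
    F_LEN_WRAP           = 2,  /* offset + length wraps a 32-bit counter (variant 1 of the CVE) */
    F_CONSTRUCTED_BITSTR = 4,  /* constructed BIT STRING, tag 0x23 (variant 2 / killbill pattern) */
    F_NONMIN_LEN         = 8,  /* long-form length for a value that fits in fewer octets */
    F_MALFORMED          = 16  /* truncated header, indefinite length, >4 length octets, deep nesting */
};

/* Read a BER length at buf[*pos] and advance *pos. Returns 0 if the header is unusable. */
static int ber_read_length(const uint8_t *buf, size_t end, size_t *pos,
                           uint32_t *len, unsigned *flags)
{
    if (*pos >= end) return 0;
    uint8_t b = buf[(*pos)++];
    if (b < 0x80) { *len = b; return 1; }              /* short form */
    unsigned n = b & 0x7f;
    if (n == 0 || n > 4 || *pos + n > end) return 0;   /* indefinite, wider than 32 bits, or truncated */
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++) v = (v << 8) | buf[(*pos)++];
    /* BER tolerates leading zero octets and long form for values below 0x80; DER does not.
       The scan token above (60 84 00 00 00 62 ...) uses exactly this encoding. */
    if (v < 0x80 || (v >> (8 * (n - 1))) == 0) *flags |= F_NONMIN_LEN;
    *len = v;
    return 1;
}

/* Walk buf[pos..end) recursively and return the OR of the F_* findings. */
static unsigned ber_walk(const uint8_t *buf, size_t pos, size_t end, int depth)
{
    unsigned flags = 0;
    if (depth > 16) return F_MALFORMED;
    while (pos < end) {
        uint8_t tag = buf[pos++];
        int constructed = (tag & 0x20) != 0;
        int universal = (tag & 0xc0) == 0;
        unsigned num = tag & 0x1f;
        uint32_t len;
        if (num == 0x1f) return flags | F_MALFORMED;   /* high-tag-number form: not used by SPNEGO */
        if (!ber_read_length(buf, end, &pos, &len, &flags)) return flags | F_MALFORMED;

        /* The bug class: an "end of element" computed as offset + length in 32 bits wraps
           for a huge length, so a check of the form end <= buffer_end passes and the
           copy runs past the heap allocation. Computed here only to report it. */
        uint32_t naive_end = (uint32_t)pos + len;
        if (naive_end < (uint32_t)pos) flags |= F_LEN_WRAP;

        /* The hardened check: compare the length against what is actually left,
           with no addition that can overflow. */
        if (len > end - pos) return flags | F_OVERSIZE_LEN;

        if (universal && num == 0x03 && constructed) flags |= F_CONSTRUCTED_BITSTR;
        if (constructed) flags |= ber_walk(buf, pos, pos + len, depth + 1);
        pos += len;
    }
    return flags;
}

unsigned analyze_token(const uint8_t *buf, size_t n) { return ber_walk(buf, 0, n, 0); }

/* Hand-assembled samples for this example. */
/* Well-formed DER NegTokenInit offering only the NTLMSSP mechanism OID 1.3.6.1.4.1.311.2.2.10. */
static const uint8_t sample_benign[] = {
    0x60,0x1c, 0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02,
    0xa0,0x12, 0x30,0x10, 0xa0,0x0e, 0x30,0x0c,
    0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a };
/* Same header, but reqFlags [1] carries the constructed BIT STRING from the IOC list above. */
static const uint8_t sample_killbill[] = {
    0x60,0x13, 0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02,
    0xa0,0x09, 0x30,0x07, 0xa1,0x05, 0x23,0x03, 0x03,0x01,0x07 };
/* Outer token with a four-octet length of 0xffffffff: wraps a 32-bit end pointer. */
static const uint8_t sample_huge_len[] = {
    0x60,0x84,0xff,0xff,0xff,0xff, 0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02 };
/* The SPNEGO OID element of the scan token above (base64 YIQAAABiBoMAAAYr... decoded):
   three length octets encoding the value 6. */
static const uint8_t sample_nonminimal_oid[] = {
    0x06,0x83,0x00,0x00,0x06, 0x2b,0x06,0x01,0x05,0x05,0x02 };

static void report(const char *name, unsigned f)
{
    printf("%-18s flags=0x%02x%s%s%s%s%s\n", name, f,
           f & F_OVERSIZE_LEN ? " oversize_length" : "",
           f & F_LEN_WRAP ? " length_wrap" : "",
           f & F_CONSTRUCTED_BITSTR ? " constructed_bitstring" : "",
           f & F_NONMIN_LEN ? " nonminimal_length" : "",
           f & F_MALFORMED ? " malformed" : "");
}

int main(void)
{
    report("benign", analyze_token(sample_benign, sizeof sample_benign));
    report("killbill_reqFlags", analyze_token(sample_killbill, sizeof sample_killbill));
    report("huge_length", analyze_token(sample_huge_len, sizeof sample_huge_len));
    report("scan_token_oid", analyze_token(sample_nonminimal_oid, sizeof sample_nonminimal_oid));
    return 0;
}
```

The order of the checks is the point: the length is compared against end - pos before any offset + length sum is formed, so no addition can wrap; naive_end is computed only to show which inputs would have slipped past a check written the other way round. The constructed-BIT-STRING flag corresponds to what the Snort asn1 keyword bitstring_overflow looks for, and the oversize and wrap flags to oversize_length and double_overflow.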
GHSA-7wp6-vjqc-vxjv (ghsa_unreviewed · 2022-05-01 · CVSS 7.5 · HIGH) for CVE-2005-1935: Heap-based buffer overflow in the BERDecBitString function in Microsoft ASN.1 library
Heap-based buffer overflow in the BERDecBitString function in Microsoft ASN.1 library (MSASN1.DLL) allows remote attackers to execute arbitrary code via nested constructed bit strings, which leads to a realloc of a non-null pointer and causes the function to overwrite previously freed memory, as demonstrated using a SPNEGO token with a constructed bit string during HTTP authentication, and a different vulnerability than CVE-2003-0818. NOTE: the researcher has claimed that MS:MS04-007 fixes this issue.
GHSA-whjg-p56q-xrf9 (ghsa_unreviewed · 2022-04-29 · HIGH) for CVE-2003-0818: Multiple integer overflows in Microsoft ASN.1 library
Description: identical to the CVE-2003-0818 text above.
Suricata · 2010-09-23 · CVE-2003-0818
GPL EXPLOIT NTLM ASN.1 vulnerability scan attempt (sid 2102386)
Rule: identical to the Snort rule with sid 2102386 quoted under Detection & IOCs above.
Suricata · 2010-09-23 · CVE-2003-0818
GPL NETBIOS SMB Session Setup NTMLSSP unicode andx asn1 overflow attempt (sid 2103002)
Rule: identical to the Snort rule with sid 2103002 quoted under Detection & IOCs above.
Suricata · 2010-09-23 · CVE-2003-0818
GPL NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt (sid 2102385)
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:established,to_server; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2102385; rev:13; metadata:created_at 2010_09_23, cve CVE_2003_0818, confidence Medium, signature_severity Informational, updated_at 2024_03_08;)
Suricata · 2010-09-23 · CVE-2003-0818
GPL NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt (sid 2102383)
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_test:4,&,2147483648,48,relative,little; content:!"NTLMSSP"; within:7; distance:54; asn1:double_overflow, bitstring_overflow, relative_offset 54, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2102383; rev:21; metadata:created_at 2010_09_23, cve CVE_2003_0818, confidence Medi
Suricata · 2010-09-23 · CVE-2003-0818
GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt (sid 2103003)
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_test:4,&,2147483648,48,relative,little; content:!"NTLMSSP"; within:7; distance:54; asn1:double_overflow, bitstring_overflow, relative_offset 54, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103003; rev:7; metadata:created_at 2010_09_23, cve CVE_2003_0818, c
Suricata · 2010-09-23 · CVE-2003-0818
GPL NETBIOS SMB NTLMSSP invalid mechlistMIC attempt (sid 2102384)
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:established,to_server; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2102384; rev:12; metadata:created_at 2010_09_23, cve CVE_2003_0818, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
Suricata · 2010-09-23 · CVE-2003-0818
GPL NETBIOS SMB Session Setup NTMLSSP andx asn1 overflow attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; class
Exploit-DB · 2010-07-25 · CVE-2003-0818
Microsoft Windows - ASN.1 Library Bitstring Heap Overflow (MS04-007) (Metasploit)
---
##
# $Id: ms04_007_killbill.rb 9929 2010-07-25 21:37:54Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'        => 'Microsoft ASN.1 Library Bitstring Heap Overflow',
			'Description' => %q{
				This is an exploit for a previously undisclosed
				vulnerability in the bit string decoding code in the
				Microsoft ASN.1 library. This vulnerability is not related
				to the bit string vulnerability described in eEye advisory
				AD20040210-2. Both vulnerabilities were fixed in the
				MS04
Exploit-DB · 2004-03-26 · CVSS 7.5 · CVE-2003-0818 [HIGH]
Microsoft Windows - ASN.1 Remote (MS04-007)
---
# Microsoft ASN.1 remote exploit for CVE-2005-1935 // MS04-007
# Solar Eclipse
# solareclipse at phreedom dot org
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/3022.tar.gz (12262006-killbill.tar.gz)
# milw0rm.com [2004-03-26]
Exploit-DB · 2004-02-14 · CVE-2003-0818
Microsoft Windows - ASN.1 'LSASS.exe' Remote Denial of Service (MS04-007)
---
/*
* MS04-007 Exploit LSASS.EXE Win2k Pro Remote Denial-of-Service
*
* Copyright (C) 2004 Christophe Devine
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the F
Metasploit module
MS04-007 Microsoft ASN.1 Library Bitstring Heap Overflow
This is an exploit for a previously undisclosed vulnerability in the bit string decoding code in the Microsoft ASN.1 library. This vulnerability is not related to the bit string vulnerability described in eEye advisory AD20040210-2. Both vulnerabilities were fixed in the MS04-007 patch. Windows 2000 SP4 Rollup 1 also patches this vulnerability. You are only allowed one attempt with this vulnerability. If the payload fails to execute, the LSASS system service will crash and the target system will automatically reboot itself in 60 seconds. If the payload succeeds, the system will no longer be able to process authentication requests, denying all attempts to login through SMB or at the console. A reboot is required to restore proper fun
Tenable blog · 2016-05-18
Verizon 2016 DBIR – Most Interesting Things, by Andrew Freeborn, May 18, 2016
The Verizon Data Breach Investigation Report (DBIR), first published in 2008, is an annual publication that analyzes information security incidents from public and private organizations, with a focus on data breaches. Data breaches continue to have a major financial impact on organizations, as well as an impact on their reputations. Tenable Network Security offers dashboards and Assurance Report Cards (ARCs) that organizations can use to check themselves against the common threats described in the Verizon DBIR. As in previous years, the 2016 DBIR notes that a vast majority of all attacks fall into a few basic patterns. Throughout this and past years’ reports, suggestions are given for monitoring the network for each of these patterns. This dashboard can ass
Tenable blog · 2016-05-18
Verizon 2016 DBIR – Most Common Vulnerabilities, by Andrew Freeborn, May 18, 2016
The Verizon Data Breach Investigation Report (DBIR), first published in 2008, is an annual publication that analyzes information security incidents from public and private organizations, with a focus on data breaches. Data breaches continue to have a major financial impact on organizations, as well as an impact on their reputations. Tenable Network Security offers dashboards and Assurance Report Cards (ARCs) that can assist organizations in meeting many of the recommendations and best practices in the DBIR. As in previous years, the 2016 DBIR notes that a vast majority of all attacks fall into a few basic patterns. Throughout this and past years’ reports, suggestions are given for monitoring the network for each of these patterns. This ARC can assist an org
References
http://marc.info/?l=bugtraq&m=107643836125615&w=2
http://marc.info/?l=bugtraq&m=107643892224825&w=2
http://marc.info/?l=ntbugtraq&m=107650972617367&w=2
http://marc.info/?l=ntbugtraq&m=107650972723080&w=2
http://www.kb.cert.org/vuls/id/216324
http://www.kb.cert.org/vuls/id/583108
http://www.us-cert.gov/cas/techalerts/TA04-041A.html
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-007
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A653
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A796
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A797
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A799
Published 2004-03-03