CVE-2004-0120
Published: 2004-06-01
Priority: P4 31
CVSS 2.0: 5 (medium) · vector AV:N/AC:L/Au:N/C:N/I:N/A:P
Exploit: yes
EPSS: 55.58% (98.9th percentile)
The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
Detection & IOCs (extracted from sources)

Bytes: `16 03 00 03 B8 01 00 03 B4 00 03 B1 00 03 AE`
Bytes: `00 39 00 38 00 35 00 16 00 13 00 0A 00 33 00 32 00 2F 00 66 00 05 00 04 00 63 00 62 00 61 00 15 00 12 00 09 00 65 00 64 00 60 00 14 00 11 00 08 00 06 00 03`
- The exploit sends a malformed SSL/TLS handshake to the target. Detection should look for a TCP connection on the SSL port followed by a ClientHello and then a large (~1308-byte) malformed handshake record starting with bytes 0x16 0x03 0x00 0x03 0xB8, which is an oversized TLS Handshake record (content type 0x16, version 0x03 0x00, length 0x03B8).
- The exploit targets Microsoft IIS 5.0 with SSL enabled. The attack is a two-stage sequence: first a valid SSL/TLS ClientHello is sent, then a malformed 'bomb' payload is written to the same connection. Network detection should alert on the specific malformed record following a completed ClientHello exchange.
- The exploit supports both SSL (version bytes 0x03 0x00) and TLS (version bytes 0x03 0x01) modes. In TLS mode, bin_data[2] is patched to 0x01. Detection rules should cover both SSL 3.0 (0x03 0x00) and TLS 1.0 (0x03 0x01) variants of the malformed record.
- The exploit targets IIS 5.0 with SSL specifically; the CVE also affects Windows 2000, Windows XP, and Windows Server 2003 SSL libraries more broadly, so the attack surface is not limited to IIS.
- The target port is user-supplied at runtime and is not hardcoded to 443; detection rules should not be limited to port 443 alone but should cover any port where SSL/TLS is served.
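A header-level check for the record pattern described in the notes above, added here as an example that is not part of the CVE record or of any vendor tooling. It parses the 5-byte TLS record header and the 4-byte handshake header and labels a record as suspect when it is a ClientHello record of length 0x03B8 in either the SSL 3.0 or the TLS 1.0 variant; the sample inputs are constructed from the 15 header bytes quoted on this page plus a benign ClientHello header for comparison.

```python
import struct

HANDSHAKE = 0x16                     # TLS record content type: Handshake
CLIENT_HELLO = 0x01                  # handshake message type: ClientHello
SUSPECT_RECORD_LEN = 0x03B8          # record length quoted in the detection notes
KNOWN_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0"}

# Constructed sample: the 15 header bytes quoted on this page (record + handshake header)
SAMPLE_SSL = bytes.fromhex("16 03 00 03 B8 01 00 03 B4 00 03 B1 00 03 AE")
# TLS-mode variant: byte 2 patched from 0x00 to 0x01, as the notes describe
_tls = bytearray(SAMPLE_SSL)
_tls[2] = 0x01
SAMPLE_TLS = bytes(_tls)
# Constructed benign ClientHello header: TLS 1.0, 81-byte record carrying a 77-byte body
SAMPLE_BENIGN = bytes.fromhex("16 03 01 00 51 01 00 00 4D 03 01")


def parse_record(data):
    """Return (content_type, (major, minor), record_len, hs_type, hs_len), or None if too short."""
    if len(data) < 9:
        return None
    content_type, major, minor, record_len = struct.unpack("!BBBH", data[:5])
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")   # 24-bit handshake body length
    return content_type, (major, minor), record_len, hs_type, hs_len


def classify(data):
    """Label a record: 'suspect:<version>' when it matches the malformed pattern above."""
    parsed = parse_record(data)
    if parsed is None:
        return "short"
    content_type, version, record_len, hs_type, hs_len = parsed
    if content_type != HANDSHAKE or version not in KNOWN_VERSIONS:
        return "not-handshake"
    if record_len == SUSPECT_RECORD_LEN and hs_type == CLIENT_HELLO:
        return f"suspect:{KNOWN_VERSIONS[version]}"
    # Sanity check for other records: body length plus 4-byte handshake header must fill the record
    if hs_len + 4 != record_len:
        return "handshake-length-mismatch"
    return "handshake-ok"
```

The check is deliberately header-only, so it can run on the first bytes of a connection after a ClientHello has been seen; the port should come from the sensor configuration rather than being fixed to 443, as the last note points out.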
No detection rules found.
No writeups or analysis indexed.
References:

- http://www.ciac.org/ciac/bulletins/o-114.shtml
- http://www.kb.cert.org/vuls/id/150236
- http://www.securityfocus.com/bid/10115
- http://www.us-cert.gov/cas/techalerts/TA04-104A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-011
- https://exchange.xforce.ibmcloud.com/vulnerabilities/15712
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A885
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A886
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A892