CVE-2004-0120
published 2004-06-01


Priority: P431
CVSS 2.0: 5 (medium), vector AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 55.58% (98.9th percentile)

The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages.

Affected

1 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | | |

Detection & IOCs (extracted from sources)

bytes: 16 03 00 03 B8 01 00 03 B4 00 03 B1 00 03 AE
bytes: 00 39 00 38 00 35 00 16 00 13 00 0A 00 33 00 32 00 2F 00 66 00 05 00 04 00 63 00 62 00 61 00 15 00 12 00 09 00 65 00 64 00 60 00 14 00 11 00 08 00 06 00 03
  • The exploit sends a malformed SSL/TLS handshake to the target. Detection should look for a TCP connection on the SSL port followed by a ClientHello and then a large (~1308-byte) malformed handshake record starting with bytes 0x16 0x03 0x00 0x03 0xB8, which is an oversized TLS Handshake record (content type 0x16, version 0x03 0x00, length 0x03B8).
  • The exploit targets Microsoft IIS 5.0 with SSL enabled. The attack is a two-stage sequence: first a valid SSL/TLS ClientHello is sent, then a malformed 'bomb' payload is written to the same connection. Network detection should alert on the specific malformed record following a completed ClientHello exchange.
  • The exploit supports both SSL (version bytes 0x03 0x00) and TLS (version bytes 0x03 0x01) modes. In TLS mode, bin_data[2] is patched to 0x01. Detection rules should cover both SSL 3.0 (0x03 0x00) and TLS 1.0 (0x03 0x01) variants of the malformed record.
  • The exploit targets IIS 5.0 with SSL specifically; the CVE also affects Windows 2000, Windows XP, and Windows Server 2003 SSL libraries more broadly, so the attack surface is not limited to IIS.
  • The target port is user-supplied at runtime and is not hardcoded to 443; detection rules should not be limited to port 443 alone but should cover any port where SSL/TLS is served.
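
The detection notes above, as an added example (not code from the source or from any vendor): a port-independent check over a reassembled client-to-server byte stream that walks the SSL/TLS record headers and alerts when a handshake record of length 0x03B8 follows a ClientHello, in either the 0x03 0x00 or 0x03 0x01 variant. The function names and the zero-padded test stream are assumptions constructed for this example; only the byte values in PAGE_PREFIX come from this page.

```python
import struct

# Values quoted on this page; everything else here is an assumption of the example.
PAGE_PREFIX = bytes.fromhex("16030003B8010003B40003B10003AE")
BOMB_LEN = 0x03B8
VARIANTS = {0: "SSL 3.0", 1: "TLS 1.0"}  # minor version byte -> variant

def iter_records(stream):
    """Walk SSL/TLS records; yield (offset, type, minor, declared_len, body)."""
    off = 0
    while off + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, off)
        if not 0x14 <= ctype <= 0x17 or major != 3:
            return  # not a record header: stop rather than guess
        yield off, ctype, minor, length, stream[off + 5:off + 5 + length]
        off += 5 + length

def scan_client_stream(stream):
    """Alert on a 0x03B8-length handshake record that follows a ClientHello."""
    alerts, seen_hello = [], False
    for off, ctype, minor, length, body in iter_records(stream):
        if ctype != 0x16 or minor not in VARIANTS:
            continue
        if seen_hello and length == BOMB_LEN:
            alerts.append({
                "offset": off,
                "variant": VARIANTS[minor],
                # Stronger match: bytes after the header equal the page's prefix.
                "prefix_match": body[:10] == PAGE_PREFIX[5:],
                "truncated": len(body) < length,  # capture ended mid-record
            })
        elif body[:1] == b"\x01":  # handshake type 1 = ClientHello
            seen_hello = True
    return alerts

def record(minor, body):
    """Wrap a body in a handshake record header (constructed test data)."""
    return b"\x16\x03" + bytes([minor]) + struct.pack("!H", len(body)) + body

def constructed_stream(minor, second_len=BOMB_LEN):
    """Constructed input: a small ClientHello, then a zero-padded second record."""
    hello_body = (b"\x03" + bytes([minor]) + bytes(32) + b"\x00"
                  + b"\x00\x02\x00\x2f" + b"\x01\x00")
    hello = b"\x01" + len(hello_body).to_bytes(3, "big") + hello_body
    return record(minor, hello) + record(minor, PAGE_PREFIX[5:].ljust(second_len, b"\x00"))

if __name__ == "__main__":
    for m in (0, 1):
        print(scan_client_stream(constructed_stream(m)))
```

Matching on the record length alone can fire on an unrelated 952-byte handshake record, so treat `prefix_match` as the higher-confidence signal when tuning alerts.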