CVE-2004-0206
published 2004-11-03


Priority: P2 · 63 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 77.00% (99.5th percentile)
Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow.

Affected (2 ranges)

Vendor     Product              Version range   Fixed in
microsoft  windows_2003_server  (none listed)   (none listed)
microsoft  windows_nt           (none listed)   (none listed)

Note that the description names Windows 98, NT 4.0, 2000, XP and Server 2003, but only two product ranges are recorded here and neither carries a version bound or a fixed-in version; do not treat this table as a complete list of affected platforms.

Detection & IOCs (extracted from sources)

port: 445
port: 139
path: \PIPE\nddeapi
other: 2f5f3220-c126-1076-b549-074d078619da v1.2 (NDDEAPI DCE/RPC interface UUID)
command: DCE/RPC opcode 0x0C (NDdeSetTrustedShareW)
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; flowbits:set,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102935; rev:8;)
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; flowbits:set,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102963; rev:6;)
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102948; rev:7;)
bytes
NDDEAPI DCE/RPC bind UUID: 2f5f3220-c126-1076-b549-074d078619da (content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|")
  • The exploit requires an SMB session before it can open the NDDEAPI named pipe; detect SMB sessions that go on to open \PIPE\nddeapi (SMB tree connect to IPC$, then pipe open).
  • Monitor for DCE/RPC bind requests to UUID 2f5f3220-c126-1076-b549-074d078619da (version 1.2) over the ncacn_np transport on the nddeapi pipe.
  • Alert on DCE/RPC request PDUs on the nddeapi pipe with opnum 0x0C (NDdeSetTrustedShareW) whose stub data, starting 12 bytes in, contains at least 256 consecutive bytes with no NUL; this is exactly what sid:2102948 tests (isdataat:256 followed by a negated |00| match), and a legitimate UTF-16 share name would contain NULs in every other byte.
  • Use flowbits to track the SMB tree connect to nddeapi and then flag the subsequent DCE/RPC bind and function call on that same session, rather than alerting on the opnum alone.
  • The public exploit targets only Windows 2000 SP4 and Windows XP SP0; a NetDDE service running on one of those versions is a prerequisite for exploitation, not an indicator of compromise on its own.
  • The Metasploit module has a return address target only for Windows 2000 SP4 (ret: 0x77e56f43); the other versions listed in the PoC (XP SP0/SP1, 2000 SP2/SP3) would need different return addresses.
  • The two Snort rules for the bind attempt (sid:2102935 and sid:2102963) use classtype protocol-command-decode, an informational classification: they detect the setup for an attack rather than confirmed exploitation. The overflow attempt rule (sid:2102948) is classified attempted-admin.
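The checks above, as an added example that is not part of this page, of the Snort rules or of the Metasploit module: a small Python script that builds DCE/RPC bind and request PDUs of the shapes the rules look for (constructed here, not captured from an exploit), derives the Snort content: string for the NDDEAPI UUID from its little-endian wire encoding, and applies the bind check and the 256-non-NUL-bytes check with the same session state the flowbits keep. The NDR prefix words in the sample stubs and the fragment sizes in the bind are assumptions; the header layout and field offsets follow the DCE/RPC connection-oriented PDU format.

```python
"""Constructed example of the NDDEAPI bind and NDdeSetTrustedShareW overflow
checks. Sample PDUs are built inline; nothing here is a capture."""
import struct
import uuid

NDDEAPI_UUID = uuid.UUID("2f5f3220-c126-1076-b549-074d078619da")
NDDEAPI_VERSION = (1, 2)                                      # v1.2 as seen in the bind
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax v2.0
OPNUM_NDDE_SET_TRUSTED_SHARE_W = 0x0C
PTYPE_REQUEST, PTYPE_BIND = 0x00, 0x0B
# vers, vers_minor, ptype, pfc_flags, packed_drep, frag_len, auth_len, call_id
HDR = struct.Struct("<BBBB4sHHI")


def snort_content_for_uuid(u):
    """Render a UUID as it sits in a bind PDU (little-endian fields) in Snort
    content: syntax: printable bytes literal, everything else as |hex| runs."""
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append("|" + " ".join(hexrun) + "|")
            hexrun.clear()

    for b in u.bytes_le:
        if 0x20 <= b < 0x7F and chr(b) not in '|"\\;':
            flush()
            out.append(chr(b))
        else:
            hexrun.append(f"{b:02X}")
    flush()
    return "".join(out)


def _pdu(ptype, body, call_id=1):
    """Prepend a 16-byte DCE/RPC v5 header: first+last fragment, LE data rep."""
    return HDR.pack(5, 0, ptype, 0x03, b"\x10\x00\x00\x00", HDR.size + len(body), 0, call_id) + body


def build_bind(abstract_uuid, version, call_id=1):
    """Bind with one presentation context: abstract syntax + NDR transfer syntax."""
    ctx = struct.pack("<HBB", 0, 1, 0)                       # p_cont_id, n_transfer_syn, reserved
    ctx += abstract_uuid.bytes_le + struct.pack("<HH", *version)
    ctx += NDR_UUID.bytes_le + struct.pack("<HH", 2, 0)
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0)     # max xmit/recv frag (assumed), assoc group, n_ctx
    return _pdu(PTYPE_BIND, body + ctx, call_id)


def build_request(opnum, stub, call_id=2):
    """Request PDU: alloc_hint, p_cont_id, opnum, then the NDR stub data at offset 24."""
    return _pdu(PTYPE_REQUEST, struct.pack("<IHH", len(stub), 0, opnum) + stub, call_id)


def inspect_pdu(pdu):
    """Findings for one PDU: a bind naming the NDDEAPI interface, or an
    NDdeSetTrustedShareW request whose stub has 256+ NUL-free bytes 12 bytes in."""
    vers, _, ptype, _, drep, frag_len, _, _ = HDR.unpack_from(pdu)
    if vers != 5 or frag_len != len(pdu) or not drep[0] & 0x10:
        return ["not a little-endian DCE/RPC v5 PDU"]
    findings = []
    if ptype == PTYPE_BIND:
        off = 28                                              # first context element
        for _ in range(pdu[24]):                              # n_context_elem
            cont_id, n_ts, _ = struct.unpack_from("<HBB", pdu, off)
            u = uuid.UUID(bytes_le=pdu[off + 4:off + 20])
            major, minor = struct.unpack_from("<HH", pdu, off + 20)
            if u == NDDEAPI_UUID:
                findings.append(f"bind to NDDEAPI v{major}.{minor} (context {cont_id})")
            off += 24 + 20 * n_ts
    elif ptype == PTYPE_REQUEST:
        opnum = struct.unpack_from("<H", pdu, 22)[0]
        if opnum == OPNUM_NDDE_SET_TRUSTED_SHARE_W:
            window = pdu[24:][12:12 + 256]                    # same window as sid:2102948
            if len(window) == 256 and b"\x00" not in window:
                findings.append("NDdeSetTrustedShareW request with 256+ non-NUL bytes: overflow attempt")
            else:
                findings.append("NDdeSetTrustedShareW request (no overflow pattern)")
    return findings


def scan_session(pdus):
    """Walk one SMB session's PDUs keeping the state the flowbits keep: the
    overflow shape only becomes an alert once a bind to NDDEAPI has been seen."""
    bound, alerts = False, []
    for pdu in pdus:
        for f in inspect_pdu(pdu):
            if f.startswith("bind to NDDEAPI"):
                bound = True
                alerts.append(("protocol-command-decode", f))
            elif "overflow attempt" in f and bound:
                alerts.append(("attempted-admin", f))
    return alerts


# Constructed samples: the 12 NDR prefix words are assumed, not taken from the real IDL.
NDR_PREFIX = struct.pack("<III", 0x20000, 0x100, 0)
BIND = build_bind(NDDEAPI_UUID, NDDEAPI_VERSION)
BENIGN_REQ = build_request(OPNUM_NDDE_SET_TRUSTED_SHARE_W, NDR_PREFIX + "SHARE".encode("utf-16-le"))
OVERFLOW_REQ = build_request(OPNUM_NDDE_SET_TRUSTED_SHARE_W, NDR_PREFIX + b"A" * 300)

if __name__ == "__main__":
    print(snort_content_for_uuid(NDDEAPI_UUID))
    for classtype, msg in scan_session([BIND, BENIGN_REQ, OVERFLOW_REQ]):
        print(classtype, "-", msg)
```

The UUID rendering reproduces the content match in the rules above byte for byte, which is a quick way to confirm a rule's UUID blob really is the interface you think it is. The session walk shows why the bind rules matter even though they are informational: without the bind state, a lone request PDU carrying opnum 0x0C is not attributed to NDDEAPI at all.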

CVSS provenance

Source            Version   Score   Severity   Vector
NVD               2.0       7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor (Red Hat)            10.0    CRITICAL   (no vector given)