CVE-2004-0210
published 2004-08-06


Priority: P2 (72, high)
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Flags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability (due 2022-03-24)
Exploited in the wild
EPSS: 7.61% (93.8th percentile)
The POSIX component of Microsoft Windows NT and Windows 2000 allows local users to execute arbitrary code via certain parameters, possibly by modifying message length values and causing a buffer overflow.

Affected (2 ranges)

Vendor      Product      Version range   Fixed in
microsoft   interix      (not given)     (not given)
microsoft   windows_nt   (not given)     (not given)

Detection & IOCs (extracted from sources)

command: posix.exe /P <systemdir>\system32\pax.exe /C pax -h
process: posix.exe
process: pax.exe
bytes (stack-pivot stub: xor eax,eax; mov ax,0x1C0; inc eax; sub esp,eax; jmp esp, i.e. esp -= 0x1C1 then jmp esp):
  \x33\xC0\x66\xB8\xc0\x01\x40\x2B\xE0\xFF\xE4\x00
bytes (XOR decoder stub: call/pop to find itself, then xor byte [ebx+ecx],0xEE in a loop of 0x145 iterations over the bytes that follow the stub; key at offset 13, count at offset 8):
  \xeb\x10\x5b\x4b\x33\xc9\x66\xb9\x45\x01\x80\x34\x0b\xee\xe2\xfa\xeb\x05\xe8\xeb\xff\xff\xff
  • Monitor for spawning of posix.exe invoking pax.exe with the '-h' flag via command-line arguments, which is the trigger pattern used by the exploit to initiate the buffer overflow in the POSIX subsystem.
  • Detect use of VirtualAllocEx + WriteProcessMemory + VirtualProtectEx targeting a remote process (psxss.exe / posix.exe) with PAGE_EXECUTE_READWRITE, which is the injection chain used by the exploit.
  • Alert on processes spawning a bind shell on TCP port 60000 on localhost (127.0.0.1) immediately after posix.exe execution, as the shellcode opens a bind shell on that port.
  • Look for the jmp-esp gadget address 0x796E9B53 (advapi32.dll) appearing in memory writes or stack frames during POSIX subsystem exploitation.
  • Detect writes to the hardcoded patch address 0x0100343D within posix.exe address space, which is where the exploit overwrites code to redirect execution.
  • Privilege escalation indicator: a process running as a low-privileged user that subsequently spawns a child shell running as NT AUTHORITY\SYSTEM after posix.exe execution should be treated as a successful exploitation event.
  • The exploit and hardcoded addresses (PATCHADDR 0x0100343D, RETADDR 0x796E9B53, CANWRITEADDR 0x7ffdf02c) were tested specifically on Windows 2000 SP4 CN; the author notes NT/XP/2003 were NOT TESTED, so these offsets may not be reliable across all target variants.
  • The bind shell shellcode is XOR-encoded with key 0xEE; network or memory signatures must account for this encoding layer rather than scanning for plaintext shellcode bytes.
  • The bind port (60000) is hardcoded in the public PoC but is trivially changeable by an attacker; port-based detection alone is insufficient.
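The following is an added example, not the PoC author's code and not taken from the advisory sources. It turns the indicators above into runnable detection logic: the process-level rules (posix.exe launching pax with -h; a SYSTEM child of a posix.exe started by a low-privileged user) run over constructed process-creation events, and the byte-level rules (stack-pivot stub, little-endian RETADDR, XOR decoder stub) run over a constructed memory region, after which the XOR layer is stripped so the payload can be inspected in plaintext. The pipe-separated log layout, the "PAYLOAD:" stand-in and the region layout are assumptions for illustration; the stub bytes, key 0xEE, count 0x145 and the gadget address come from the IOC list. The decoder match goes beyond the PoC's fixed values by wildcarding the count and key fields and reading them out of the stub, so a re-encoded variant with another key or size is still caught.

```python
"""Detection logic for the CVE-2004-0210 indicators listed above, run over constructed
sample data. Added example; not the PoC author's code and not from the advisory sources.

Part 1: process-creation events -> the posix.exe "pax -h" trigger and a SYSTEM child of a
        posix.exe started by a low-privileged user (the privilege-escalation signal).
Part 2: memory region -> the stack-pivot stub, the little-endian jmp-esp address and the
        XOR decoder stub; the XOR layer is stripped so the payload can be inspected.
The decoder match wildcards the 16-bit loop count and the one-byte key (the PoC hardcodes
0x145 and 0xEE), so re-encoded variants with another key or size are still caught.
"""
import re
import struct
from typing import List, Tuple

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

# Constructed process-creation log (assumed layout: timestamp|pid|ppid|user|image|cmdline).
SAMPLE_EVENTS = """\
10:00:00|990|800|WORKSTATION\\alice|C:\\WINNT\\system32\\posix.exe|posix.exe /C ls
10:00:01|1000|900|WORKSTATION\\alice|C:\\WINNT\\system32\\posix.exe|posix.exe /P C:\\WINNT\\system32\\pax.exe /C pax -h
10:00:01|1001|1000|WORKSTATION\\alice|C:\\WINNT\\system32\\pax.exe|pax -h
10:00:02|1002|1000|NT AUTHORITY\\SYSTEM|C:\\WINNT\\system32\\cmd.exe|cmd.exe
"""

# pax (with or without .exe) followed somewhere later by a standalone -h flag.
TRIGGER_RE = re.compile(r"\bpax(?:\.exe)?\b.*(?:^|\s)-h(?:\s|$)", re.IGNORECASE)


def parse_events(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, ppid, user, image, cmdline = line.split("|", 5)
        events.append({"ts": ts, "pid": int(pid), "ppid": int(ppid),
                       "user": user, "image": image, "cmdline": cmdline})
    return events


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_process_events(events: List[dict]) -> List[Tuple[str, int]]:
    """Return (rule, pid) alerts for the two process-level rules in the IOC list."""
    alerts = []
    by_pid = {e["pid"]: e for e in events}
    for e in events:
        if _basename(e["image"]) == "posix.exe" and TRIGGER_RE.search(e["cmdline"]):
            alerts.append(("posix_pax_trigger", e["pid"]))
        parent = by_pid.get(e["ppid"])
        if (parent is not None and _basename(parent["image"]) == "posix.exe"
                and parent["user"].upper() != SYSTEM_USER
                and e["user"].upper() == SYSTEM_USER):
            alerts.append(("system_child_of_posix", e["pid"]))
    return alerts


# Stack-pivot stub from the IOC list: xor eax,eax; mov ax,0x1C0; inc eax; sub esp,eax; jmp esp
PIVOT_STUB = bytes.fromhex("33c066b8c001402be0ffe4")
# jmp esp gadget in advapi32.dll (RETADDR), as it appears once written onto the stack
RETADDR_LE = struct.pack("<I", 0x796E9B53)
# Decoder stub from the IOC list with the loop count (offset 8..9) and key (offset 13) wildcarded:
#   eb 10 5b 4b 33 c9 66 b9 LL LL 80 34 0b KK e2 fa eb 05 e8 eb ff ff ff
DECODER_RE = re.compile(
    rb"\xeb\x10\x5b\x4b\x33\xc9\x66\xb9(..)\x80\x34\x0b(.)\xe2\xfa\xeb\x05\xe8\xeb\xff\xff\xff",
    re.DOTALL)


def scan_memory(buf: bytes) -> dict:
    """Look for the three byte-level indicators; if the decoder stub is present, strip the
    XOR layer from the bytes it would decode and return them under 'decoded'."""
    out = {"pivot_stub": PIVOT_STUB in buf, "retaddr": RETADDR_LE in buf,
           "decoder": None, "decoded": None}
    m = DECODER_RE.search(buf)
    if m:
        (count,) = struct.unpack("<H", m.group(1))
        key = m.group(2)[0]
        # call/pop/dec leaves ebx one byte before the end of the stub; the loop then
        # XORs [ebx+1 .. ebx+count], i.e. exactly the `count` bytes after the stub.
        encoded = buf[m.end():m.end() + count]
        out["decoder"] = {"offset": m.start(), "key": key, "count": count}
        out["decoded"] = bytes(b ^ key for b in encoded)
    return out


def build_sample_region(payload: bytes, key: int = 0xEE) -> bytes:
    """Constructed memory image (assumed layout, not the PoC's): filler, RETADDR, pivot stub,
    then the decoder stub patched with the payload length and key, then the encoded payload."""
    stub = bytearray(bytes.fromhex("eb105b4b33c966b9000080340b00e2faeb05e8ebffffff"))
    stub[8:10] = struct.pack("<H", len(payload))
    stub[13] = key
    encoded = bytes(b ^ key for b in payload)
    return b"\x90" * 16 + RETADDR_LE + PIVOT_STUB + b"\x00" + bytes(stub) + encoded


if __name__ == "__main__":
    for alert in detect_process_events(parse_events(SAMPLE_EVENTS)):
        print("process alert:", alert)
    # Stand-in payload (constructed): the bind port 60000 in network byte order plus a marker.
    payload = b"PAYLOAD:\xea\x60 constructed stand-in for the bind shell"
    region = build_sample_region(payload)
    print("plaintext payload bytes present in region:", payload in region)  # hidden by the XOR layer
    print("memory findings:", scan_memory(region))
```

The memory half is the point of the "encoding layer" caveat: a plain substring search for the payload returns nothing, while matching the decoder stub and replaying its XOR exposes the payload (and the port bytes) for inspection. The process half deliberately keys on the posix.exe image plus the pax/-h argument pattern rather than on the bind port, since the port is the attacker-controlled part.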

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck             7.8     HIGH
cisa                  7.8     HIGH