CVE-2004-0210
Published 2004-08-06
Priority: P2 · 72 · high · CVSS 3.1 base score 7.8
CVSS 3.1 vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Badges: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-03-24
Exploited in the wild
EPSS: 7.61% (93.8th percentile)
The POSIX component of Microsoft Windows NT and Windows 2000 allows local users to execute arbitrary code via certain parameters, possibly by modifying message length values and causing a buffer overflow.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | interix | — | — |
| microsoft | windows_nt | — | — |
Detection & IOCs (extracted from sources)
- Bytes: \x33\xC0\x66\xB8\xc0\x01\x40\x2B\xE0\xFF\xE4\x00
- Bytes: \xeb\x10\x5b\x4b\x33\xc9\x66\xb9\x45\x01\x80\x34\x0b\xee\xe2\xfa\xeb\x05\xe8\xeb\xff\xff\xff
- Monitor for posix.exe being spawned to invoke pax.exe with the '-h' flag on the command line; this is the trigger pattern the public exploit uses to initiate the buffer overflow in the POSIX subsystem.
- Detect use of VirtualAllocEx + WriteProcessMemory + VirtualProtectEx targeting a remote process (psxss.exe / posix.exe) with PAGE_EXECUTE_READWRITE, the injection chain used by the exploit.
- Alert on a process opening a bind shell on TCP port 60000 on localhost (127.0.0.1) immediately after posix.exe execution; the shellcode opens a bind shell on that port.
- Look for the jmp-esp gadget address 0x796E9B53 (advapi32.dll) appearing in memory writes or stack frames during POSIX subsystem exploitation.
- Detect writes to the hardcoded patch address 0x0100343D within the posix.exe address space, where the exploit overwrites code to redirect execution.
- Privilege escalation indicator: a process running as a low-privileged user that subsequently spawns a child shell running as NT AUTHORITY\SYSTEM after posix.exe execution should be treated as a successful exploitation event.
Caveats
- The exploit and its hardcoded addresses (PATCHADDR 0x0100343D, RETADDR 0x796E9B53, CANWRITEADDR 0x7ffdf02c) were tested specifically on Windows 2000 SP4 CN; the author notes NT/XP/2003 were NOT TESTED, so these offsets may not be reliable across all target variants.
- The bind-shell shellcode is XOR-encoded with key 0xEE; network or memory signatures must account for this encoding layer rather than scanning for plaintext shellcode bytes.
- The bind port (60000) is hardcoded in the public PoC but is trivially changeable by an attacker; port-based detection alone is insufficient.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
CISA
Microsoft Windows Privilege Escalation Vulnerability
cisa · 2022-03-03 · CVSS 7.8
CVE-2004-0210 [HIGH] CWE-120 Microsoft Windows Privilege Escalation Vulnerability
Vulnerability: Microsoft Windows Privilege Escalation Vulnerability
Affected: Microsoft Windows
A privilege elevation vulnerability exists in the POSIX subsystem. This vulnerability could allow a logged on user to take complete control of the system.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2004-0210
Remediation Due Date: 2022-03-24
VulDB
Microsoft Windows NT 4.0/2000 POSIX Subsystem memory corruption (MS04-020 / VU#647436)
vuldb · 2026-04-22 · CVSS 7.8
CVE-2004-0210 [HIGH] Microsoft Windows NT 4.0/2000 POSIX Subsystem memory corruption (MS04-020 / VU#647436)
A vulnerability was found in Microsoft Windows NT 4.0/2000. It has been declared as critical. This vulnerability affects unknown code of the component POSIX Subsystem. The manipulation results in memory corruption.
This vulnerability is reported as CVE-2004-0210. The attacker must have access to the local network to execute the attack. Moreover, an exploit is present.
A patch should be applied to remediate this issue.
GHSA
GHSA-867p-9w54-69hp: The POSIX component of Microsoft Windows NT and Windows 2000 allows local users to execute arbitrary code via certain parameters, possibly by modifyin
ghsa_unreviewed · 2022-04-29
CVE-2004-0210 [HIGH] CWE-120 GHSA-867p-9w54-69hp: The POSIX component of Microsoft Windows NT and Windows 2000 allows local users to execute arbitrary code via certain parameters, possibly by modifyin
The POSIX component of Microsoft Windows NT and Windows 2000 allows local users to execute arbitrary code via certain parameters, possibly by modifying message length values and causing a buffer overflow.
VulnCheck
Microsoft Windows Privilege Escalation Vulnerability
vulncheck · 2004 · CVSS 7.8
CVE-2004-0210 [HIGH] CWE-120 Microsoft Windows Privilege Escalation Vulnerability
Microsoft Windows Privilege Escalation Vulnerability
A privilege elevation vulnerability exists in the POSIX subsystem. This vulnerability could allow a logged on user to take complete control of the system.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-03-24
No detection rules found.
No writeups or analysis indexed.
References
- http://www.kb.cert.org/vuls/id/647436
- http://www.us-cert.gov/cas/techalerts/TA04-196A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-020
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16590
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2166
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2847
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2004-0210
Timeline
- 2004-08-06: Published
- 2022-03-03: Added to CISA KEV
- Exploited in the wild