CVE-2004-0567
published 2004-12-31


Priority: P3 55 · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 72.29% (99.4th percentile)
The Windows Internet Naming Service (WINS) in Windows NT Server 4.0 SP 6a, NT Terminal Server 4.0 SP 6, Windows 2000 Server SP3 and SP4, and Windows Server 2003 does not properly validate the computer name value in a WINS packet, which allows remote attackers to execute arbitrary code or cause a denial of service (server crash), which results in an "unchecked buffer" and possibly triggers a buffer overflow, aka the "Name Validation Vulnerability."

Affected (3 ranges)

Vendor    | Product             | Version range | Fixed in
microsoft | windows_2003_server |               |
microsoft | windows_2003_server |               |
microsoft | windows_nt          |               |

Detection & IOCs (extracted from sources)

port: 42 (WINS TCP port, target service)
bytes: \x00\x03\x0d\x4c\x77\x77\xFF\x77\x05\x4e\x00\x3c\x01\x02\x03\x04
bytes: \xeb\x25\xe9\xfa\x99\xd3\x77\xf6\x02\x06\x6c\x59\x6c\x59\xf8\x1d\x9c\xde\x8c\xd1\x4c\x70\xd4\x03\x58\x46\x57\x53\x32\x5f\x33\x32\x2e\x44\x4c\x4c
  • Monitor for anomalous inbound TCP connections to the WINS service (port 42) containing the malformed packet header bytes 00 03 0d 4c 77 77 FF 77 05 4e 00 3c, which is the exploit trigger packet for CVE-2004-0567.
  • The exploit shellcode uses XOR obfuscation with key 0x93939393 for the callback IP and 0x9393 for the callback port embedded in the payload; scan WINS traffic for payloads containing the repeating byte pattern 93 93 93 93.
  • The exploit sends a large (~200 KB) repeated pattern buffer to the WINS service; alert on unusually large TCP payloads destined for port 42 (WINS).
  • The vulnerability is an unchecked buffer in WINS computer name validation; the WINS service (wins.exe) crashing or restarting unexpectedly on Windows 2000 SP3/SP4 or Windows Server 2003 may indicate exploitation attempts.
  • The exploit targets Windows 2000 SP3/SP4 specifically; the author notes it 'probably' works across all language versions, but the hardcoded offsets and shellcode may not be reliable across all patch levels of NT4 SP6a, NT Terminal Server 4.0 SP6, or Windows Server 2003 also listed as vulnerable.
  • The callback IP and port in the shellcode are XOR-encoded at runtime; static byte-pattern signatures for the shellcode must account for the variable encoded bytes at offsets 2–5 (port) and 4–7 (IP) within the shellcode buffer.
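The three network-side indicators above (the trigger header bytes, the repeating 93 93 93 93 XOR-key pattern, and an oversized payload to TCP/42) can be applied to captured traffic with a few lines of code. The following is an added example written for this page, not code from cvebase or from the exploit's author; the `Flow` record type, the sample payloads, and the 64 KB size threshold (chosen well below the ~200 KB the IOC text mentions, so smaller variants still alert) are all assumptions made here for illustration.

```python
# Added example (not from cvebase or the exploit author): apply the WINS
# indicators from the IOC list above to captured TCP payloads. Sample
# flows below are constructed for illustration.
from dataclasses import dataclass

WINS_PORT = 42
# Trigger header bytes quoted in the IOC list (first 12 of the 16 listed).
TRIGGER_HEADER = bytes.fromhex("00030d4c7777ff77054e003c")
# Repeating XOR-key bytes the IOC list says appear in the shellcode payload.
XOR_KEY_PATTERN = b"\x93\x93\x93\x93"
# Assumed alert threshold; the IOC text cites a ~200 KB buffer, so 64 KB
# leaves headroom for trimmed or partially captured payloads.
LARGE_PAYLOAD_BYTES = 64 * 1024


@dataclass
class Flow:
    """Minimal stand-in for a captured TCP connection (hypothetical type)."""
    src: str
    dst_port: int
    payload: bytes


def inspect_flow(flow: Flow) -> list[str]:
    """Return the names of every indicator that matches this flow.

    Only traffic to the WINS port is examined; each check maps directly
    to one bullet in the Detection & IOCs list.
    """
    if flow.dst_port != WINS_PORT:
        return []
    findings = []
    if TRIGGER_HEADER in flow.payload:
        findings.append("cve-2004-0567-trigger-header")
    if XOR_KEY_PATTERN in flow.payload:
        findings.append("xor-key-pattern-93939393")
    if len(flow.payload) >= LARGE_PAYLOAD_BYTES:
        findings.append("oversized-wins-payload")
    return findings


def scan(flows: list[Flow]) -> dict[str, list[str]]:
    """Map source address -> matched indicators for flows that triggered."""
    results = {}
    for flow in flows:
        findings = inspect_flow(flow)
        if findings:
            results[flow.src] = findings
    return results


# Constructed sample flows: one with the trigger header, one benign-looking
# short packet, one oversized payload carrying the XOR-key bytes, and one
# copy of the header sent to a non-WINS port (ignored).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 42, TRIGGER_HEADER + b"\x01\x02\x03\x04" + b"A" * 32),
    Flow("10.0.0.6", 42, b"\x00\x01" + b"B" * 40),
    Flow("10.0.0.7", 42, b"C" * (70 * 1024) + XOR_KEY_PATTERN),
    Flow("10.0.0.8", 139, TRIGGER_HEADER),
]

if __name__ == "__main__":
    for src, hits in scan(SAMPLE_FLOWS).items():
        print(f"{src}: {', '.join(hits)}")
```

Substring matching on the header is deliberate: the IOC bullet describes the packet as "containing" those bytes, and a capture may include preceding framing. A real deployment would feed `inspect_flow` from a packet capture or IDS reassembly rather than the inline samples.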