CVE-2007-1748
published 2007-04-13

Priority: P1 80
Severity: critical (CVSS 2.0 base score 10)
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 79.13% (99.5th percentile)
Stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to execute arbitrary code via a long zone name containing character constants represented by escape sequences.

Affected (2 ranges)

Vendor / Product / Version range / Fixed in
microsoft / windows_2003_server / (not given) / (not given)
microsoft / windows_2003_server / (not given) / (not given)

Detection & IOCs (extracted from sources)

  • other: 50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0
  • other: RPC UUID 50ABC2A4-574D-40B3-9D66-EE4FD5FBA076 v5.0
  • path: \DNSSERVER
  • port: 4444
  • port: 445
  • command: DnssrvOperation() with long zone name containing escaped octal strings
  • bytes (DCE/RPC bind PDU, ptype 0x0B, carrying the DNS Server RPC interface UUID):
    05 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 D0 16 D0 16 00 00 00 00 01 00 00 00 00 00 01 00 A4 C2 AB 50 4D 57 B3 40 9D 66 EE 4F D5 FB A0 76 05 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00
  • bytes (DCE/RPC request PDU header, ptype 0x00, opnum 1, stub data not shown):
    05 00 00 83 10 00 00 00 7f 06 00 00 01 00 00 00 57 06 00 00 00 00 01 00 a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76
  • Detect exploit attempts by monitoring for DCE/RPC bind requests to UUID 50abc2a4-574d-40b3-9d66-ee4fd5fba076 (DNS Server RPC) over ncacn_ip_tcp on dynamic high ports, especially with abnormally long zone name parameters (>1200 bytes) containing backslash-escaped octal sequences.
  • Monitor for DCE/RPC calls to the DNS Server RPC interface (UUID 50abc2a4-574d-40b3-9d66-ee4fd5fba076) via the named pipe \DNSSERVER over SMB (port 445), which requires valid credentials — flag authenticated RPC calls with oversized zone name parameters.
  • Alert on outbound connections from DNS server processes (dns.exe) to port 4444, which is the default backdoor/bind-shell port used by all known public exploits for this CVE.
  • Use the EPM (endpoint mapper, port 135) to detect pre-exploit reconnaissance: attackers query the endpoint mapper for UUID 50ABC2A4-574D-40B3-9D66-EE4FD5FBA076 to discover the dynamic DNS RPC TCP port before launching the overflow.
  • Detect the DCE bind packet signature for the DNS RPC service: look for the byte pattern A4 C2 AB 50 4D 57 B3 40 9D 66 EE 4F D5 FB A0 76 (UUID in little-endian wire format) in TCP streams on dynamic high ports.
  • The SMB-based exploit variant (opnum 0x01 / DnssrvQuery) sends a stub payload of 1663 bytes with shellcode starting at offset 1320; IDS rules should flag DNS RPC stubs over SMB exceeding ~1600 bytes targeting the \DNSSERVER pipe.
  • Fingerprinting step: attackers probe for the Task Scheduler RPC UUID 1ff70682-0a51-30e8-076d-740be8cee98b and 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 over ncacn_ip_tcp to distinguish Windows 2000 vs 2003 SP0 vs 2003 SP1/SP2 targets before exploitation.
  • The exploit is capable of bypassing NX/DEP on Windows 2003 SP1/SP2 using ATL.DLL ROP gadgets; DEP/NX alone is not a sufficient mitigation for this vulnerability on those platforms.
  • The dynamic RPC port used by the DNS Server service varies per host; blocking port 445 alone does not prevent the TCP-based unauthenticated attack vector. The endpoint mapper (port 135) must also be restricted to prevent port discovery.

CVSS provenance

NVD: CVSS v2.0, 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
VulnCheck: 10.0 CRITICAL