CVE-2007-1748
Published 2007-04-13
Priority: P1 (80) · Severity: critical · CVSS 2.0 base score: 10.0 · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploited in the wild (listed in the VulnCheck KEV catalog)
EPSS: 79.13% (99.5th percentile)
Stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to execute arbitrary code via a long zone name containing character constants represented by escape sequences.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
Detection & IOCs (extracted from sources)

Bytes (DCE/RPC bind PDU whose abstract syntax is the DNS Server RPC interface UUID):

```
05 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 D0 16 D0 16 00 00 00 00 01 00 00 00 00 00 01 00 A4 C2 AB 50 4D 57 B3 40 9D 66 EE 4F D5 FB A0 76 05 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00
```

Bytes (DCE/RPC request PDU header, opnum 1, object UUID set to the DNS Server RPC interface; stub not included):

```
05 00 00 83 10 00 00 00 7f 06 00 00 01 00 00 00 57 06 00 00 00 00 01 00 a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76
```
Detections:

- Detect exploit attempts by monitoring for DCE/RPC bind requests to UUID 50abc2a4-574d-40b3-9d66-ee4fd5fba076 (DNS Server RPC) over ncacn_ip_tcp on dynamic high ports, especially with abnormally long zone name parameters (>1200 bytes) containing backslash-escaped octal sequences.
- Monitor for DCE/RPC calls to the DNS Server RPC interface (UUID 50abc2a4-574d-40b3-9d66-ee4fd5fba076) via the named pipe \DNSSERVER over SMB (port 445), which requires valid credentials; flag authenticated RPC calls with oversized zone name parameters.
- Alert on outbound connections from DNS server processes (dns.exe) to port 4444, which is the default backdoor/bind-shell port used by all known public exploits for this CVE.
- Use the EPM (endpoint mapper, port 135) to detect pre-exploit reconnaissance: attackers query the endpoint mapper for UUID 50ABC2A4-574D-40B3-9D66-EE4FD5FBA076 to discover the dynamic DNS RPC TCP port before launching the overflow.
- Detect the DCE bind packet signature for the DNS RPC service: look for the byte pattern A4 C2 AB 50 4D 57 B3 40 9D 66 EE 4F D5 FB A0 76 (UUID in little-endian wire format) in TCP streams on dynamic high ports.
- The SMB-based exploit variant (opnum 0x01 / DnssrvQuery) sends a stub payload of 1663 bytes with shellcode starting at offset 1320; IDS rules should flag DNS RPC stubs over SMB exceeding ~1600 bytes targeting the \DNSSERVER pipe.
- Fingerprinting step: attackers probe for the Task Scheduler RPC UUIDs 1ff70682-0a51-30e8-076d-740be8cee98b and 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 over ncacn_ip_tcp to distinguish Windows 2000, 2003 SP0 and 2003 SP1/SP2 targets before exploitation.

Notes:

- The exploit is capable of bypassing NX/DEP on Windows 2003 SP1/SP2 using ATL.DLL ROP gadgets; DEP/NX alone is not a sufficient mitigation for this vulnerability on those platforms.
- The dynamic RPC port used by the DNS Server service varies per host; blocking port 445 alone does not prevent the TCP-based unauthenticated attack vector. The endpoint mapper (port 135) must also be restricted to prevent port discovery.
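The bind-signature and oversized-stub detections above can be implemented directly on DCE/RPC PDU headers. This is an added example, not code from any of the indexed sources: it parses the connection-oriented DCE/RPC header, extracts the interface UUIDs from a bind (abstract syntax) or a request (object UUID) by converting the little-endian wire form, and flags traffic to the DNS Server RPC interface, plus any request whose frag_len exceeds the ~1600-byte threshold quoted on this page. The sample PDUs are the two IOC byte strings above; the PDU layout is the standard DCE/RPC one, and the threshold is taken from the page's detection note.

```python
import struct
import uuid

# UUID and the ~1600-byte stub threshold come from the detection notes on this page.
DNS_RPC_UUID = uuid.UUID("50abc2a4-574d-40b3-9d66-ee4fd5fba076")
OVERSIZED_FRAG = 1600
PTYPE_REQUEST, PTYPE_BIND = 0x00, 0x0B
PFC_OBJECT_UUID = 0x80  # pfc_flags bit: a 16-byte object UUID follows the request header

# Sample PDUs copied from the IOC hex above. The request sample is only its first 40
# bytes (the page omits the stub), so size detection keys on the header's frag_len field.
BIND = bytes.fromhex(
    "05 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 00 D0 16 D0 16 00 00 00 00 01 00 00 00 "
    "00 00 01 00 A4 C2 AB 50 4D 57 B3 40 9D 66 EE 4F D5 FB A0 76 05 00 00 00 04 5D 88 8A "
    "EB 1C C9 11 9F E8 08 00 2B 10 48 60 02 00 00 00")
REQUEST = bytes.fromhex(
    "05 00 00 83 10 00 00 00 7f 06 00 00 01 00 00 00 57 06 00 00 00 00 01 00 "
    "a4 c2 ab 50 4d 57 b3 40 9d 66 ee 4f d5 fb a0 76")


def parse_pdu(data: bytes) -> dict:
    """Parse the 16-byte common header plus the bind/request fields a detector needs."""
    if len(data) < 16 or data[0] != 5:
        raise ValueError("not a DCE/RPC version 5 PDU")
    ptype, flags = data[2], data[3]
    end = "<" if (data[4] & 0xF0) == 0x10 else ">"  # drep byte 0 selects integer byte order
    frag_len, _auth_len, call_id = struct.unpack(end + "HHI", data[8:16])
    pdu = {"ptype": ptype, "frag_len": frag_len, "call_id": call_id, "ifaces": []}
    if ptype == PTYPE_BIND:
        n_ctx, off = data[24], 28      # context list follows max_xmit, max_recv, assoc_group
        for _ in range(n_ctx):
            n_ts = data[off + 2]       # transfer syntaxes in this element, 20 bytes each
            pdu["ifaces"].append(uuid.UUID(bytes_le=data[off + 4:off + 20]))
            off += 24 + 20 * n_ts      # 4-byte element header + 20-byte abstract syntax
    elif ptype == PTYPE_REQUEST:
        pdu["opnum"] = struct.unpack(end + "H", data[22:24])[0]
        if flags & PFC_OBJECT_UUID:
            pdu["ifaces"].append(uuid.UUID(bytes_le=data[24:40]))
    return pdu


def alerts_for(data: bytes) -> list:
    """Return detection findings for one PDU; an empty list means nothing matched."""
    pdu = parse_pdu(data)
    findings = []
    if DNS_RPC_UUID in pdu["ifaces"]:
        verb = "bind to" if pdu["ptype"] == PTYPE_BIND else "request against"
        findings.append(f"{verb} DNS Server RPC interface {DNS_RPC_UUID}")
        if pdu["ptype"] == PTYPE_REQUEST and pdu["frag_len"] > OVERSIZED_FRAG:
            findings.append(f"oversized stub: frag_len={pdu['frag_len']} opnum={pdu['opnum']}")
    return findings
```

Run over reassembled TCP streams on the dynamic high ports or over the \DNSSERVER pipe, the bind finding alone is a low-severity indicator (legitimate DNS management uses the same interface); the oversized-stub finding is the one worth paging on.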
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| VulnCheck | — | 10.0 | CRITICAL | — |
GHSA
GHSA-vwph-hfgx-rhgf · unreviewed · 2022-05-01 · severity HIGH · CWE-119
Stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to execute arbitrary code via a long zone name containing character constants represented by escape sequences.
VulnCheck
Microsoft Windows Improper Restriction of Operations within the Bounds of a Memory Buffer · 2007 · CVSS 10.0 · CRITICAL
Stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to execute arbitrary code via a long zone name containing character constants represented by escape sequences.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-029
No detection rules found.
Exploit-DB
Microsoft DNS RPC Service - 'extractQuotedChar()' Remote Overflow 'SMB' (MS07-029) (Metasploit) · 2010-09-28

```ruby
##
# $Id: ms07_029_msdns_zonename.rb 10503 2010-09-28 15:23:14Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 'Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)',
  'Description' => %q{
    This module exploits a stack buffer overflow in the RPC interface
    of the Microsoft DNS service. The vulnerability is triggered
    when a long zone name parameter is supplied that contains
    escaped octal strings. This module is capable of bypassing
```
Exploit-DB
Microsoft DNS RPC Service - 'extractQuotedChar()' TCP Overflow (MS07-029) (Metasploit) · 2010-07-25

```ruby
##
# $Id: ms07_029_msdns_zonename.rb 9929 2010-07-25 21:37:54Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 'Microsoft DNS RPC Service extractQuotedChar() Overflow (TCP)',
  'Description' => %q{
    This module exploits a stack buffer overflow in the RPC interface
    of the Microsoft DNS service. The vulnerability is triggered
    when a long zone name parameter is supplied that contains
    escaped octal strings. This module is capable of bypassing NX/DEP
```
Exploit-DB
Microsoft Windows - DNS RPC Remote Buffer Overflow (2) · 2007-04-18

Exploit v2 features:

- Target remote port 445 (by default, but requires auth)
- Manual target for dynamic TCP port (without auth)
- Automatic search for dynamic DNS RPC port
- Local and remote OS fingerprinting (auto target)
- Windows 2000 Server and Windows 2003 Server (Spanish) supported by default
- Fixed bug with Windows 2003 shellcode
- Universal local exploit for Win2k (automatic search for opcodes)
- Universal local and remote exploit for Win2k3 (/GS bypassed only with DEP disabled)
- Added targets for remote Win2k English and Italian (not tested, found with the Metasploit opcode database; please report your own)
- Microsoft RPC API used ( who cares? :p )

```
D:\Programación\DNSTEST>dnstest
Microsoft Dns Server local & remote
```
Exploit-DB
Microsoft Windows - DNS DnssrvQuery Remote Stack Overflow · 2007-04-15 · CVSS 10.0 · CRITICAL

```c
/*
 * Copyright (c) 2007 devcode
 *
 *
 * ^^ D E V C O D E ^^
 *
 * Windows DNS DnssrvQuery() Stack Overflow
 * [CVE-2007-1748]
 *
 *
 * Description:
 * A vulnerability has been reported in Microsoft Windows, which can
 * be exploited by malicious people to compromise a vulnerable system.
 * The vulnerability is caused due to a boundary error in an RPC interface
 * of the DNS service used for remote management of the service. This can
 * be exploited to cause a stack-based buffer overflow via a specially
 * crafted RPC request. The DnssrvQuery function is vulnerable to this stack
 * overflow.
 *
 *
 * Hotfix/Patch:
 * None as of this time.
 *
 * Vulnerable systems:
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 *
```
Exploit-DB
Microsoft Windows Server 2000 SP4 - DNS RPC Remote Buffer Overflow · 2007-04-15

```python
#!/usr/bin/python
# Remote exploit for the 0day Windows DNS RPC service vulnerability as
# described in https://www.securityfocus.com/bid/23470/info. Tested on
# Windows 2000 SP4. The exploit, if successful, binds a shell to TCP port 4444
# and then connects to it.
#
# Cheers to metasploit for the first exploit.
# Written for educational and testing purposes.
# Author shall bear no responsibility for any damage caused by using this code
# Winny Thomas :-)

import os
import sys
import time
from impacket.dcerpc import transport, dcerpc, epm
from impacket import uuid

# Portbind shellcode from metasploit; binds a shell to TCP port 4444
shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode +=
```
Metasploit
MS07-029 Microsoft DNS RPC Service extractQuotedChar() Overflow (TCP)
This module exploits a stack buffer overflow in the RPC interface of the Microsoft DNS service. The vulnerability is triggered when a long zone name parameter is supplied that contains escaped octal strings. This module is capable of bypassing NX/DEP protection on Windows 2003 SP1/SP2.
Metasploit
MS07-029 Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)
This module exploits a stack buffer overflow in the RPC interface of the Microsoft DNS service. The vulnerability is triggered when a long zone name parameter is supplied that contains escaped octal strings. This module is capable of bypassing NX/DEP protection on Windows 2003 SP1/SP2. This module exploits the RPC service using the \DNSSERVER pipe available via SMB. This pipe requires a valid user account to access, so the SMBUSER and SMBPASS options must be specified.
No writeups or analysis indexed.
References

- http://blogs.technet.com/msrc/archive/2007/04/12/microsoft-security-advisory-935964-posted.aspx
- http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/dcerpc/msdns_zonename.rb
- http://secunia.com/advisories/24871
- http://www.kb.cert.org/vuls/id/555920
- http://www.microsoft.com/technet/security/advisory/935964.mspx
- http://www.securityfocus.com/archive/1/465863/100/100/threaded
- http://www.securityfocus.com/archive/1/468871/100/200/threaded
- http://www.securityfocus.com/bid/23470
- http://www.securitytracker.com/id?1017910
- http://www.us-cert.gov/cas/techalerts/TA07-103A.html
- http://www.us-cert.gov/cas/techalerts/TA07-128A.html
- http://www.vupen.com/english/advisories/2007/1366
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-029
- https://exchange.xforce.ibmcloud.com/vulnerabilities/33629
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1228