CVE-2008-4114
published 2008-09-16

Priority P347 · high · CVSS 2.0: 7.1
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C
EXPLOIT
EPSS: 49.28% (98.7th percentile)
srv.sys in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via an SMB WRITE_ANDX packet with an offset that is inconsistent with the packet size, related to "insufficiently validating the buffer size," as demonstrated by a request to the \PIPE\lsarpc named pipe, aka "SMB Validation Denial of Service Vulnerability."

Affected

2 ranges

Vendor      Product         Version range   Fixed in
microsoft   windows_vista
microsoft   windows_vista

Detection & IOCs (extracted from sources)

path: \PIPE\lsarpc
filename: srv.sys
  • Monitor for SMB NT_CREATE_ANDX requests targeting the named pipe \PIPE\lsarpc immediately followed by a malformed WRITE_ANDX packet — this is the exact exploit sequence demonstrated in the PoC.
  • Flag SMB packets containing the SMB signature bytes 0xcccccccc / 0xcccccccc (Signature1/Signature2) in the WRITE_ANDX request header — this is a PoC-specific artifact set in the exploit.
  • Look for SMB WRITE_ANDX packets with AndXOffset set to 0xdede — this non-standard chained-command offset value is used in the exploit's crafted packets.
  • Alert on crashes or unexpected unloads of the SRV.SYS kernel driver following inbound SMB traffic on port 445/139, as exploitation results in a system crash (BSOD).
  • The Metasploit PoC hardcodes SMB credentials (SMBUser/SMBPass = 'testuser') and domain/host ('COBAYA'); these are test-environment values and will not match real-world attacker configurations, so do not rely on credential-matching for detection.
  • The Metasploit auxiliary module (ms09_001_write.rb) was tested successfully only against Windows Vista; behaviour and detectability may differ on other affected OS versions.
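
The packet-level checks listed above can be expressed as a small parser. This is an added example, not code from this page or from the Metasploit module; the function names, finding labels and sample bytes are constructed for illustration. It assumes the input is one SMB1 message with the NetBIOS session header already removed, and it reads "offset inconsistent with the packet size" as a DataOffset/DataLength range that falls outside the message.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
WRITE_ANDX = 0x2F      # SMB_COM_WRITE_ANDX command code
HEADER_LEN = 32        # fixed SMB1 header size

def check_write_andx(msg: bytes) -> list:
    """Findings for one SMB1 message (4-byte NetBIOS session header already removed)."""
    findings = []
    if len(msg) <= HEADER_LEN or msg[:4] != SMB1_MAGIC or msg[4] != WRITE_ANDX:
        return findings
    if msg[9] & 0x80:                       # Flags reply bit: server response, skip
        return findings
    # Header bytes 14..21 hold the 8-byte signature (the Signature1/Signature2 halves).
    sig1, sig2 = struct.unpack_from("<II", msg, 14)
    if sig1 == sig2 == 0xCCCCCCCC:
        findings.append("poc-signature")
    word_count = msg[HEADER_LEN]
    params_end = HEADER_LEN + 1 + 2 * word_count
    if word_count not in (12, 14) or params_end + 2 > len(msg):
        return findings + ["bad-parameter-block"]
    # AndXCommand, AndXReserved, AndXOffset, FID, Offset, Timeout, WriteMode,
    # Remaining, DataLengthHigh, DataLength, DataOffset
    f = struct.unpack_from("<BBHHIIHHHHH", msg, HEADER_LEN + 1)
    andx_offset, data_len, data_offset = f[2], (f[8] << 16) | f[9], f[10]
    if andx_offset == 0xDEDE:
        findings.append("andx-offset-dede")
    # Assumption: "inconsistent" means the data range falls outside the message.
    if data_len and (data_offset < params_end + 2 or data_offset + data_len > len(msg)):
        findings.append("data-out-of-bounds")
    return findings

def sample(sig=0, andx_offset=0, data_offset=64, data=b"AAAA"):
    """Constructed test message (not captured traffic): header + 14-word WRITE_ANDX."""
    hdr = SMB1_MAGIC + bytes([WRITE_ANDX]) + bytes(9) + struct.pack("<II", sig, sig) + bytes(10)
    params = struct.pack("<BBHHIIHHHHHI", 0xFF, 0, andx_offset, 1, 0, 0, 0, 0, 0,
                         len(data), data_offset, 0)
    return hdr + b"\x0e" + params + struct.pack("<H", len(data) + 1) + b"\x00" + data

if __name__ == "__main__":
    print("well-formed:", check_write_andx(sample()))
    print("flagged:    ", check_write_andx(sample(0xCCCCCCCC, 0xDEDE, 0xFFFF)))
```

The signature and AndXOffset findings match only the PoC's hardcoded values, so the bounds check is the one that still applies when those values change.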