Vulnerabilities > CVE-2003-0003 - Buffer Overflow vulnerability in Microsoft Windows Locator Service

047910
CVSS 7.5 - HIGH (CVSSv2, scored here with partial C/I/A impact; note that the Nessus plugin below rates the same flaw AV:N/AC:L/Au:N/C:C/I:C/A:C, i.e. 10.0, since the injected code executes inside the Locator service process)
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
microsoft
nessus
exploit available

Summary

Buffer overflow in the RPC Locator service for Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows attackers to execute arbitrary code via an RPC call to the service containing certain parameter information. Note: the original NVD text says "local users", but the attack vector recorded above is NETWORK, the Nessus description describes a crafted packet sent to the service, and both Exploit-DB entries below are remote exploits — treat the flaw as remotely exploitable from any host that can reach the Locator service's RPC endpoint.

Exploit-Db

  • description: Microsoft Windows XP/2000/NT 4 Locator Service Buffer Overflow Vulnerability. CVE-2003-0003. Remote exploit for the Windows platform.
    id: EDB-ID:22194
    last seen: 2016-02-02
    modified: 2003-01-22
    published: 2003-01-22
    reporter: David Litchfield
    source: https://www.exploit-db.com/download/22194/
    title: Microsoft Windows XP/2000/NT 4 Locator Service Buffer Overflow Vulnerability
  • description: MS Windows RPC Locator Service Remote Exploit. CVE-2003-0003. Remote exploit for the Windows platform.
    id: EDB-ID:5
    last seen: 2016-01-31
    modified: 2003-04-03
    published: 2003-04-03
    reporter: Marcin Wolak
    source: https://www.exploit-db.com/download/5/
    title: Microsoft Windows RPC Locator Service - Remote Exploit

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS03-001.NASL
description: The Microsoft Locate service is a name server that maps logical names to network-specific names. There is a security vulnerability in this server that allows an attacker to execute arbitrary code in it by sending a specially crafted packet to it. Note that this plugin is a credentialed, local check (plugin_type "local"): it verifies over SMB that the Locator.exe shipped with hotfix 810833 is present rather than sending any traffic to the Locator service itself, so it needs working SMB credentials to produce a result — a host it cannot log in to is untested, not clean.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11212
published: 2003-01-23
reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11212
title: MS03-001: Unchecked buffer in Locate Service (810833)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration phase: Nessus evaluates this branch when it loads the plugin
# to collect its metadata and then leaves via the exit(0) at the bottom, so
# none of the checking logic further down runs during this phase.
if (description)
{
 script_id(11212);
 script_version("1.46");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 # Cross-references: the CVE, BugTraq 6666, the Microsoft bulletin, the
 # CERT vulnerability note and the KB article the hotfix is tracked under.
 script_cve_id("CVE-2003-0003");
 script_bugtraq_id(6666);
 script_xref(name:"MSFT", value:"MS03-001");
 script_xref(name:"CERT", value:"610986");
 script_xref(name:"MSKB", value:"810833");

 script_name(english:"MS03-001: Unchecked buffer in Locate Service (810833)");
 script_summary(english:"Checks for MS Hotfix 810833");

 script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
 script_set_attribute(attribute:"description", value:
"The Microsoft Locate service is a name server that maps logical names
to network-specific names.

There is a security vulnerability in this server that allows an
attacker to execute arbitrary code in it by sending a specially
crafted packet to it.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2003/ms03-001");
 script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows NT, 2000 and XP.");
 # Tenable scores the flaw with complete C/I/A impact (CVSSv2 base 10.0,
 # CVSSv3 base 9.8): network-reachable, no authentication, no user
 # interaction. The temporal vectors record that a working exploit exists
 # and that an official fix is available.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
 script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
 # Exploitation status flags: public exploits, exploit-framework modules
 # (core, CANVAS) and in-the-wild malware use are all recorded as true.
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"exploited_by_malware", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');

 # NOTE(review): vuln_publication_date (2003/01/30) is later than both the
 # patch (2003/01/22) and plugin (2003/01/23) dates, which looks
 # inconsistent for a flaw fixed by that patch; confirm against MS03-001.
 script_set_attribute(attribute:"vuln_publication_date", value:"2003/01/30");
 script_set_attribute(attribute:"patch_publication_date", value:"2003/01/22");
 script_set_attribute(attribute:"plugin_publication_date", value:"2003/01/23");

 # "local" means a credentialed check over SMB (ports 139/445 required
 # below), not a probe of the Locator service's RPC endpoint: a host with
 # no usable SMB credentials is left untested rather than declared clean.
 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 # The hotfix/service enumeration plugins must have run first, and the KB
 # flag they set saying bulletin checks are possible must be present.
 script_dependencies("smb_hotfixes.nasl", "smb_enum_services.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

# --- Preconditions --------------------------------------------------------
# Stop unless an earlier plugin recorded that bulletin checks are feasible
# on this host (i.e. SMB credentials worked).
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

# 'bulletin' and 'kb' are read again by the file-version checks further
# down, so their names are part of the script's internal contract.
bulletin = 'MS03-001';
kb = "810833";

# If third-party patch-management data is available for the host, also
# hand the bulletin/KB pair to that check.
if (get_kb_item("Host/patch_management_checks"))
{
  hotfix_check_3rd_party(bulletin:bulletin, kbs:make_list(kb), severity:SECURITY_HOLE);
}

# Registry contents and the Windows version must already be in the KB.
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Service-pack gate, per the ranges passed: NT 4.0 SP6, Windows 2000
# SP2-SP3 and Windows XP SP0-SP1. Anything outside is reported not
# vulnerable by service-pack level and the script exits.
if (hotfix_check_sp_range(nt:'6', win2k:'2,3', xp:'0,1') <= 0)
{
  audit(AUDIT_OS_SP_NOT_VULN);
}

# Resolve %SystemRoot% and confirm its administrative share is reachable
# before any file-version comparison is attempted.
sysroot = hotfix_get_systemroot();
if (!sysroot) exit(1, "Failed to get the system root.");

admin_share = hotfix_path2share(path:sysroot);
if (!is_accessible_share(share:admin_share)) audit(AUDIT_SHARE_FAIL, admin_share);

# --- File version checks --------------------------------------------------
# Each branch compares %SystemRoot%\system32\Locator.exe against the build
# shipped in KB810833 for that platform. The chain stops at the first
# branch that reports a vulnerable file, matching the original short-circuit
# '||' evaluation. The final NT 4.0 entry uses min_version so that only the
# 4.0.1381.33xxx build line is compared against 4.0.1381.33534; lower NT 4.0
# builds are handled by the 4.0.1381.7202 entry just above it.
vulnerable = FALSE;

if (hotfix_is_vulnerable(os:"5.1", sp:1, file:"Locator.exe",
                         version:"5.1.2600.1147",
                         dir:"\system32", bulletin:bulletin, kb:kb))
{
  vulnerable = TRUE;
}
else if (hotfix_is_vulnerable(os:"5.1", sp:0, file:"Locator.exe",
                              version:"5.1.2600.108",
                              dir:"\system32", bulletin:bulletin, kb:kb))
{
  vulnerable = TRUE;
}
else if (hotfix_is_vulnerable(os:"5.0", file:"Locator.exe",
                              version:"5.0.2195.6136",
                              dir:"\system32", bulletin:bulletin, kb:kb))
{
  vulnerable = TRUE;
}
else if (hotfix_is_vulnerable(os:"4.0", file:"Locator.exe",
                              version:"4.0.1381.7202",
                              dir:"\system32", bulletin:bulletin, kb:kb))
{
  vulnerable = TRUE;
}
else if (hotfix_is_vulnerable(os:"4.0", file:"Locator.exe",
                              version:"4.0.1381.33534", min_version:"4.0.1381.33000",
                              dir:"\system32", bulletin:bulletin, kb:kb))
{
  vulnerable = TRUE;
}

# Not affected: close the file-check session, then audit() exits the script
# (see audit.inc), so nothing below runs in this case.
if (!vulnerable)
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

# Vulnerable: flag the missing bulletin in the KB, raise the finding, then
# close the file-check session in the same order as before.
set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
hotfix_security_hole();
hotfix_check_fversion_end();
exit(0);

Oval

accepted: 2016-02-08T10:00:00.000-05:00
class: vulnerability
contributors
  • name: Tiffany Bergeron
    organization: The MITRE Corporation
  • name: Jonathan Baker
    organization: The MITRE Corporation
definition_extensions
comment: Microsoft Windows NT is installed
oval: oval:org.mitre.oval:def:36
description: Buffer overflow in the RPC Locator service for Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code via an RPC call to the service containing certain parameter information. (This repeats the NVD wording; the network attack vector and the remote exploits listed on this page indicate the flaw is reachable over the network, not only by local users.)
family: windows
id: oval:org.mitre.oval:def:103
status: accepted
submitted: 2003-08-27T12:00:00.000-04:00
title: Windows RPC Locator Service Buffer Overflow
version: 70