Vulnerabilities > CVE-2003-0349 - Unspecified vulnerability in Microsoft Windows 2000

CVSS 7.5 - HIGH (CVSS v2 base score)
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
microsoft
nessus
exploit available
metasploit

Summary

Buffer overflow in the streaming media component for logging multicast requests in the ISAPI for the logging capability of Microsoft Windows Media Services (nsiislog.dll), as installed in IIS 5.0, allows remote attackers to execute arbitrary code via a large POST request to nsiislog.dll.

Vulnerable Configurations

Part Description Count
OS
Microsoft
1

Exploit-Db

  • description: Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow. CVE-2003-0349. Remote exploit for windows platform
    id: EDB-ID:16355
    last seen: 2016-02-01
    modified: 2010-07-25
    published: 2010-07-25
    reporter: metasploit
    source: https://www.exploit-db.com/download/16355/
    title: Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow
  • description: Microsoft Windows 2000/NT 4 Media Services NSIISlog.DLL Remote Buffer Overflow. CVE-2003-0349. Remote exploit for windows platform
    id: EDB-ID:22837
    last seen: 2016-02-02
    modified: 2003-06-25
    published: 2003-06-25
    reporter: firew0rker
    source: https://www.exploit-db.com/download/22837/
    title: Microsoft Windows 2000/NT 4 Media Services NSIISlog.DLL Remote Buffer Overflow
  • description: MS Windows Media Services Remote Exploit (MS03-022). CVE-2003-0349. Remote exploit for windows platform
    id: EDB-ID:48
    last seen: 2016-01-31
    modified: 2003-07-01
    published: 2003-07-01
    reporter: firew0rker
    source: https://www.exploit-db.com/download/48/
    title: Microsoft Windows Media Services - Remote Exploit MS03-022

Metasploit

description: This exploits a buffer overflow found in the nsiislog.dll ISAPI filter that comes with Windows Media Server. This module will also work against the 'patched' MS03-019 version. This vulnerability was addressed by MS03-022.
id: MSF:EXPLOIT/WINDOWS/ISAPI/MS03_022_NSIISLOG_POST
last seen: 2020-05-23
modified: 2017-07-24
published: 2010-07-25
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/isapi/ms03_022_nsiislog_post.rb
title: MS03-022 Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow

Nessus

NASL family: Web Servers
NASL id: NSIISLOG_DLL.NASL
description: Some versions of IIS shipped with a default file, nsiislog.dll, within the /scripts directory. Nessus has determined that the remote host has the file installed. The NSIISLOG.dll CGI may allow an attacker to execute arbitrary commands on this host, through a buffer overflow.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11664
published: 2003-05-28
reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11664
title: Microsoft Media Services ISAPI nsiislog.dll Multiple Overflows
code:
#
# (C) Tenable Network Security, Inc.
#

# Supersedes MS03-019

include("compat.inc");

# Metadata section. It runs only when `description` is set: it registers the
# plugin's identifiers, references, risk rating and scheduling requirements,
# then returns through exit(0) at the end of the block.
if (description)
{
 script_id(11664);
 script_version("1.39");
 script_cvs_date("Date: 2018/11/15 20:50:25");

 # One plugin covers two CVEs / Bugtraq IDs; the remediation references are
 # bulletin MS03-022 and KB 822343.
 script_cve_id("CVE-2003-0227", "CVE-2003-0349");
 script_bugtraq_id(7727, 8035);
 script_xref(name:"MSFT", value:"MS03-022");
 script_xref(name:"MSKB", value:"822343");

 script_name(english:"Microsoft Media Services ISAPI nsiislog.dll Multiple Overflows");
 script_summary(english:"Determines the presence of nsiislog.dll");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host.");
 script_set_attribute(attribute:"description", value:
"Some versions of IIS shipped with a default file, nsiislog.dll,
within the /scripts directory.  Nessus has determined that the
remote host has the file installed.

The NSIISLOG.dll CGI may allow an attacker to execute
arbitrary commands on this host, through a buffer overflow.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2003/ms03-022");
 script_set_attribute(attribute:"solution", value:"Microsoft has released a patch for Windows 2000.");
 # Plugin's own CVSS v2 rating: network vector, low complexity, no
 # authentication, Complete impact on confidentiality, integrity and
 # availability. Temporal vector: exploitability High, official fix
 # available, report confirmed.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 # Exploit-maturity attributes: public exploits exist, the issue is flagged as
 # used by malware, and two exploit frameworks are listed as covering it.
 # These feed prioritisation, not detection.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS03-022 Microsoft IIS ISAPI nsiislog.dll ISAPI POST Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');

 script_set_attribute(attribute:"vuln_publication_date", value:"2003/05/28");
 script_set_attribute(attribute:"plugin_publication_date", value:"2003/05/28");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 # ACT_DENIAL marks this as an intrusive check that may disrupt the target
 # service. NOTE(review): scans run with safe checks enabled are expected to
 # skip this category, so the plugin gives no result there - confirm against
 # the scan policy before treating a missing finding as "not vulnerable".
 script_category(ACT_DENIAL);
 script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
 script_family(english:"Web Servers");

 # Run after service discovery and HTTP fingerprinting, and only against
 # hosts with a web service (the "Services/www" entry or port 80).
 script_dependencie("find_service1.nasl", "http_version.nasl", "www_fingerprinting_hmap.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Detection logic, in three gates:
#   1. the HTTP banner must mention IIS,
#   2. a GET of /scripts/nsiislog.dll must return the "NetShow ISAPI Log Dll"
#      marker (the DLL is present and reachable),
#   3. an oversized POST to the DLL must produce a specific server error.
# A finding is reported only when all three hold. Step 3 is the intrusive
# part; the description block categorises the plugin as ACT_DENIAL.
port = get_http_port(default:80);

# exit_on_fail makes the plugin stop if no banner can be read. `>!<` is the
# NASL "does not contain" operator, so hosts that are not IIS are skipped.
b = get_http_banner(port: port, exit_on_fail: 1);
if ("IIS" >!< b ) exit(0);

# Presence check: status line, headers and body are joined into one string
# so the marker is found wherever the server puts it.
w  = http_send_recv3(method:"GET", item:"/scripts/nsiislog.dll", port:port, exit_on_fail: 1);
res = strcat(w[0], w[1], '\r\n', w[2]);
if("NetShow ISAPI Log Dll" >< res)
{
  # Log field names sent as ordinary form parameters, each with the benign
  # value "Nessus".
  all = make_list("date", "time", "c-dns", "cs-uri-stem", "c-starttime",
  		  "x-duration", "c-rate", "c-status", "c-playerid",
		  "c-playerversion", "c-player-language", "cs(User-Agent)",
		  "cs(Referer)", "c-hostexe");

  poison = NULL;

  foreach litem (all)
  {
   poison += litem + "=Nessus&";
  }

  # The last field, c-ip, carries 65535 bytes of filler: this is the large
  # POST request the advisory describes.
  poison += "c-ip=" + crap(65535);

  w = http_send_recv3(method:"POST", port: port,
    item: "/scripts/nsiislog.dll",
    content_type: "application/x-www-form-urlencoded",
    add_headers: make_array("User-Agent", "NSPlayer/2.0"),
    exit_on_fail: 1, data: poison);
  r = strcat(w[0], w[1], '\r\n', w[2]);

 # 2nd match fails on localized Windows
 # Both strings must be present for a finding. The second is an English
 # error message, so a non-English Windows install yields no finding even if
 # unpatched. Treat a clean result as inconclusive there and confirm the
 # MS03-022 / KB 822343 patch state on the host instead.
 # NOTE(review): a response that fails in any other way (reset, timeout,
 # different 500 text) is also not reported - confirm whether that is
 # acceptable for your coverage.
 if("HTTP/1.1 500 Server Error" >< r && "The remote procedure call failed. " >< r ) security_hole(port);
}

Oval

accepted: 2004-06-30T12:00:00.000-04:00
class: vulnerability
contributors:
  name: Christine Walzer
  organization: The MITRE Corporation
description: Buffer overflow in the streaming media component for logging multicast requests in the ISAPI for the logging capability of Microsoft Windows Media Services (nsiislog.dll), as installed in IIS 5.0, allows remote attackers to execute arbitrary code via a large POST request to nsiislog.dll.
family: windows
id: oval:org.mitre.oval:def:938
status: accepted
submitted: 2004-05-18T12:00:00.000-04:00
title: IIS5.0 Windows Media Services Large POST Vulnerability
version: 64

Packetstorm