Vulnerabilities > CVE-2003-0352 - Buffer Overrun vulnerability in Microsoft Windows DCOM RPC Interface
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 48 |
Exploit-Db
description Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability. CVE-2003-0352. Remote exploit for windows platform id EDB-ID:22917 last seen 2016-02-02 modified 2003-08-11 published 2003-08-11 reporter [email protected] source https://www.exploit-db.com/download/22917/ title Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability description MS Windows (RPC DCOM) Long Filename Overflow Exploit (MS03-026). CVE-2003-0352. Remote exploit for windows platform id EDB-ID:100 last seen 2016-01-31 modified 2003-09-16 published 2003-09-16 reporter ey4s source https://www.exploit-db.com/download/100/ title Microsoft Windows - RPC DCOM Long Filename Overflow Exploit MS03-026 description Microsoft RPC DCOM Interface Overflow. CVE-2003-0352. Remote exploit for windows platform id EDB-ID:16749 last seen 2016-02-02 modified 2011-01-11 published 2011-01-11 reporter metasploit source https://www.exploit-db.com/download/16749/ title Microsoft RPC DCOM Interface Overflow
Metasploit
| description | This module exploits a stack buffer overflow in the RPCSS service, this vulnerability was originally found by the Last Stage of Delirium research group and has been widely exploited ever since. This module can exploit the English versions of Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :) |
| id | MSF:EXPLOIT/WINDOWS/DCERPC/MS03_026_DCOM |
| last seen | 2020-05-23 |
| modified | 2019-08-15 |
| published | 2006-07-31 |
| references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0352 |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/dcerpc/ms03_026_dcom.rb |
| title | MS03-026 Microsoft RPC DCOM Interface Overflow |
Nessus
NASL family Windows NASL id MSRPC_DCOM.NASL description The remote version of Windows contains a flaw in the function RemoteActivation() in its RPC interface that could allow an attacker to execute arbitrary code on the remote host with the SYSTEM privileges. A series of worms (Blaster) are known to exploit this vulnerability in the wild. last seen 2020-06-01 modified 2020-06-02 plugin id 11808 published 2003-07-28 reporter This script is Copyright (C) 2003-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/11808 title MS03-026: Microsoft RPC Interface Buffer Overrun (823980) (uncredentialed check) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(11808); script_version("1.45"); script_cvs_date("Date: 2018/11/15 20:50:27"); script_cve_id("CVE-2003-0352"); script_bugtraq_id(8205); script_xref(name:"MSFT", value:"MS03-026"); script_xref(name:"MSKB", value:"823980"); script_name(english:"MS03-026: Microsoft RPC Interface Buffer Overrun (823980) (uncredentialed check)"); script_summary(english:"[LSD] Critical security vulnerability in Microsoft Operating Systems"); script_set_attribute(attribute:"synopsis", value: "Arbitrary code can be executed on the remote host."); script_set_attribute(attribute:"description", value: "The remote version of Windows contains a flaw in the function RemoteActivation() in its RPC interface that could allow an attacker to execute arbitrary code on the remote host with the SYSTEM privileges. A series of worms (Blaster) are known to exploit this vulnerability in the wild."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2003/ms03-026"); script_set_attribute(attribute:"solution", value:"Microsoft has released patches for Windows NT, 2000, XP, and 2003."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'MS03-026 Microsoft RPC DCOM Interface Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2003/07/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2003/07/28"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_ATTACK); script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc."); script_family(english:"Windows"); script_dependencies("smb_nativelanman.nasl", "msrpc_dcom2.nasl"); script_require_ports(139, 445); exit(0); } # include ('smb_func.inc'); if(get_kb_item("SMB/KB824146"))exit(0); if(!get_kb_item("SMB/KB824146_launched"))exit(0); function RemoteActivation () { local_var fid, data, rep, ret; fid = bind_pipe (pipe:"\epmapper", uuid:"4d9f4ab8-7d1c-11cf-861e-0020af6e7c57", vers:0); if (isnull (fid)) return 0; data = # DCOM information raw_word (w:5) + raw_word (w:6) + raw_dword (d:1) + raw_dword (d:0) + encode_uuid (uuid:"54454e41-424c-454e-4554-574f524b5345") + raw_dword (d:0) + # CLSID encode_uuid (uuid:"53454e5b-5553-5d53-5b4e-45535355535d") + # ObjectName class_parameter (ref_id:0x20004, name:"\\A"+raw_string(0)+"A\\AA") + # NULL pointer raw_dword (d:0) + # ClientImpLevel raw_dword (d:0) + # Modes raw_dword (d:0) + # interfaces (only 1) raw_dword (d:1) + raw_dword (d:0x20008) + raw_dword (d:1) + encode_uuid (uuid:"00000000-0000-0000-0000-000000000000") + # rest of data raw_dword (d:0) + raw_dword (d:0); data = dce_rpc_pipe_request (fid:fid, code:0x00, data:data); if (!data) return 0; rep = dce_rpc_parse_response (fid:fid, data:data); if (!rep || (strlen(rep) != 68)) return 0; ret = get_dword (blob:rep, pos:strlen(rep)-24); if ((ret == 0x80080004) || (ret == 0x80070005)) return 0; return 1; } os = get_kb_item ("Host/OS/smb") ; if (("Windows 5.1" >!< os) && ("Windows 5.0" >!< os) && ("Windows 5.2" >!< os) && ("Windows 4.0" >< os)) exit(0); port = get_kb_item("SMB/transport"); if(!port)port = 445; if ( ! get_port_state(port) ) exit(0); soc = open_sock_tcp(port); if ( ! soc ) exit(0); name = kb_smb_name(); session_init(socket:soc, hostname:name); r = NetUseAdd(share:"IPC$"); if ( r == 1 ) { ret = RemoteActivation(); if (ret == 1) security_hole(port:port); NetUseDel(); }NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS03-026.NASL description The remote host is running a version of Windows affected by several vulnerabilities in its RPC interface and RPCSS Service, that could allow an attacker to execute arbitrary code and gain SYSTEM privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 11790 published 2003-07-17 reporter This script is Copyright (C) 2003-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/11790 title MS03-026 / MS03-039: Buffer Overrun In RPCSS Service Could Allow Code Execution (823980 / 824146)
Oval
accepted 2008-03-24T04:00:20.434-04:00 class vulnerability contributors name Christine Walzer organization The MITRE Corporation name Christine Walzer organization The MITRE Corporation name Christine Walzer organization The MITRE Corporation name Jonathan Baker organization The MITRE Corporation
definition_extensions comment Microsoft Windows NT is installed oval oval:org.mitre.oval:def:36 description Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms. family windows id oval:org.mitre.oval:def:194 status accepted submitted 2004-11-02T12:00:00.000-04:00 title Windows NT RPCSS DCOM Buffer Overflow (Blaster, Test 2) version 73 accepted 2011-05-16T04:02:28.554-04:00 class vulnerability contributors name Christine Walzer organization The MITRE Corporation name Sudhir Gandhe organization Telos name Shane Shaffer organization G2, Inc.
description Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms. family windows id oval:org.mitre.oval:def:2343 status accepted submitted 2005-04-28T12:00:00.000-04:00 title Windows XP RPCSS DCOM Buffer Overflow (Blaster, Test 2) version 69 accepted 2011-05-16T04:02:40.510-04:00 class vulnerability contributors name Tiffany Bergeron organization The MITRE Corporation name Shane Shaffer organization G2, Inc. name Sudhir Gandhe organization Telos name Shane Shaffer organization G2, Inc.
description Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms. family windows id oval:org.mitre.oval:def:296 status accepted submitted 2003-12-03T12:00:00.000-04:00 title Windows 2000 RPCSS DCOM Buffer Overflow (Blaster, Test 2) version 70
Packetstorm
| data source | https://packetstormsecurity.com/files/download/83012/ms03_026_dcom.rb.txt |
| id | PACKETSTORM:83012 |
| last seen | 2016-12-05 |
| published | 2009-11-26 |
| reporter | H D Moore |
| source | https://packetstormsecurity.com/files/83012/Microsoft-RPC-DCOM-Interface-Overflow.html |
| title | Microsoft RPC DCOM Interface Overflow |
Saint
| bid | 8205 |
| description | Windows RPC DCOM interface buffer overflow |
| id | win_patch_rpc |
| osvdb | 2100 |
| title | windows_rpc_dcom |
| type | remote |
References
- http://lists.grok.org.uk/pipermail/full-disclosure/2003-July/007079.html
- http://lists.grok.org.uk/pipermail/full-disclosure/2003-July/007357.html
- http://marc.info/?l=bugtraq&m=105838687731618&w=2
- http://marc.info/?l=bugtraq&m=105914789527294&w=2
- http://www.cert.org/advisories/CA-2003-16.html
- http://www.cert.org/advisories/CA-2003-19.html
- http://www.kb.cert.org/vuls/id/568148
- http://www.securityfocus.com/bid/8205
- http://www.xfocus.org/documents/200307/2.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-026
- https://exchange.xforce.ibmcloud.com/vulnerabilities/12629
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A194
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2343
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A296