CVE-2003-0533 - Buffer Overrun vulnerability in Microsoft Windows LSASS

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Tags: network, low complexity, microsoft, nessus, exploit available, metasploit

Summary

Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.

Exploit-Db

  • description: Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow. CVE-2003-0533. Remote exploit for windows platform
    id: EDB-ID:16368
    last seen: 2016-02-01
    modified: 2010-07-03
    published: 2010-07-03
    reporter: metasploit
    source: https://www.exploit-db.com/download/16368/
    title: Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow
  • description: MS Windows XP/2K Lsasrv.dll Remote Universal Exploit (MS04-011). CVE-2003-0533. Remote exploit for windows platform
    id: EDB-ID:295
    last seen: 2016-01-31
    modified: 2004-04-29
    published: 2004-04-29
    reporter: houseofdabus
    source: https://www.exploit-db.com/download/295/
    title: Microsoft Windows 2000/XP - Lsasrv.dll Remote Universal Exploit MS04-011
  • description: MS Windows Lsasrv.dll RPC Remote Buffer Overflow Exploit (MS04-011). CVE-2003-0533. Remote exploit for windows platform
    id: EDB-ID:293
    last seen: 2016-01-31
    modified: 2004-04-24
    published: 2004-04-24
    reporter: sbaa
    source: https://www.exploit-db.com/download/293/
    title: Microsoft Windows - Lsasrv.dll RPC Remote Buffer Overflow Exploit MS04-011

Metasploit

description: This module exploits a stack buffer overflow in the LSASS service, this vulnerability was originally found by eEye. When re-exploiting a Windows XP system, you will need to run this module twice. DCERPC request fragmentation can be performed by setting 'FragSize' parameter.
id: MSF:EXPLOIT/WINDOWS/SMB/MS04_011_LSASS
last seen: 2020-03-11
modified: 2017-07-24
published: 2006-06-19
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0533
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms04_011_lsass.rb
title: MS04-011 Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow

Nessus

  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS04-011.NASL
    description: The remote host is missing a critical Microsoft Windows Security Update (835732). This update fixes various flaws that could allow an attacker to execute arbitrary code on the remote host. A series of worms (Sasser) are known to exploit this vulnerability in the wild.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12205
    published: 2004-04-13
    reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/12205
    title: MS04-011: Microsoft Hotfix (credentialed check) (835732)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(12205);
     script_version("1.52");
     script_cvs_date("Date: 2018/11/15 20:50:29");
    
     script_cve_id(
      "CVE-2003-0533", "CVE-2003-0663", "CVE-2003-0719", "CVE-2003-0806",
      "CVE-2003-0906", "CVE-2003-0907", "CVE-2003-0908", "CVE-2003-0909",
      "CVE-2003-0910", "CVE-2004-0117", "CVE-2004-0118", "CVE-2004-0119",
      "CVE-2004-0121"
     );
     script_bugtraq_id(10111, 10113, 10117, 10119, 10122, 10124, 10125);
     script_xref(name:"CERT", value:"305206");
     script_xref(name:"CERT", value:"753212");
     script_xref(name:"CERT", value:"639428");
     script_xref(name:"CERT", value:"471260");
     script_xref(name:"CERT", value:"547028");
     script_xref(name:"CERT", value:"260588");
     script_xref(name:"CERT", value:"526084");
     script_xref(name:"CERT", value:"206468");
     script_xref(name:"CERT", value:"353956");
     script_xref(name:"CERT", value:"122076");
     script_xref(name:"CERT", value:"783748");
     script_xref(name:"CERT", value:"638548");
     script_xref(name:"MSFT", value:"MS04-011");
     script_xref(name:"MSKB", value:"835732");
    
     script_name(english:"MS04-011: Microsoft Hotfix (credentialed check) (835732)");
     script_summary(english:"Checks for ms04-011");
    
     script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
     script_set_attribute(attribute:"description", value:
    "The remote host is missing a critical Microsoft Windows Security Update
    (835732).
    
    This update fixes various flaws that could allow an attacker to execute
    arbitrary code on the remote host.
    
    A series of worms (Sasser) are known to exploit this vulnerability in
    the wild.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-011");
     script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows NT, 2000, XP and
    2003.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploit_framework_core", value:"true");
     script_set_attribute(attribute:"exploited_by_malware", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'MS04-011 Microsoft Private Communications Transport Overflow');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
     script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
     script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2004/03/09");
     script_set_attribute(attribute:"patch_publication_date", value:"2004/04/13");
     script_set_attribute(attribute:"plugin_publication_date", value:"2004/04/13");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");
    
     script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     script_require_ports(139, 445, 'Host/patch_management_checks');
     exit(0);
    }
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS04-011';
    kb = '835732';
    
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(nt:'6', win2k:'2,4', xp:'0,1', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      hotfix_is_vulnerable(os:"5.2", sp:0, file:"Lsasrv.dll", version:"5.2.3790.134", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:1, file:"Lsasrv.dll", version:"5.1.2600.1361", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:0, file:"Lsasrv.dll", version:"5.1.2600.134", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.0", file:"Lsasrv.dll", version:"5.0.2195.6902", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"4.0", file:"Winsrv.dll", version:"4.0.1381.7260", dir:"\system32", bulletin:bulletin, kb:kb)
    )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL family: Windows
    NASL id: SMB_KB835732.NASL
    description: The remote version of Windows contains a flaw in the function 'DsRolerUpgradeDownlevelServer' of the Local Security Authority Server Service (LSASS) that allows an attacker to execute arbitrary code on the remote host with SYSTEM privileges. A series of worms (Sasser) are known to exploit this vulnerability in the wild.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12209
    published: 2004-04-15
    reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/12209
    title: MS04-011: Security Update for Microsoft Windows (835732) (uncredentialed check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(12209);
      script_version("1.56");
      script_cvs_date("Date: 2018/11/15 20:50:28");
    
      script_cve_id("CVE-2003-0533");
      script_bugtraq_id(10108);
      script_xref(name:"MSFT", value:"MS04-011");
      script_xref(name:"MSKB", value:"835732");
    
      script_name(english:"MS04-011: Security Update for Microsoft Windows (835732) (uncredentialed check)");
      script_summary(english:"Checks for Microsoft Hotfix KB835732 by talking to the remote SMB service.");
    
      script_set_attribute(attribute:"synopsis", value:
    "Arbitrary code can be executed on the remote host due to a flaw in the
    LSASS service.");
      script_set_attribute(attribute:"description", value:
    "The remote version of Windows contains a flaw in the function
    'DsRolerUpgradeDownlevelServer' of the Local Security Authority Server
    Service (LSASS) that allows an attacker to execute arbitrary code on
    the remote host with SYSTEM privileges.
    
    A series of worms (Sasser) are known to exploit this vulnerability in
    the wild.");
      script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-011");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows NT, 2000, XP and
    2003.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'MS04-011 Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/04/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2004/08/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/04/15");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
      script_family(english:"Windows");
    
      # Added OS fingerprinting due to FP against some non-Windows targets
      script_dependencies("smb_nativelanman.nasl", "smb_reg_service_pack.nasl", "samba_detect.nasl", "os_fingerprint.nasl");
      script_exclude_keys("SMB/not_windows");
      script_require_ports(139, 445);
    
      exit(0);
    }
    
    include("misc_func.inc");
    include("audit.inc");
    include("smb_func.inc");
    
    # Check OS due to FP against some non-Windows targets:
    #  - Solaris SMB/CIFS service
    #  - Linux-based HP Backup Storeonce 2700
    #
    # Nessus should be able to identify OS for targets with SMB server
    # running, as information in an SMB SessionSetupAndX response is used
    # as one source for OS identification.
    #
    # Make sure OS is detected. If OS is not detected, SMB is unlikely
    # to be running, so skipping the check.
    os = get_kb_item_or_exit("Host/OS");
    
    # Skip non-Windows targets
    if ("windows" >!< tolower(os)) audit(AUDIT_OS_NOT, "Windows");
    
    function gssapi()
    {
     return raw_string(0x60, 0x58,0x06,0xFF,0x06,0xFF,0x06,0x0F,0x05,0x0F,0x02,0xFF,0x06,0xFF,0xFF,0xFF,0xFF, 0x06,0x00,0x06,0x00,0x2A,0x00,0x00,0x00,0x0A,0x00,0x0A,0x00,0x20,0x00,0x00,0x00, 0x42,0x4C,0x49,0x4E,0x47,0x42,0x4C,0x49,0x4E,0x47,0x4D,0x53,0x48,0x4F,0x4D,0x45, 0x2A,0xFF,0x7F,0x74,0x6F,0xFF,0x0A,0x0B,0x9E,0xFF,0xE6,0x56,0x73,0x37,0x57,0x37, 0x0A,0x0B,0x0C);
    }
    
    name = kb_smb_name();
    domain = kb_smb_domain();
    
    port = int(get_kb_item("SMB/transport"));
    
    if ( ! port )
    {
     port = 445;
     soc  = 0;
     if ( get_port_state(port) )
     {
      soc = open_sock_tcp(port);
     }
     if ( ! soc )
     {
      port = 139;
      if ( ! get_port_state(port) ) audit(AUDIT_PORT_CLOSED, port);
     }
    }
    
    if ( ! soc ) soc = open_sock_tcp(port);
    if ( ! soc ) audit(AUDIT_SOCK_FAIL, port);
    
    session_init (socket:soc, hostname:name);
    
    if ( port == 139 )
    {
     if (netbios_session_request () != TRUE)
       exit (0);
    }
    
    ret = smb_negotiate_protocol ();
    if (!ret)
      exit (0);
    
    # Some checks in the header first; bail out if the header could not be parsed
    header = get_smb_header (smbblob:ret);
    if (!header)
      exit (0);
    
    if (smb_check_success (data:ret) == FALSE)
      exit (0);
    
    code = get_header_command_code (header:header);
    if (code != SMB_COM_NEGOTIATE)
      exit (0);
    
    # We now parse/take information in SMB parameters
    parameters = get_smb_parameters (smbblob:ret);
    if (!parameters)
      exit (0);
    
    DialectIndex = get_word (blob:parameters, pos:0);
    
    if (DialectIndex > (supported_protocol-1))
      exit (0);
    
    if (protocol[DialectIndex] != "NT LM 0.12")
      exit (0);
    
    SessionKey = get_dword (blob:parameters, pos:15);
    Capabilities = get_dword (blob:parameters, pos:19);
    
    if (Capabilities & CAP_UNICODE)
      session_set_unicode (unicode:1);
    else
      session_set_unicode (unicode:0);
    
    if (Capabilities & CAP_EXTENDED_SECURITY)
      session_add_flags2 (flag:SMB_FLAGS2_EXTENDED_SECURITY);
    else
      exit (0);
    
    header = smb_header (Command: SMB_COM_SESSION_SETUP_ANDX,
                         Status: nt_status (Status: STATUS_SUCCESS));
    
    securityblob = gssapi();
    
    parameters = raw_byte (b:255) + # no further command
                 raw_byte (b:0) +
                 raw_word (w:0) +
                 raw_word (w:session_get_buffersize()) +
                 raw_word (w:1) +
                 raw_word (w:0) +
                 raw_dword (d:SessionKey) +
                 raw_word (w:strlen(securityblob)) +
                 raw_dword (d:0) +
                 raw_dword (d: CAP_UNICODE * session_is_unicode() | CAP_LARGE_FILES | CAP_NT_SMBS | CAP_STATUS32 | CAP_LEVEL_II_OPLOCKS | CAP_NT_FIND | CAP_EXTENDED_SECURITY);
    
    parameters = smb_parameters (data:parameters);
    
    # The Unicode strings that follow the security blob must start on a 2-byte
    # boundary. The SMB header (32 bytes) plus the SessionSetupAndX parameter
    # block (1 + 24 + 2 bytes) is an odd length, so a pad byte is needed exactly
    # when the blob length is even.
    if ((strlen (securityblob) % 2) == 0)
      securityblob += raw_string(0x00);
    
    data = securityblob +
           cstring (string:"Unix") +
           cstring (string:"Nessus") +
           cstring (string:domain);
    
    data = smb_data (data:data);
    
    packet = netbios_packet (header:header, parameters:parameters, data:data);
    
    ret = smb_sendrecv (data:packet);
    if (!ret)
      audit(AUDIT_HOST_NOT, "affected");
    
    # Some checks in the header first; an unparseable reply is treated as not affected
    header = get_smb_header (smbblob:ret);
    if (!header)
      audit(AUDIT_HOST_NOT, "affected");
    
    # STATUS_INVALID_PARAMETER -> patched
    # STATUS_MORE_PROCESSING_REQUIRED -> vulnerable
    
    code = get_header_nt_error_code(header:header);
    if ( code == STATUS_MORE_PROCESSING_REQUIRED) security_hole(port);
    else audit(AUDIT_HOST_NOT, "affected");
    

Oval

  • accepted: 2004-05-25T12:00:00.000-04:00
    class: vulnerability
    contributors:
    • name: Tiffany Bergeron
      organization: The MITRE Corporation
    description: Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.
    family: windows
    id: oval:org.mitre.oval:def:883
    status: accepted
    submitted: 2004-04-13T12:00:00.000-04:00
    title: Windows 2000 LSASS Buffer Overflow (Sasser Worm Vulnerability)
    version: 64
  • accepted: 2015-08-10T04:01:11.631-04:00
    class: vulnerability
    contributors:
    • name: Andrew Buttner
      organization: The MITRE Corporation
    • name: Christine Walzer
      organization: The MITRE Corporation
    • name: Shane Shaffer
      organization: G2, Inc.
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    • name: Maria Mikhno
      organization: ALTX-SOFT
    definition_extensions:
    • comment: Microsoft Windows XP (32-bit) is installed
      oval: oval:org.mitre.oval:def:1353
    • comment: Microsoft Windows XP SP1 (32-bit) is installed
      oval: oval:org.mitre.oval:def:1
    description: Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.
    family: windows
    id: oval:org.mitre.oval:def:898
    status: accepted
    submitted: 2004-04-13T12:00:00.000-04:00
    title: Windows XP LSASS Buffer Overflow (Sasser Worm Vulnerability)
    version: 77
  • accepted: 2015-08-10T04:01:12.047-04:00
    class: vulnerability
    contributors:
    • name: Andrew Buttner
      organization: The MITRE Corporation
    • name: Maria Mikhno
      organization: ALTX-SOFT
    definition_extensions:
    • comment: Microsoft Windows Server 2003 is installed
      oval: oval:org.mitre.oval:def:128
    description: Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.
    family: windows
    id: oval:org.mitre.oval:def:919
    status: accepted
    submitted: 2004-04-13T12:00:00.000-04:00
    title: Windows Server 2003 LSASS Buffer Overflow (Sasser Worm Vulnerability)
    version: 71

Packetstorm

data source: https://packetstormsecurity.com/files/download/83189/ms04_011_lsass.rb.txt
id: PACKETSTORM:83189
last seen: 2016-12-05
published: 2009-11-26
reporter: H D Moore
source: https://packetstormsecurity.com/files/83189/Microsoft-LSASS-Service-DsRolerUpgradeDownlevelServer-Overflow.html
title: Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow

Saint

bid: 10108
description: Windows LSASS buffer overflow
id: win_patch_ms04011
osvdb: 5248
title: windows_lsass
type: remote