Vulnerabilities > CVE-2003-0605 - Unspecified vulnerability in Microsoft Windows 2000
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 5 |
Exploit-Db
description MS Windows (RPC2) Universal Exploit & DoS (RPC3) (MS03-039). CVE-2003-0605. Remote exploit for windows platform id EDB-ID:109 last seen 2016-01-31 modified 2003-10-09 published 2003-10-09 reporter N/A source https://www.exploit-db.com/download/109/ title Microsoft Windows - RPC2 Universal Exploit & DoS RPC3 MS03-039 description MS Windows 2000 RPC DCOM Interface DoS Exploit. CVE-2003-0605. Dos exploit for windows platform id EDB-ID:61 last seen 2016-01-31 modified 2003-07-21 published 2003-07-21 reporter Flashsky source https://www.exploit-db.com/download/61/ title Microsoft Windows 2000 - RPC DCOM Interface DoS Exploit description MS Windows RPC DCOM Remote Exploit (18 Targets). CVE-2003-0605. Remote exploit for windows platform id EDB-ID:69 last seen 2016-01-31 modified 2003-07-29 published 2003-07-29 reporter pHrail source https://www.exploit-db.com/download/69/ title Microsoft Windows RPC DCOM Remote Exploit 18 Targets description MS Windows XP/2000 RPC Remote (non exec memory) Exploit. CVE-2003-0605. Remote exploit for windows platform id EDB-ID:117 last seen 2016-01-31 modified 2003-11-07 published 2003-11-07 reporter ins1der source https://www.exploit-db.com/download/117/ title Microsoft Windows 2000/XP - RPC Remote non exec memory Exploit description MS Windows (RPC DCOM) Remote Exploit (w2k+XP Targets). CVE-2003-0605. Remote exploit for windows platform id EDB-ID:66 last seen 2016-01-31 modified 2003-07-26 published 2003-07-26 reporter H D Moore source https://www.exploit-db.com/download/66/ title Microsoft Windows 2000/XP - RPC DCOM Remote Exploit description MS Windows (RPC DCOM2) Remote Exploit (MS03-039). CVE-2003-0605. Remote exploit for windows platform id EDB-ID:103 last seen 2016-01-31 modified 2003-09-20 published 2003-09-20 reporter Flashsky source https://www.exploit-db.com/download/103/ title Microsoft Windows - RPC DCOM2 Remote Exploit MS03-039 description MS Windows (RPC DCOM) Remote Buffer Overflow Exploit. CVE-2003-0605. Remote exploit for windows platform id EDB-ID:64 last seen 2016-01-31 modified 2003-07-25 published 2003-07-25 reporter Flashsky source https://www.exploit-db.com/download/64/ title Microsoft Windows - RPC DCOM Remote Buffer Overflow Exploit description MS Windows (RPC DCOM) Remote Exploit (48 Targets). CVE-2003-0605. Remote exploit for windows platform id EDB-ID:70 last seen 2016-01-31 modified 2003-07-30 published 2003-07-30 reporter N/A source https://www.exploit-db.com/download/70/ title Microsoft Windows - RPC DCOM Remote Exploit 48 Targets description MS Windows (RPC DCOM) Remote Exploit (Universal Targets). CVE-2003-0605. Remote exploit for windows platform id EDB-ID:76 last seen 2016-01-31 modified 2003-08-07 published 2003-08-07 reporter oc192 source https://www.exploit-db.com/download/76/ title Microsoft Windows - RPC DCOM Remote Exploit Universal Targets description MS Windows (RPC DCOM) Scanner (MS03-039). CVE-2003-0605. Remote exploit for windows platform id EDB-ID:97 last seen 2016-01-31 modified 2003-09-12 published 2003-09-12 reporter Doke Scott source https://www.exploit-db.com/download/97/ title Microsoft Windows - RPC DCOM Scanner MS03-039
Nessus
NASL family Windows NASL id DCOM_RPC_DOS.NASL description It is possible to disable the remote RPC DOM interface by sending it a malformed request. The system will need to be rebooted to recover. A remote attacker could exploit this flaw to remotely disable RPC- related programs on this host. If a denial of service attack is successful, a local attacker could escalate privileges by hijacking the epmapper pipe. last seen 2020-06-01 modified 2020-06-02 plugin id 11798 published 2003-07-22 reporter This script is Copyright (C) 2003-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/11798 title MS03-039: Microsoft Windows RPC DCOM Interface epmapper Pipe Hijack Local Privilege Escalation (824146) (intrusive check) NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS03-026.NASL description The remote host is running a version of Windows affected by several vulnerabilities in its RPC interface and RPCSS Service, that could allow an attacker to execute arbitrary code and gain SYSTEM privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 11790 published 2003-07-17 reporter This script is Copyright (C) 2003-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/11790 title MS03-026 / MS03-039: Buffer Overrun In RPCSS Service Could Allow Code Execution (823980 / 824146) NASL family Windows NASL id MSRPC_DCOM2.NASL description The remote host is running a version of Windows that has a flaw in its RPC interface, which may allow an attacker to execute arbitrary code and gain SYSTEM privileges. An attacker or a worm could use it to gain the control of this host. Note that this is NOT the same bug as the one described in MS03-026, which fixes the flaw exploited by the last seen 2020-06-01 modified 2020-06-02 plugin id 11835 published 2003-09-10 reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/11835 title MS03-039: Microsoft RPC Interface Buffer Overrun (824146) (uncredentialed check)
Oval
accepted 2011-05-16T04:00:20.426-04:00 class vulnerability contributors name Christine Walzer organization The MITRE Corporation name Andrew Buttner organization The MITRE Corporation name Shane Shaffer organization G2, Inc. name Sudhir Gandhe organization Telos name Shane Shaffer organization G2, Inc.
description The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function. family windows id oval:org.mitre.oval:def:1118 status accepted submitted 2005-01-18T12:00:00.000-04:00 title MS Windows RPC DCOM DoS-based Privilege Escalation Vulnerability (Test 2) version 71 accepted 2011-05-16T04:03:07.115-04:00 class vulnerability contributors name Tiffany Bergeron organization The MITRE Corporation name Shane Shaffer organization G2, Inc. name Sudhir Gandhe organization Telos name Shane Shaffer organization G2, Inc.
description The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function. family windows id oval:org.mitre.oval:def:494 status accepted submitted 2003-12-03T12:00:00.000-04:00 title MS Windows RPC DCOM DoS-based Privilege Escalation Vulnerability version 70
Seebug
| bulletinFamily | exploit |
| description | <p><strong>漏洞描述:</strong></p><p>Remote Procedure Call (RPC)是Windows操作系统使用的一种远程过程调用协议,RPC提供进程间交互通信机制,允许在某台计算机上运行程序无缝的在远程系统上执行代码。协议本身源自OSF RPC协议,但增加了Microsoft特定的扩展。MS RPC在处理畸形消息时存在问题,远程攻击者可以利用这个漏洞进行拒绝服务攻击,在RPC服务崩溃后,可用来权限提升攻击。 攻击者发送畸形消息给DCOM __RemoteGetClassObject接口,RPC服务就会崩溃,所有依靠RPC服务的应用程序和服务就会变的不正常。 如果攻击者拥有合法帐户,在RPC服务崩溃后他还可以劫持管道和135端口进行权限提升攻击。</p><p><strong>漏洞影响:</strong></p><p>受影响的系统: </p><p> •Microsoft Windows NT Workstation 4.0 </p><p>•Microsoft Windows NT Server® 4.0 </p><p>•Microsoft Windows NT Server 4.0, Terminal Server Edition </p><p>•Microsoft Windows 2000 •Microsoft Windows XP </p><p>•Microsoft Windows Server 2003 </p><p>不受影响的系统: </p><p>•Microsoft Windows Millennium Edition </p><p><strong>CVE-ID: CVE-2003-0605 </strong></p><p><strong>CNNVD-ID:CNNVD-200308-204</strong></p><p><strong>CNVD-ID:CNVD-2003-2258 </strong></p><p><strong>解决方案:</strong></p><p>Microsoft -</p><p>-------- </p><p>Microsoft已经为此发布了一个安全公告(MS03-039)以及相应补丁:</p><p>MS03-039:Buffer Overrun In RPCSS Service Could Allow Code Execution(824146)链接:<a href="http://www.microsoft.com/technet/security/bulletin/MS03-039.asp">http://www.microsoft.com/technet/security/bulletin/MS03-039.asp</a></p><p>补丁下载:Windows NT Workstation 4.0: <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=7EABAD74-9CA9-48F4-8DB5-CF8C188879DA&displaylang=zh-cn">http://www.microsoft.com/downloads/details.aspx?FamilyId=7EABAD74-9CA9-48F4-8DB5-CF8C188879DA&displaylang=zh-cn</a> </p><p>Windows NT Server 4.0:<a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=71B6135C-F957-4702-B376-2DACCE773DC0&displaylang=zh-cn">http://www.microsoft.com/downloads/details.aspx?FamilyId=71B6135C-F957-4702-B376-2DACCE773DC0&displaylang=zh-cn</a> </p><p>Windows NT Server 4.0, Terminal Server Edition: <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=677229F8-FBBF-4FF4-A2E9-506D17BB883F">http://www.microsoft.com/downloads/details.aspx?FamilyId=677229F8-FBBF-4FF4-A2E9-506D17BB883F</a> </p><p>Windows 2000: <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=F4F66D56-E7CE-44C3-8B94-817EA8485DD1&displaylang=zh-cn">http://www.microsoft.com/downloads/details.aspx?FamilyId=F4F66D56-E7CE-44C3-8B94-817EA8485DD1&displaylang=zh-cn</a> </p><p>Windows XP: <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=5FA055AE-A1BA-4D4A-B424-95D32CFC8CBA&displaylang=zh-cn">http://www.microsoft.com/downloads/details.aspx?FamilyId=5FA055AE-A1BA-4D4A-B424-95D32CFC8CBA&displaylang=zh-cn</a> </p><p>Windows XP 64 bit Edition: <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=50E4FB51-4E15-4A34-9DC3-7053EC206D65">http://www.microsoft.com/downloads/details.aspx?FamilyId=50E4FB51-4E15-4A34-9DC3-7053EC206D65</a> </p><p>Windows XP 64 bit Edition Version 2003: <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=80AB25B3-E387-441F-9B6D-84106F66059B">http://www.microsoft.com/downloads/details.aspx?FamilyId=80AB25B3-E387-441F-9B6D-84106F66059B</a> </p><p>Windows Server 2003: <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=51184D09-4F7E-4F7B-87A4-C208E9BA4787&displaylang=zh-cn">http://www.microsoft.com/downloads/details.aspx?FamilyId=51184D09-4F7E-4F7B-87A4-C208E9BA4787&displaylang=zh-cn</a> </p><p>Windows Server 2003 64 bit Edition: <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=80AB25B3-E387-441F-9B6D-84106F66059B">http://www.microsoft.com/downloads/details.aspx?FamilyId=80AB25B3-E387-441F-9B6D-84106F66059B</a></p><p>对于Windows 2000用户,我们建议您安装完Windows 2000 SP4之后再安装上述补丁:<a href="http://www.microsoft.com/Windows2000/downloads/servicepacks/sp4/download.asp" rel="nofollow">http://www.microsoft.com/Windows2000/downloads/servicepacks/sp4/download.asp</a></p><p> </p><p>对于Windows NT 4.0用户,我们建议您安装完SP6a之后再安装上述补丁:<a href="http://www.microsoft.com/NTServer/nts/downloads/recommended/SP6/allsp6.asp" rel="nofollow">http://www.microsoft.com/NTServer/nts/downloads/recommended/SP6/allsp6.asp</a></p> |
| id | SSV:13808 |
| last seen | 2017-11-19 |
| modified | 2003-10-09 |
| published | 2003-10-09 |
| reporter | Root |
| source | https://www.seebug.org/vuldb/ssvid-13808 |
| title | MS Windows (RPC2) Universal Exploit & DoS (RPC3) (MS03-039) |
References
- http://lists.grok.org.uk/pipermail/full-disclosure/2003-July/006851.html
- http://marc.info/?l=bugtraq&m=105880332428706&w=2
- http://www.cert.org/advisories/CA-2003-19.html
- http://www.cert.org/advisories/CA-2003-23.html
- http://www.kb.cert.org/vuls/id/326746
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-039
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1118
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A494