Vulnerabilities > CVE-2003-0818 - Unspecified vulnerability in Microsoft products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 38 |
Exploit-Db
description MS Windows ASN.1 LSASS.EXE Remote Exploit (MS04-007). CVE-2003-0818. Dos exploit for windows platform id EDB-ID:153 last seen 2016-01-31 modified 2004-02-14 published 2004-02-14 reporter Christophe Devine source https://www.exploit-db.com/download/153/ title Microsoft Windows - ASN.1 LSASS.EXE Remote Exploit MS04-007 description MS Windows ASN.1 Remote Exploit (MS04-007). CVE-2003-0818. Remote exploit for windows platform id EDB-ID:3022 last seen 2016-01-31 modified 2004-03-26 published 2004-03-26 reporter Solar Eclipse source https://www.exploit-db.com/download/3022/ title Microsoft Windows - ASN.1 - Remote Exploit MS04-007 description Microsoft ASN.1 Library Bitstring Heap Overflow. CVE-2003-0818. Remote exploit for windows platform id EDB-ID:16377 last seen 2016-02-01 modified 2010-07-25 published 2010-07-25 reporter metasploit source https://www.exploit-db.com/download/16377/ title Microsoft ASN.1 Library Bitstring Heap Overflow
Metasploit
| description | This is an exploit for a previously undisclosed vulnerability in the bit string decoding code in the Microsoft ASN.1 library. This vulnerability is not related to the bit string vulnerability described in eEye advisory AD20040210-2. Both vulnerabilities were fixed in the MS04-007 patch. Windows 2000 SP4 Rollup 1 also patches this vulnerability. You are only allowed one attempt with this vulnerability. If the payload fails to execute, the LSASS system service will crash and the target system will automatically reboot itself in 60 seconds. If the payload succeeds, the system will no longer be able to process authentication requests, denying all attempts to login through SMB or at the console. A reboot is required to restore proper functioning of an exploited system. This exploit has been successfully tested with the win32/*/reverse_tcp payloads, however a few problems were encountered when using the equivalent bind payloads. Your mileage may vary. |
| id | MSF:EXPLOIT/WINDOWS/SMB/MS04_007_KILLBILL |
| last seen | 2020-06-01 |
| modified | 2019-12-04 |
| published | 2007-02-18 |
| references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0818 |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms04_007_killbill.rb |
| title | MS04-007 Microsoft ASN.1 Library Bitstring Heap Overflow |
Nessus
NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS04-007.NASL description The remote Windows host has a ASN.1 library that is vulnerable to a flaw that could allow an attacker to execute arbitrary code on this host. To exploit this flaw, an attacker would need to send a specially crafted ASN.1 encoded packet (either an IPsec session negotiation, or an HTTPS request) with improperly advertised lengths. A public code is available to exploit this flaw. last seen 2020-06-01 modified 2020-06-02 plugin id 12052 published 2004-02-10 reporter This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/12052 title MS04-007: ASN.1 parsing vulnerability (828028) NASL family Windows NASL id WINDOWS_ASN1_VULN_NTLM.NASL description The remote Windows host has an ASN.1 library that could allow an attacker to execute arbitrary code on this host. To exploit this flaw, an attacker would need to send a specially crafted ASN.1 encoded packet with improperly advertised lengths. This particular check sent a malformed NTLM packet and determined that the remote host is not patched. last seen 2020-06-01 modified 2020-06-02 plugin id 12054 published 2004-02-13 reporter This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/12054 title MS04-007: ASN.1 Vulnerability Could Allow Code Execution (828028) (uncredentialed check) (NTLM) NASL family SMTP problems NASL id MAIL_ASN1_DECODING.NASL description The remote Windows host has an ASN.1 library with multiple integer overflow vulnerabilities. These issues could lead to a heap-based buffer overflow. A remote attacker could exploit these issues to execute arbitrary code. This particular check sent a malformed SMTP authorization packet and determined that the remote host is not patched. last seen 2020-06-01 modified 2020-06-02 plugin id 12065 published 2004-02-18 reporter This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/12065 title ASN.1 Multiple Integer Overflows (SMTP check) NASL family Windows NASL id HTTP_ASN1_DECODING.NASL description The remote Windows host has an ASN.1 library with a vulnerability that could allow an attacker to execute arbitrary code on this host. To exploit this flaw, an attacker would need to send a specially crafted ASN.1 encoded packet with improperly advertised lengths. This particular check sent a malformed HTML authorization packet and determined that the remote host is not patched. last seen 2020-06-01 modified 2020-06-02 plugin id 12055 published 2004-02-15 reporter This script is Copyright (C) 2004-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/12055 title MS04-007: ASN.1 Vulnerability Could Allow Code Execution (828028) (uncredentialed check) (HTTP)
Oval
accepted 2004-03-25T12:00:00.000-04:00 class vulnerability contributors name Andrew Buttner organization The MITRE Corporation description Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. family windows id oval:org.mitre.oval:def:653 status accepted submitted 2004-02-12T12:00:00.000-04:00 title Windows 2000 ASN.1 Library Integer Overflow Vulnerabilities version 64 accepted 2008-03-24T04:00:51.235-04:00 class vulnerability contributors name Andrew Buttner organization The MITRE Corporation name Jonathan Baker organization The MITRE Corporation
definition_extensions comment Microsoft Windows NT is installed oval oval:org.mitre.oval:def:36 description Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. family windows id oval:org.mitre.oval:def:796 status accepted submitted 2004-02-12T12:00:00.000-04:00 title Windows NT ASN.1 Library Integer Overflow Vulnerabilities version 71 accepted 2011-05-16T04:03:31.228-04:00 class vulnerability contributors name Andrew Buttner organization The MITRE Corporation name Christine Walzer organization The MITRE Corporation name Shane Shaffer organization G2, Inc. name Sudhir Gandhe organization Telos name Shane Shaffer organization G2, Inc.
description Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. family windows id oval:org.mitre.oval:def:797 status accepted submitted 2004-02-12T12:00:00.000-04:00 title Windows XP ASN.1 Library Integer Overflow Vulnerabilities version 71 accepted 2004-03-25T12:00:00.000-04:00 class vulnerability contributors name Andrew Buttner organization The MITRE Corporation description Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. family windows id oval:org.mitre.oval:def:799 status accepted submitted 2004-02-12T12:00:00.000-04:00 title Windows Server 2003 ASN.1 Library Integer Overflow Vulnerabilities version 64
Packetstorm
| data source | https://packetstormsecurity.com/files/download/83044/ms04_007_killbill.rb.txt |
| id | PACKETSTORM:83044 |
| last seen | 2016-12-05 |
| published | 2009-11-26 |
| reporter | Solar Eclipse |
| source | https://packetstormsecurity.com/files/83044/Microsoft-ASN.1-Library-Bitstring-Heap-Overflow.html |
| title | Microsoft ASN.1 Library Bitstring Heap Overflow |
References
- http://marc.info/?l=bugtraq&m=107643836125615&w=2
- http://marc.info/?l=bugtraq&m=107643892224825&w=2
- http://marc.info/?l=ntbugtraq&m=107650972617367&w=2
- http://marc.info/?l=ntbugtraq&m=107650972723080&w=2
- http://www.kb.cert.org/vuls/id/216324
- http://www.kb.cert.org/vuls/id/583108
- http://www.us-cert.gov/cas/techalerts/TA04-041A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-007
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A653
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A796
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A797
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A799