ID CVE-2003-0352
Summary Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.
Vulnerable Configurations
  • cpe:2.3:o:microsoft:windows_2000:-:advanced_server
  • cpe:2.3:o:microsoft:windows_2000:-:datacenter_server
  • cpe:2.3:o:microsoft:windows_2000:-:professional
  • cpe:2.3:o:microsoft:windows_2000:-:server
  • Microsoft Windows 2000 Advanced Server SP1
    cpe:2.3:o:microsoft:windows_2000:-:sp1:advanced_server
  • Microsoft Windows 2000 Datacenter Server SP1
    cpe:2.3:o:microsoft:windows_2000:-:sp1:datacenter_server
  • Microsoft Windows 2000 Professional SP1
    cpe:2.3:o:microsoft:windows_2000:-:sp1:professional
  • Microsoft Windows 2000 Server SP1
    cpe:2.3:o:microsoft:windows_2000:-:sp1:server
  • Microsoft Windows 2000 Advanced Server SP2
    cpe:2.3:o:microsoft:windows_2000:-:sp2:advanced_server
  • Microsoft Windows 2000 Datacenter Server SP2
    cpe:2.3:o:microsoft:windows_2000:-:sp2:datacenter_server
  • Microsoft Windows 2000 Professional SP2
    cpe:2.3:o:microsoft:windows_2000:-:sp2:professional
  • Microsoft Windows 2000 Server SP2
    cpe:2.3:o:microsoft:windows_2000:-:sp2:server
  • Microsoft Windows 2000 Advanced Server SP3
    cpe:2.3:o:microsoft:windows_2000:-:sp3:advanced_server
  • Microsoft Windows 2000 Datacenter Server SP3
    cpe:2.3:o:microsoft:windows_2000:-:sp3:datacenter_server
  • Microsoft Windows 2000 Professional SP3
    cpe:2.3:o:microsoft:windows_2000:-:sp3:professional
  • Microsoft Windows 2000 Server SP3
    cpe:2.3:o:microsoft:windows_2000:-:sp3:server
  • Microsoft Windows 2000 Advanced Server SP4
    cpe:2.3:o:microsoft:windows_2000:-:sp4:advanced_server
  • Microsoft Windows 2000 Datacenter Server SP4
    cpe:2.3:o:microsoft:windows_2000:-:sp4:datacenter_server
  • Microsoft Windows 2000 Professional SP4
    cpe:2.3:o:microsoft:windows_2000:-:sp4:professional
  • Microsoft Windows 2000 Server SP4
    cpe:2.3:o:microsoft:windows_2000:-:sp4:server
  • cpe:2.3:o:microsoft:windows_2003_server:enterprise:-:64-bit
  • cpe:2.3:o:microsoft:windows_2003_server:enterprise_64-bit
  • cpe:2.3:o:microsoft:windows_2003_server:r2:-:64-bit
  • cpe:2.3:o:microsoft:windows_2003_server:r2:-:datacenter_64-bit
  • cpe:2.3:o:microsoft:windows_2003_server:standard:-:64-bit
  • cpe:2.3:o:microsoft:windows_2003_server:web
  • cpe:2.3:o:microsoft:windows_nt:4.0:-:enterprise_server
  • cpe:2.3:o:microsoft:windows_nt:4.0:-:server
  • cpe:2.3:o:microsoft:windows_nt:4.0:-:terminal_server
  • cpe:2.3:o:microsoft:windows_nt:4.0:-:workstation
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp1:enterprise_server
  • Microsoft Windows 4.0 sp1 server
    cpe:2.3:o:microsoft:windows_nt:4.0:sp1:server
  • Microsoft Windows NT Terminal Server 4.0 SP1
    cpe:2.3:o:microsoft:windows_nt:4.0:sp1:terminal_server
  • Microsoft Windows 4.0 sp1 workstation
    cpe:2.3:o:microsoft:windows_nt:4.0:sp1:workstation
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp2:enterprise_server
  • Microsoft Windows 4.0 sp2 server
    cpe:2.3:o:microsoft:windows_nt:4.0:sp2:server
  • Microsoft Windows NT Terminal Server 4.0 SP2
    cpe:2.3:o:microsoft:windows_nt:4.0:sp2:terminal_server
  • Microsoft Windows 4.0 sp2 workstation
    cpe:2.3:o:microsoft:windows_nt:4.0:sp2:workstation
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp3:enterprise_server
  • Microsoft Windows 4.0 sp3 server
    cpe:2.3:o:microsoft:windows_nt:4.0:sp3:server
  • Microsoft Windows NT Terminal Server 4.0 SP3
    cpe:2.3:o:microsoft:windows_nt:4.0:sp3:terminal_server
  • Microsoft Windows 4.0 sp3 workstation
    cpe:2.3:o:microsoft:windows_nt:4.0:sp3:workstation
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp4:enterprise_server
  • Microsoft Windows 4.0 sp4 server
    cpe:2.3:o:microsoft:windows_nt:4.0:sp4:server
  • Microsoft Windows NT Terminal Server 4.0 SP4
    cpe:2.3:o:microsoft:windows_nt:4.0:sp4:terminal_server
  • Microsoft Windows 4.0 sp4 workstation
    cpe:2.3:o:microsoft:windows_nt:4.0:sp4:workstation
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp5:enterprise_server
  • Microsoft Windows 4.0 sp5 server
    cpe:2.3:o:microsoft:windows_nt:4.0:sp5:server
  • Microsoft Windows NT Terminal Server 4.0 SP5
    cpe:2.3:o:microsoft:windows_nt:4.0:sp5:terminal_server
  • Microsoft Windows 4.0 sp5 workstation
    cpe:2.3:o:microsoft:windows_nt:4.0:sp5:workstation
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp6:enterprise_server
  • Microsoft Windows 4.0 sp6 server
    cpe:2.3:o:microsoft:windows_nt:4.0:sp6:server
  • Microsoft Windows NT Terminal Server 4.0 SP6
    cpe:2.3:o:microsoft:windows_nt:4.0:sp6:terminal_server
  • Microsoft Windows 4.0 sp6 workstation
    cpe:2.3:o:microsoft:windows_nt:4.0:sp6:workstation
  • cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:enterprise_server
  • Microsoft Windows 4.0 sp6a server
    cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:server
  • Microsoft Windows NT Terminal Server 4.0 SP6a
    cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:terminal_server
  • Microsoft Windows 4.0 sp6a workstation
    cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:workstation
  • cpe:2.3:o:microsoft:windows_xp:-:64-bit
  • cpe:2.3:o:microsoft:windows_xp:-:home
  • Microsoft Windows XP Professional Gold
    cpe:2.3:o:microsoft:windows_xp:-:gold:professional
  • cpe:2.3:o:microsoft:windows_xp:-:sp1:64-bit
  • Microsoft Windows XP Service Pack 1 Home Edition
    cpe:2.3:o:microsoft:windows_xp:-:sp1:home
CVSS
Base: 7.5 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
  • Vector NETWORK
  • Complexity LOW
  • Authentication NONE
Impact
  • Confidentiality PARTIAL
  • Integrity PARTIAL
  • Availability PARTIAL
exploit-db via4
  • description Microsoft RPC DCOM Interface Overflow. CVE-2003-0352. Remote exploit for windows platform
    id EDB-ID:16749
    last seen 2016-02-02
    modified 2011-01-11
    published 2011-01-11
    reporter metasploit
    source https://www.exploit-db.com/download/16749/
    title Microsoft RPC DCOM Interface Overflow
  • description Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability. CVE-2003-0352. Remote exploit for windows platform
    id EDB-ID:22917
    last seen 2016-02-02
    modified 2003-08-11
    published 2003-08-11
    reporter aT4r@3wdesign.es
    source https://www.exploit-db.com/download/22917/
    title Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability
  • description MS Windows (RPC DCOM) Long Filename Overflow Exploit (MS03-026). CVE-2003-0352. Remote exploit for windows platform
    id EDB-ID:100
    last seen 2016-01-31
    modified 2003-09-16
    published 2003-09-16
    reporter ey4s
    source https://www.exploit-db.com/download/100/
    title Microsoft Windows - RPC DCOM Long Filename Overflow Exploit MS03-026
metasploit via4
description This module exploits a stack buffer overflow in the RPCSS service, this vulnerability was originally found by the Last Stage of Delirium research group and has been widely exploited ever since. This module can exploit the English versions of Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :)
id MSF:EXPLOIT/WINDOWS/DCERPC/MS03_026_DCOM
last seen 2018-10-08
modified 2017-07-24
published 2006-06-08
reliability Great
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/dcerpc/ms03_026_dcom.rb
title MS03-026 Microsoft RPC DCOM Interface Overflow
nessus via4
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS03-026.NASL
    description The remote host is running a version of Windows affected by several vulnerabilities in its RPC interface and RPCSS Service, that could allow an attacker to execute arbitrary code and gain SYSTEM privileges.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 11790
    published 2003-07-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=11790
    title MS03-026 / MS03-039: Buffer Overrun In RPCSS Service Could Allow Code Execution (823980 / 824146)
  • NASL family Windows
    NASL id MSRPC_DCOM.NASL
    description The remote version of Windows contains a flaw in the function RemoteActivation() in its RPC interface that could allow an attacker to execute arbitrary code on the remote host with the SYSTEM privileges. A series of worms (Blaster) are known to exploit this vulnerability in the wild.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 11808
    published 2003-07-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=11808
    title MS03-026: Microsoft RPC Interface Buffer Overrun (823980) (uncredentialed check)
oval via4
  • accepted 2008-03-24T04:00:20.434-04:00
    class vulnerability
    contributors
    • name Christine Walzer
      organization The MITRE Corporation
    • name Jonathan Baker
      organization The MITRE Corporation
    definition_extensions
    comment Microsoft Windows NT is installed
    oval oval:org.mitre.oval:def:36
    description Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.
    family windows
    id oval:org.mitre.oval:def:194
    status accepted
    submitted 2004-11-02T12:00:00.000-04:00
    title Windows NT RPCSS DCOM Buffer Overflow (Blaster, Test 2)
    version 70
  • accepted 2011-05-16T04:02:28.554-04:00
    class vulnerability
    contributors
    • name Christine Walzer
      organization The MITRE Corporation
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    description Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.
    family windows
    id oval:org.mitre.oval:def:2343
    status accepted
    submitted 2005-04-28T12:00:00.000-04:00
    title Windows XP RPCSS DCOM Buffer Overflow (Blaster, Test 2)
    version 68
  • accepted 2011-05-16T04:02:40.510-04:00
    class vulnerability
    contributors
    • name Tiffany Bergeron
      organization The MITRE Corporation
    • name Shane Shaffer
      organization G2, Inc.
    • name Sudhir Gandhe
      organization Telos
    description Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms.
    family windows
    id oval:org.mitre.oval:def:296
    status accepted
    submitted 2003-12-03T12:00:00.000-04:00
    title Windows 2000 RPCSS DCOM Buffer Overflow (Blaster, Test 2)
    version 69
packetstorm via4
data source https://packetstormsecurity.com/files/download/83012/ms03_026_dcom.rb.txt
id PACKETSTORM:83012
last seen 2016-12-05
published 2009-11-26
reporter H D Moore
source https://packetstormsecurity.com/files/83012/Microsoft-RPC-DCOM-Interface-Overflow.html
title Microsoft RPC DCOM Interface Overflow
refmap via4
bid 8205
bugtraq
  • 20030716 [LSD] Critical security vulnerability in Microsoft Operating Systems
  • 20030725 The Analysis of LSD's Buffer Overrun in Windows RPC Interface(code revised )
cert
  • CA-2003-16
  • CA-2003-19
cert-vn VU#568148
fulldisc
  • 20030726 Re: The French BUGTRAQ (New Win RPC Exploit)
  • 20030730 rpcdcom Universal offsets
misc http://www.xfocus.org/documents/200307/2.html
ms MS03-026
xf win-rpc-dcom-bo(12629)
saint via4
bid 8205
description Windows RPC DCOM interface buffer overflow
id win_patch_rpc
osvdb 2100
title windows_rpc_dcom
type remote
Last major update 17-10-2016 - 22:32
Published 18-08-2003 - 00:00
Last modified 12-10-2018 - 17:32