ID CVE-2003-0533
Summary Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.
References
Vulnerable Configurations
  • Microsoft NetMeeting
    cpe:2.3:a:microsoft:netmeeting
  • Microsoft windows 2000_sp2
    cpe:2.3:o:microsoft:windows_2000:-:sp2
  • cpe:2.3:o:microsoft:windows_2000:-:sp4:-:fr
    cpe:2.3:o:microsoft:windows_2000:-:sp4:-:fr
  • cpe:2.3:o:microsoft:windows_2003_server:r2
    cpe:2.3:o:microsoft:windows_2003_server:r2
  • Microsoft windows 98_gold
    cpe:2.3:o:microsoft:windows_98:-:gold
  • Microsoft Windows ME
    cpe:2.3:o:microsoft:windows_me
  • Microsoft Windows 4.0 sp6a
    cpe:2.3:o:microsoft:windows_nt:4.0:sp6a
  • Microsoft windows xp_sp1 tablet_pc
    cpe:2.3:o:microsoft:windows_xp:-:sp1:tablet_pc
CVSS
Base: 7.5 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
  Vector NETWORK
  Complexity LOW
  Authentication NONE
Impact
  Confidentiality PARTIAL
  Integrity PARTIAL
  Availability PARTIAL
exploit-db via4
  • description MS Windows XP/2K Lsasrv.dll Remote Universal Exploit (MS04-011). CVE-2003-0533. Remote exploit for windows platform
    id EDB-ID:295
    last seen 2016-01-31
    modified 2004-04-29
    published 2004-04-29
    reporter houseofdabus
    source https://www.exploit-db.com/download/295/
    title Microsoft Windows 2000/XP - Lsasrv.dll Remote Universal Exploit MS04-011
  • description MS Windows Lsasrv.dll RPC Remote Buffer Overflow Exploit (MS04-011). CVE-2003-0533. Remote exploit for windows platform
    id EDB-ID:293
    last seen 2016-01-31
    modified 2004-04-24
    published 2004-04-24
    reporter sbaa
    source https://www.exploit-db.com/download/293/
    title Microsoft Windows - Lsasrv.dll RPC Remote Buffer Overflow Exploit MS04-011
  • description Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow. CVE-2003-0533. Remote exploit for windows platform
    id EDB-ID:16368
    last seen 2016-02-01
    modified 2010-07-03
    published 2010-07-03
    reporter metasploit
    source https://www.exploit-db.com/download/16368/
    title Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow
metasploit via4
description This module exploits a stack buffer overflow in the LSASS service. This vulnerability was originally found by eEye. When re-exploiting a Windows XP system, you will need to run this module twice. DCERPC request fragmentation can be performed by setting the 'FragSize' parameter.
id MSF:EXPLOIT/WINDOWS/SMB/MS04_011_LSASS
last seen 2019-03-22
modified 2017-07-24
published 2006-06-19
reliability Good
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms04_011_lsass.rb
title MS04-011 Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow
nessus via4
  • NASL family Windows
    NASL id SMB_KB835732.NASL
    description The remote version of Windows contains a flaw in the function 'DsRolerUpgradeDownlevelServer' of the Local Security Authority Server Service (LSASS) that allows an attacker to execute arbitrary code on the remote host with SYSTEM privileges. A series of worms (Sasser) are known to exploit this vulnerability in the wild.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 12209
    published 2004-04-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12209
    title MS04-011: Security Update for Microsoft Windows (835732) (uncredentialed check)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS04-011.NASL
    description The remote host is missing a critical Microsoft Windows Security Update (835732). This update fixes various flaws that could allow an attacker to execute arbitrary code on the remote host. A series of worms (Sasser) are known to exploit this vulnerability in the wild.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 12205
    published 2004-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12205
    title MS04-011: Microsoft Hotfix (credentialed check) (835732)
oval via4
  • accepted 2004-05-25T12:00:00.000-04:00
    class vulnerability
    contributors
    • name Tiffany Bergeron
      organization The MITRE Corporation
    description Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.
    family windows
    id oval:org.mitre.oval:def:883
    status accepted
    submitted 2004-04-13T12:00:00.000-04:00
    title Windows 2000 LSASS Buffer Overflow (Sasser Worm Vulnerability)
    version 63
  • accepted 2015-08-10T04:01:11.631-04:00
    class vulnerability
    contributors
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Christine Walzer
      organization The MITRE Corporation
    • name Shane Shaffer
      organization G2, Inc.
    • name Sudhir Gandhe
      organization Telos
    • name Shane Shaffer
      organization G2, Inc.
    • name Maria Mikhno
      organization ALTX-SOFT
    definition_extensions
    • comment Microsoft Windows XP (32-bit) is installed
      oval oval:org.mitre.oval:def:1353
    • comment Microsoft Windows XP SP1 (32-bit) is installed
      oval oval:org.mitre.oval:def:1
    description Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.
    family windows
    id oval:org.mitre.oval:def:898
    status accepted
    submitted 2004-04-13T12:00:00.000-04:00
    title Windows XP LSASS Buffer Overflow (Sasser Worm Vulnerability)
    version 74
  • accepted 2015-08-10T04:01:12.047-04:00
    class vulnerability
    contributors
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Maria Mikhno
      organization ALTX-SOFT
    definition_extensions
    • comment Microsoft Windows Server 2003 is installed
      oval oval:org.mitre.oval:def:128
    description Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.
    family windows
    id oval:org.mitre.oval:def:919
    status accepted
    submitted 2004-04-13T12:00:00.000-04:00
    title Windows Server 2003 LSASS Buffer Overflow (Sasser Worm Vulnerability)
    version 68
packetstorm via4
data source https://packetstormsecurity.com/files/download/83189/ms04_011_lsass.rb.txt
id PACKETSTORM:83189
last seen 2016-12-05
published 2009-11-26
reporter H D Moore
source https://packetstormsecurity.com/files/83189/Microsoft-LSASS-Service-DsRolerUpgradeDownlevelServer-Overflow.html
title Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow
refmap via4
bid 10108
bugtraq 20040429 MS04011 Lsasrv.dll RPC buffer overflow remote exploit (PoC)
cert TA04-104A
cert-vn VU#753212
ciac O-114
eeye AD20040413C
fulldisc 20040413 EEYE: Windows Local Security Authority Service Remote Buffer Overflow
ms MS04-011
xf win-lsass-bo(15699)
saint via4
bid 10108
description Windows LSASS buffer overflow
id win_patch_ms04011
osvdb 5248
title windows_lsass
type remote
Last major update 17-10-2016 - 22:35
Published 01-06-2004 - 00:00
Last modified 12-10-2018 - 17:32