ID CVE-2003-0818
Summary Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.
References
Vulnerable Configurations
  • cpe:2.3:o:microsoft:windows_2000:-:advanced_server
    cpe:2.3:o:microsoft:windows_2000:-:advanced_server
  • cpe:2.3:o:microsoft:windows_2000:-:professional
    cpe:2.3:o:microsoft:windows_2000:-:professional
  • cpe:2.3:o:microsoft:windows_2000:-:server
    cpe:2.3:o:microsoft:windows_2000:-:server
  • Microsoft Windows 2000 Advanced Server SP1
    cpe:2.3:o:microsoft:windows_2000:-:sp1:advanced_server
  • Microsoft Windows 2000 Professional SP1
    cpe:2.3:o:microsoft:windows_2000:-:sp1:professional
  • Microsoft Windows 2000 Server SP1
    cpe:2.3:o:microsoft:windows_2000:-:sp1:server
  • Microsoft Windows 2000 Advanced Server SP2
    cpe:2.3:o:microsoft:windows_2000:-:sp2:advanced_server
  • Microsoft Windows 2000 Professional SP2
    cpe:2.3:o:microsoft:windows_2000:-:sp2:professional
  • Microsoft Windows 2000 Server SP2
    cpe:2.3:o:microsoft:windows_2000:-:sp2:server
  • Microsoft Windows 2000 Advanced Server SP3
    cpe:2.3:o:microsoft:windows_2000:-:sp3:advanced_server
  • Microsoft Windows 2000 Professional SP3
    cpe:2.3:o:microsoft:windows_2000:-:sp3:professional
  • Microsoft Windows 2000 Server SP3
    cpe:2.3:o:microsoft:windows_2000:-:sp3:server
  • cpe:2.3:o:microsoft:windows_2003_server:enterprise:-:64-bit
    cpe:2.3:o:microsoft:windows_2003_server:enterprise:-:64-bit
  • cpe:2.3:o:microsoft:windows_2003_server:enterprise_64-bit
    cpe:2.3:o:microsoft:windows_2003_server:enterprise_64-bit
  • cpe:2.3:o:microsoft:windows_2003_server:r2:-:64-bit
    cpe:2.3:o:microsoft:windows_2003_server:r2:-:64-bit
  • cpe:2.3:o:microsoft:windows_2003_server:r2:-:datacenter_64-bit
    cpe:2.3:o:microsoft:windows_2003_server:r2:-:datacenter_64-bit
  • cpe:2.3:o:microsoft:windows_2003_server:standard:-:64-bit
    cpe:2.3:o:microsoft:windows_2003_server:standard:-:64-bit
  • cpe:2.3:o:microsoft:windows_2003_server:web
    cpe:2.3:o:microsoft:windows_2003_server:web
  • cpe:2.3:o:microsoft:windows_nt:4.0:-:server
    cpe:2.3:o:microsoft:windows_nt:4.0:-:server
  • cpe:2.3:o:microsoft:windows_nt:4.0:-:terminal_server
    cpe:2.3:o:microsoft:windows_nt:4.0:-:terminal_server
  • cpe:2.3:o:microsoft:windows_nt:4.0:-:workstation
    cpe:2.3:o:microsoft:windows_nt:4.0:-:workstation
  • Microsoft Windows 4.0 sp1 server
    cpe:2.3:o:microsoft:windows_nt:4.0:sp1:server
  • Microsoft Windows NT Terminal Server 4.0 SP1
    cpe:2.3:o:microsoft:windows_nt:4.0:sp1:terminal_server
  • Microsoft Windows 4.0 sp1 workstation
    cpe:2.3:o:microsoft:windows_nt:4.0:sp1:workstation
  • Microsoft Windows 4.0 sp2 server
    cpe:2.3:o:microsoft:windows_nt:4.0:sp2:server
  • Microsoft Windows NT Terminal Server 4.0 SP2
    cpe:2.3:o:microsoft:windows_nt:4.0:sp2:terminal_server
  • Microsoft Windows 4.0 sp2 workstation
    cpe:2.3:o:microsoft:windows_nt:4.0:sp2:workstation
  • Microsoft Windows 4.0 sp3 server
    cpe:2.3:o:microsoft:windows_nt:4.0:sp3:server
  • Microsoft Windows NT Terminal Server 4.0 SP3
    cpe:2.3:o:microsoft:windows_nt:4.0:sp3:terminal_server
  • Microsoft Windows 4.0 sp3 workstation
    cpe:2.3:o:microsoft:windows_nt:4.0:sp3:workstation
  • Microsoft Windows 4.0 sp4 server
    cpe:2.3:o:microsoft:windows_nt:4.0:sp4:server
  • Microsoft Windows NT Terminal Server 4.0 SP4
    cpe:2.3:o:microsoft:windows_nt:4.0:sp4:terminal_server
  • Microsoft Windows 4.0 sp4 workstation
    cpe:2.3:o:microsoft:windows_nt:4.0:sp4:workstation
  • Microsoft Windows 4.0 sp5 server
    cpe:2.3:o:microsoft:windows_nt:4.0:sp5:server
  • Microsoft Windows NT Terminal Server 4.0 SP5
    cpe:2.3:o:microsoft:windows_nt:4.0:sp5:terminal_server
  • Microsoft Windows 4.0 sp5 workstation
    cpe:2.3:o:microsoft:windows_nt:4.0:sp5:workstation
  • Microsoft Windows 4.0 sp6 server
    cpe:2.3:o:microsoft:windows_nt:4.0:sp6:server
  • Microsoft Windows NT Terminal Server 4.0 SP6
    cpe:2.3:o:microsoft:windows_nt:4.0:sp6:terminal_server
  • Microsoft Windows 4.0 sp6 workstation
    cpe:2.3:o:microsoft:windows_nt:4.0:sp6:workstation
  • Microsoft Windows 4.0 sp6a server
    cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:server
  • Microsoft Windows 4.0 sp6a workstation
    cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:workstation
  • cpe:2.3:o:microsoft:windows_xp:-:64-bit
    cpe:2.3:o:microsoft:windows_xp:-:64-bit
  • cpe:2.3:o:microsoft:windows_xp:-:home
    cpe:2.3:o:microsoft:windows_xp:-:home
  • Microsoft Windows XP Professional Gold
    cpe:2.3:o:microsoft:windows_xp:-:gold:professional
  • cpe:2.3:o:microsoft:windows_xp:-:sp1:64-bit
    cpe:2.3:o:microsoft:windows_xp:-:sp1:64-bit
  • Microsoft Windows XP Service Pack 1 Home Edition
    cpe:2.3:o:microsoft:windows_xp:-:sp1:home
CVSS
Base: 7.5 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
exploit-db via4
  • description MS Windows ASN.1 Remote Exploit (MS04-007). CVE-2003-0818. Remote exploit for windows platform
    id EDB-ID:3022
    last seen 2016-01-31
    modified 2004-03-26
    published 2004-03-26
    reporter Solar Eclipse
    source https://www.exploit-db.com/download/3022/
    title Microsoft Windows - ASN.1 - Remote Exploit MS04-007
  • description Microsoft ASN.1 Library Bitstring Heap Overflow. CVE-2003-0818. Remote exploit for windows platform
    id EDB-ID:16377
    last seen 2016-02-01
    modified 2010-07-25
    published 2010-07-25
    reporter metasploit
    source https://www.exploit-db.com/download/16377/
    title Microsoft ASN.1 Library Bitstring Heap Overflow
  • description MS Windows ASN.1 LSASS.EXE Remote Exploit (MS04-007). CVE-2003-0818. Dos exploit for windows platform
    id EDB-ID:153
    last seen 2016-01-31
    modified 2004-02-14
    published 2004-02-14
    reporter Christophe Devine
    source https://www.exploit-db.com/download/153/
    title Microsoft Windows - ASN.1 LSASS.EXE Remote Exploit MS04-007
metasploit via4
description This is an exploit for a previously undisclosed vulnerability in the bit string decoding code in the Microsoft ASN.1 library. This vulnerability is not related to the bit string vulnerability described in eEye advisory AD20040210-2. Both vulnerabilities were fixed in the MS04-007 patch. You are only allowed one attempt with this vulnerability. If the payload fails to execute, the LSASS system service will crash and the target system will automatically reboot itself in 60 seconds. If the payload succeeds, the system will no longer be able to process authentication requests, denying all attempts to login through SMB or at the console. A reboot is required to restore proper functioning of an exploited system. This exploit has been successfully tested with the win32/*/reverse_tcp payloads, however a few problems were encountered when using the equivalent bind payloads. Your mileage may vary.
id MSF:EXPLOIT/WINDOWS/SMB/MS04_007_KILLBILL
last seen 2019-03-16
modified 2017-09-17
published 2006-02-21
reliability Low
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms04_007_killbill.rb
title MS04-007 Microsoft ASN.1 Library Bitstring Heap Overflow
nessus via4
  • NASL family Windows
    NASL id HTTP_ASN1_DECODING.NASL
    description The remote Windows host has an ASN.1 library with a vulnerability that could allow an attacker to execute arbitrary code on this host. To exploit this flaw, an attacker would need to send a specially crafted ASN.1 encoded packet with improperly advertised lengths. This particular check sent a malformed HTML authorization packet and determined that the remote host is not patched.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 12055
    published 2004-02-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12055
    title MS04-007: ASN.1 Vulnerability Could Allow Code Execution (828028) (uncredentialed check) (HTTP)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS04-007.NASL
    description The remote Windows host has an ASN.1 library that is vulnerable to a flaw that could allow an attacker to execute arbitrary code on this host. To exploit this flaw, an attacker would need to send a specially crafted ASN.1 encoded packet (either an IPsec session negotiation, or an HTTPS request) with improperly advertised lengths. Public code is available to exploit this flaw.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 12052
    published 2004-02-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12052
    title MS04-007: ASN.1 parsing vulnerability (828028)
  • NASL family SMTP problems
    NASL id MAIL_ASN1_DECODING.NASL
    description The remote Windows host has an ASN.1 library with multiple integer overflow vulnerabilities. These issues could lead to a heap-based buffer overflow. A remote attacker could exploit these issues to execute arbitrary code. This particular check sent a malformed SMTP authorization packet and determined that the remote host is not patched.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 12065
    published 2004-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12065
    title ASN.1 Multiple Integer Overflows (SMTP check)
  • NASL family Windows
    NASL id WINDOWS_ASN1_VULN_NTLM.NASL
    description The remote Windows host has an ASN.1 library that could allow an attacker to execute arbitrary code on this host. To exploit this flaw, an attacker would need to send a specially crafted ASN.1 encoded packet with improperly advertised lengths. This particular check sent a malformed NTLM packet and determined that the remote host is not patched.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 12054
    published 2004-02-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12054
    title MS04-007: ASN.1 Vulnerability Could Allow Code Execution (828028) (uncredentialed check) (NTLM)
oval via4
  • accepted 2004-03-25T12:00:00.000-04:00
    class vulnerability
    contributors
    name Andrew Buttner
    organization The MITRE Corporation
    description Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.
    family windows
    id oval:org.mitre.oval:def:653
    status accepted
    submitted 2004-02-12T12:00:00.000-04:00
    title Windows 2000 ASN.1 Library Integer Overflow Vulnerabilities
    version 63
  • accepted 2008-03-24T04:00:51.235-04:00
    class vulnerability
    contributors
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Jonathan Baker
      organization The MITRE Corporation
    definition_extensions
    comment Microsoft Windows NT is installed
    oval oval:org.mitre.oval:def:36
    description Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.
    family windows
    id oval:org.mitre.oval:def:796
    status accepted
    submitted 2004-02-12T12:00:00.000-04:00
    title Windows NT ASN.1 Library Integer Overflow Vulnerabilities
    version 68
  • accepted 2011-05-16T04:03:31.228-04:00
    class vulnerability
    contributors
    • name Andrew Buttner
      organization The MITRE Corporation
    • name Christine Walzer
      organization The MITRE Corporation
    • name Shane Shaffer
      organization G2, Inc.
    • name Sudhir Gandhe
      organization Telos
    description Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.
    family windows
    id oval:org.mitre.oval:def:797
    status accepted
    submitted 2004-02-12T12:00:00.000-04:00
    title Windows XP ASN.1 Library Integer Overflow Vulnerabilities
    version 70
  • accepted 2004-03-25T12:00:00.000-04:00
    class vulnerability
    contributors
    name Andrew Buttner
    organization The MITRE Corporation
    description Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.
    family windows
    id oval:org.mitre.oval:def:799
    status accepted
    submitted 2004-02-12T12:00:00.000-04:00
    title Windows Server 2003 ASN.1 Library Integer Overflow Vulnerabilities
    version 63
packetstorm via4
data source https://packetstormsecurity.com/files/download/83044/ms04_007_killbill.rb.txt
id PACKETSTORM:83044
last seen 2016-12-05
published 2009-11-26
reporter Solar Eclipse
source https://packetstormsecurity.com/files/83044/Microsoft-ASN.1-Library-Bitstring-Heap-Overflow.html
title Microsoft ASN.1 Library Bitstring Heap Overflow
refmap via4
bugtraq
  • 20040210 EEYE: Microsoft ASN.1 Library Bit String Heap Corruption
  • 20040210 EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption
cert TA04-041A
cert-vn
  • VU#216324
  • VU#583108
ms MS04-007
ntbugtraq
  • 20040210 EEYE: Microsoft ASN.1 Library Bit String Heap Corruption
  • 20040210 EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption
Last major update 17-10-2016 - 22:37
Published 03-03-2004 - 00:00
Last modified 12-10-2018 - 17:33