Last Modified: Oct. 12, 2018
Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Base Score: 7.5
Exploitability Score: 10.0
Impact Score: 6.4
CVSS V2: AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE: NVD-CWE-Other
```
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"MALWARE-OTHER sasser attempt"; flow:to_server,established; dce_iface:uuid 3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:"9"; dce_stub_data; content:"|EC 03 00 00|"; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:trojan-activity; sid:9419; rev:10; )

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"MALWARE-OTHER korgo attempt"; flow:to_server,established; dce_iface:uuid 3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:"9"; dce_stub_data; content:"|AD 0D 00 00|",depth 4; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:trojan-activity; sid:9420; rev:13; )

alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] ( msg:"OS-WINDOWS DCERPC NCACN-IP-TCP lsass DsRolerUpgradeDownlevelServer overflow attempt"; flow:to_server,established; dce_iface:uuid 3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:"9"; dce_stub_data; byte_test:4,>,256,0,dce; metadata:policy max-detect-ips drop,ruleset community; service:netbios-ssn; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:2508; rev:24; )

alert udp $EXTERNAL_NET any -> $HOME_NET [135,138,1024:] ( msg:"OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt"; dce_iface:uuid 3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:"9"; dce_stub_data; byte_test:4,>,256,0,dce; metadata:policy max-detect-ips drop,ruleset community; service:netbios-dgm; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:2511; rev:22; )

alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] ( msg:"OS-WINDOWS DCERPC NCACN-IP-TCP lsass DsRolerGetPrimaryDomainInformation attempt"; flow:to_server,established; dce_iface:uuid 3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:"0"; service:netbios-ssn; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5095; rev:12; )

alert udp $EXTERNAL_NET any -> $HOME_NET [135,138,1024:] ( msg:"OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerGetPrimaryDomainInformation attempt"; dce_iface:uuid 3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:"0"; metadata:policy max-detect-ips drop; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:protocol-command-decode; sid:5096; rev:11; )

# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP lsass DsRolerUpgradeDownlevelServer overflow attempt"; flow:to_server,established; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:9; dce_stub_data; byte_test:4,>,256,0,dce; metadata:policy max-detect-ips drop, ruleset community, service netbios-ssn; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:2508; rev:24;)

# alert udp $EXTERNAL_NET any -> $HOME_NET [135,138,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt"; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:9; dce_stub_data; byte_test:4,>,256,0,dce; metadata:policy max-detect-ips drop, ruleset community, service netbios-dgm; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:2511; rev:22;)
```
Condition | Configuration | Part | Vendor |
---|---|---|---|
OR | cpe:2.3:a:microsoft:netmeeting:*:*:*:*:*:*:*:* | a | microsoft |

Condition | Configuration | Part | Vendor |
---|---|---|---|
OR | cpe:2.3:o:microsoft:windows_2000:*:sp2:*:*:*:*:*:* | o | microsoft |
 | cpe:2.3:o:microsoft:windows_xp:*:sp1:tablet_pc:*:*:*:*:* | o | microsoft |
 | cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:*:*:*:*:*:* | o | microsoft |
 | cpe:2.3:o:microsoft:windows_2003_server:r2:*:*:*:*:*:*:* | o | microsoft |
 | cpe:2.3:o:microsoft:windows_me:*:*:*:*:*:*:*:* | o | microsoft |
 | cpe:2.3:o:microsoft:windows_2000:*:sp4:*:fr:*:*:*:* | o | microsoft |
 | cpe:2.3:o:microsoft:windows_98:*:gold:*:*:*:*:*:* | o | microsoft |
```
<?xml version="1.0" ?>
<set operator="and">
  <set operator="or">
    <set operator="or">
      <prop key="application" value="cpe:2.3:a:microsoft:netmeeting:*:*:*:*:*:*:*:*"/>
    </set>
    <set operator="or">
      <prop key="operating_system" value="cpe:2.3:o:microsoft:windows_2000:*:sp2:*:*:*:*:*:*"/>
      <prop key="operating_system" value="cpe:2.3:o:microsoft:windows_xp:*:sp1:tablet_pc:*:*:*:*:*"/>
      <prop key="operating_system" value="cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:*:*:*:*:*:*"/>
      <prop key="operating_system" value="cpe:2.3:o:microsoft:windows_2003_server:r2:*:*:*:*:*:*:*"/>
      <prop key="operating_system" value="cpe:2.3:o:microsoft:windows_me:*:*:*:*:*:*:*:*"/>
      <prop key="operating_system" value="cpe:2.3:o:microsoft:windows_2000:*:sp4:*:fr:*:*:*:*"/>
      <prop key="operating_system" value="cpe:2.3:o:microsoft:windows_98:*:gold:*:*:*:*:*:*"/>
    </set>
  </set>
  <prop key="program_influence" value="input"/>
  <prop key="range" value="remote"/>
</set>
```
```
<?xml version="1.0" ?>
<set operator="and">
  <prop key="target" value="host"/>
  <set operator="or">
    <prop key="program_influence" value="input"/>
    <prop key="program_influence" value="output"/>
    <prop key="program_influence" value="existence"/>
  </set>
  <prop key="data" value="any"/>
  <set operator="or">
    <prop key="data_influence" value="read"/>
    <prop key="data_influence" value="write"/>
    <prop key="data_influence" value="delete"/>
  </set>
  <set operator="or">
    <prop key="range" value="remote"/>
    <prop key="range" value="local"/>
  </set>
</set>
```