5248 : Microsoft Windows LSASS Remote Overflow
Printer | http://osvdb.org/5248 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
11	1989	over 7 years ago	about 1 year ago	18 times	100%

Timeline

Vendor Informed Date	Disclosure Date	Exploit Publish Date	Vendor Solution Date
2003-10-08	2004-04-13	2004-04-29	2004-08-10

Time to Patch	Days of Exposure
307 days	103 days

Keywords

sasser

Description

A remote overflow exists in Windows. The LSA (Local Security Authority) Service fails to validate some input received on the LSARPC named pipe over TCP ports 139 and 445 resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch / RCS
Exploit: Exploit Public, Exploit Commercial
Disclosure: OSVDB Verified, Vendor Verified

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

Products

Microsoft Corporation	Windows	2000 SP2
		2000 SP3
		2000 SP4
		XP
		XPSP1
		XP 64-bit Edition SP1
		XP 64-Bit Edition 2003
		2003 Server x64
		2003 Server

References

Security Tracker: 1009751
Bugtraq ID: 10108
Secunia Advisory ID: 11064
ISS X-Force ID: 15699
CVE ID: 2003-0533 (see also: NVD)
Milw0rm: 293 295
Exploit Database: 293 295
Metasploit ID: 5248
Related OSVDB ID: 5249 5250 5251 5252 5253 5254 5255 5256 5257 5258 5259 5260 5261
SCIP VulDB ID: 599
CERT VU: 753212
Generic Exploit URL: http://immunitysec.com
http://marc.theaimsgroup.com/?l=bugtraq&m=108325860431471&w=2
http://packetstormsecurity.org/0404-exploits/billybastard.c
http://www.metasploit.com/projects/Framework/exploits.html#lsass_ms04_011
http://www.saintcorporation.com/cgi-bin/exploit_info/windows_lsass
Mail List Post: http://lists.netsys.com/pipermail/full-disclosure/2004-April/020069.html
Packet Storm: http://packetstormsecurity.nl/0405-exploits/sasserftpd.c
http://packetstormsecurity.nl/0405-exploits/win_msrpc_lsass_ms04-11_Ex.c
Other Advisory URL: http://research.eeye.com/html/advisories/published/AD20040413C.html
http://www.eeye.com/html/Research/Advisories/AD20040413C.html [ Link is 404 ]
Microsoft Security Bulletin: MS04-011
CIAC Advisory: o-114
Keyword: sasser
US-CERT Cyber Security Alert: TA04-104A

Tools & Filters

12209

Snort

2508 2511 2514 5095 5096 5097 5098 5099 5100 5101 5102 5103 5104 5105 5106 5107 5108 5109 5110 5111 5112 5113 5114 5115 5116 5117 5118 5119 5120 5121 5122 5123 5124 5125 5126 5127 5128 5129 5130 5131 5132 5133 5134 5135 5136 5137 5138 5139 5140 5141 5142 5143 5144 5145 5146 5147 5148 5149 5150 5151 5152 5153 5154 5155 5156 5157 5158 5159 5160 5161 5162 5163 5164 5165 5166 5167 5168 5169 5170 5171 5172 ... and 146 more

Credit

Yuji Ukai - eEye Digital Security

CVSSv2 Score

CVSSv2 Base Score = 7.5
Source: nvd.nist.gov | Generated: 2003-12-31 | Disagree?

Blogs

This product uses the Daylife API but is not endorsed or certified by Daylife.

This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.