Signature Detail

MS-RPC: LSASS Malicious OpCode

This signature detects attempts to exploit a known vulnerability in Microsoft Windows Local Security Authority Subsystem Service (LSASS). A successful attack allows attackers to remotely run arbitrary code on the target system. Note: This vulnerability is exploited by many worms.

Extended Description

Microsoft Windows LSASS (Local Security Authority Subsystem Service) is prone to a remotely exploitable buffer overrun vulnerability. The specific vulnerable system component is LSASRV.DLL. Successful exploitation of this issue could allow a remote attacker to execute malicious code on a vulnerable system, resulting in full system compromise. This issue could be exploited by an anonymous user on Microsoft Windows 2000 and XP operating systems. The issue may reportedly only be exploited by local, authenticated users on Microsoft Windows Server 2003 and Microsoft Windows XP 64-Bit Edition 2003. Microsoft has stated that a local administrator could exploit the issue on these platforms, though this does not appear to pose any additional security risk as the administrator will likely already have complete control over the system.

Affected Products

• Avaya DefinityOne Media Servers
• Avaya IP600 Media Servers
• Avaya S3400 Message Application Server
• Avaya S8100 Media Servers
• Microsoft Windows 2000 Advanced Server SP1
• Microsoft Windows 2000 Advanced Server SP2
• Microsoft Windows 2000 Advanced Server SP3
• Microsoft Windows 2000 Advanced Server SP4
• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Datacenter Server SP1
• Microsoft Windows 2000 Datacenter Server SP2
• Microsoft Windows 2000 Datacenter Server SP3
• Microsoft Windows 2000 Datacenter Server SP4
• Microsoft Windows 2000 Datacenter Server
• Microsoft Windows 2000 Professional SP1
• Microsoft Windows 2000 Professional SP2
• Microsoft Windows 2000 Professional SP3
• Microsoft Windows 2000 Professional SP4
• Microsoft Windows 2000 Professional
• Microsoft Windows 2000 Server SP1
• Microsoft Windows 2000 Server SP2
• Microsoft Windows 2000 Server SP3
• Microsoft Windows 2000 Server SP4
• Microsoft Windows 2000 Server
• Microsoft Windows Server 2003 Datacenter Edition
• Microsoft Windows Server 2003 Datacenter Edition Itanium
• Microsoft Windows Server 2003 Enterprise Edition
• Microsoft Windows Server 2003 Enterprise Edition Itanium
• Microsoft Windows Server 2003 Standard Edition
• Microsoft Windows Server 2003 Web Edition
• Microsoft Windows XP 64-bit Edition SP1
• Microsoft Windows XP 64-bit Edition
• Microsoft Windows XP 64-bit Edition Version 2003 SP1
• Microsoft Windows XP 64-bit Edition Version 2003
• Microsoft Windows XP Home SP1
• Microsoft Windows XP Home
• Microsoft Windows XP Professional SP1
• Microsoft Windows XP Professional

References

• BugTraq: 10108
• CVE: CVE-2003-0533
• URL: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
• URL: http://research.eeye.com/html/advisories/published/AD20040413C.html