Microsoft SSL library PCT buffer overflow

Added: 10/13/2006
CVE: CVE-2003-0719
BID: 10116
OSVDB: 5250

Background

The Microsoft Secure Sockets Layer (SSL) library provides support for a number of secure communication protocols, including the Private Communication Technology (PCT) protocol. Since PCT has been superceded by SSL 3.0, the Microsoft SSL library supports it for backwards compatibility only. The Microsoft SSL library is used by many applications, including Microsoft Internet Information Services (IIS).

Problem

A buffer overflow in the Microsoft SSL library when handling the PCT protocol allows remote attackers to execute arbitrary commands by sending a specially crafted message to an application which uses SSL.

Resolution

Apply the patch referenced in Microsoft Security Bulletin 04-011.

References

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.kb.cert.org/vuls/id/586540

Limitations

Exploit works on Microsoft IIS 5.0 and 5.1.

Platforms

Windows 2000
Windows XP

Back to exploit index