A remote overflow exists in the Microsoft Windows SSL library. The library fails to verify a field length during PCT 1.0 protocol negotiation. Any application which negotiates SSL using the Windows API may be vulnerable to this attack. With a specially crafted request, an attacker can execute arbitrary code with LocalSystem privileges, resulting in a loss of integrity.

Windows 2003 includes the vulnerable code, but ships with PCT disabled.

Apply the appropriate patch for your operation system. It is also possible to correct the flaw by implementing the following workaround(s):

1. Open the Registry Editor.
2. Locate the following key:

HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server

3. In the Edit menu, click Add Value.
4. In the Data Type drop-down list, choose REG_BINARY.
5. In the Value Name text box, type "Enabled" (without the quotation marks) and click OK.
6. In the Binary Editor, set the new keys value to equal 0 by entering the following string: 00000000.
7. Click OK and then restart the computer.

• Bugtraq ID: 10116
• Secunia Advisory ID: 11064
• ISS X-Force ID: 12380
• CVE ID: 2003-0719 (see also: NVD)
• Milw0rm: 275
• Exploit Database: 275
• Related OSVDB ID: 5248 5249 5251 5252 5253 5254 5255 5256 5257 5258 5259 5260 5261
• Metasploit ID: 5250
• Generic Exploit URL: http://immunitysec.com
  http://www.saintcorporation.com/cgi-bin/exploit_info/microsoft_ssl_pct
• Microsoft Security Bulletin: MS04-011
• Microsoft Knowledge Base Article: Q187498
• US-CERT Cyber Security Alert: TA04-104A

• Mark Dowd - Avertavertlabs.com - McAfee Avert(tm) Labs
• Neel Mehta -   -