Vulnerabilities > CVE-2000-0851 - Unspecified vulnerability in Microsoft Windows 2000

CVSS 4.6 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

Buffer overflow in the Still Image Service in Windows 2000 allows local users to gain additional privileges via a long WM_USER message, aka the "Still Image Service Privilege Escalation" vulnerability.

Vulnerable Configurations

Part Description Count
OS
Microsoft
1

Exploit-Db

description: Microsoft Windows 2000 Still Image Service Privilege Escalation Vulnerability. CVE-2000-0851. Local exploit for windows platform
id: EDB-ID:20209
last seen: 2016-02-02
modified: 2000-09-06
published: 2000-09-06
reporter: dildog
source: https://www.exploit-db.com/download/20209/
title: Microsoft Windows 2000 - Still Image Service Privilege Escalation Vulnerability

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS00-065.NASL
description: The hotfix for the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 10504
published: 2000-09-08
reporter: This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/10504
title: MS00-065: Still Image Service Privilege Escalation patch (272736)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration branch: when the engine loads the plugin with `description`
# set, only the metadata below is recorded and the script exits before any
# host check runs.
if (description)
{
 script_id(10504);
 script_version("1.45");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 # Cross-references: the CVE, the BugTraq id, the Microsoft bulletin and
 # the KB article of the hotfix this plugin looks for.
 script_cve_id("CVE-2000-0851");
 script_bugtraq_id(1651);
 script_xref(name:"MSFT", value:"MS00-065");
 script_xref(name:"MSKB", value:"272736");

 script_name(english:"MS00-065: Still Image Service Privilege Escalation patch (272736)");
 script_summary(english:"Determines whether the hotfix Q272736 is installed");

 script_set_attribute(attribute:"synopsis", value:"A local user can elevate privileges.");
 script_set_attribute(attribute:"description", value:
"The hotfix for the 'Still Image Service Privilege Escalation' problem
has not been applied.

This vulnerability allows a malicious user, who has the right to log
on this host locally, to gain additional privileges on this host.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-065");
 script_set_attribute(attribute:"solution", value:"Microsoft has released a patch for Windows 2000.");
 # Scoring: the CVSS2 vector rates full C/I/A impact for a local,
 # unauthenticated attacker; the summary at the top of this page lists
 # partial impacts for the same CVE, so reconcile the two when prioritising.
 script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
 script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2000/09/06");
 script_set_attribute(attribute:"patch_publication_date", value:"2000/09/06");
 script_set_attribute(attribute:"plugin_publication_date", value:"2000/09/08");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 # The plugin is a hotfix-presence test (see script_summary above); it does
 # not exercise the Still Image Service itself.
 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 # Needs the SMB hotfix enumeration and the bulletin pre-check to have run,
 # and SMB reachability (139/445) or a patch-management data source.
 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, "Host/patch_management_checks");

 exit(0);
}

include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

# Check phase: bail out unless the bulletin pre-check marked this host as
# testable, then decide whether hotfix Q272736 (MS00-065) is missing.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

ms_bulletin = 'MS00-065';
kb_number = "272736";

# Hand the KB list to the third-party patch-management path when that data
# source is available for this host.
kb_list = make_list(kb_number);
if (get_kb_item("Host/patch_management_checks"))
  hotfix_check_3rd_party(bulletin:ms_bulletin, kbs:kb_list, severity:SECURITY_HOLE);

# The registry-based check needs both the enumerated registry and the
# Windows version; the version lookup exits with code 1 when absent.
get_kb_item_or_exit('SMB/Registry/Enumerated');
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

# Only Windows 2000 is in scope for this bulletin.
if (hotfix_check_sp(win2k:1) <= 0)
  exit(0, "The host is not affected based on its version / service pack.");

# Guard clause: a present hotfix (or an inconclusive lookup) means no finding.
if (hotfix_missing(name:"Q272736") <= 0)
  exit(0, "The host is not affected.");

# Hotfix absent: tag the report with the bulletin/KB pair where the engine
# supports it, raise the finding and record the missing bulletin in the KB.
if (defined_func("report_xml_tag") && !isnull(ms_bulletin) && !isnull(kb_number))
  report_xml_tag(tag:ms_bulletin, value:kb_number);

hotfix_security_hole();
set_kb_item(name:"SMB/Missing/"+ms_bulletin, value:TRUE);
exit(0);