Vulnerabilities > CVE-2001-0876 - Unspecified vulnerability in Microsoft products

#
# This script was written by John [email protected]
#

# Changes by Tenable:
# - Revised plugin title (9/8/09)


include("compat.inc");

if(description)
{
 script_id(10829);
 script_version("1.26");
 script_cvs_date("Date: 2019/03/06 18:38:55");
# script_cve_id("CVE-2001-0876");
# script_bugtraq_id(3723);
 script_name(english: "UPnP Client Detection");

 script_set_attribute(attribute:"synopsis", value:
"This machine is a UPnP client." );
 script_set_attribute(attribute:"description", value:
"This machine answered to a unicast UPnP NOTIFY packet by trying to
fetch the XML description that Nessus advertised." );
 script_set_attribute(attribute:"risk_factor", value:"None" );
 script_set_attribute(attribute:"solution", value:"n/a" );
 script_set_attribute(attribute:"plugin_publication_date", value: "2001/12/29");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();


 script_summary(english: "UPnP scan");
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2001-2019 by John Lampe & Tenable Network Security, Inc.");
 script_family(english: "Service detection");
 exit(0);
}

include('global_settings.inc');
include('misc_func.inc');

if ( TARGET_IS_IPV6 ) exit(0);
if (islocalhost())exit(0);

if (! get_udp_port_state(1900)) exit(0);

#script based on eeye advisory Multiple Remote Windows XP/ME/98 Vulnerabilities

myaddr = compat::this_host();
dstaddr = get_host_ip();
returnport = rand() % 32768 + 32768;

  mystring = string("NOTIFY * HTTP/1.1\r\n");
  mystring = mystring + string("HOST: ", "239.255.255.250" , ":1900\r\n");
  mystring = mystring + string("CACHE-CONTROL: max-age=10\r\n");
  mystring = mystring + string("LOCATION: http://" , myaddr, ":" , returnport , "/foo.xms\r\n");
  mystring = mystring + string("NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n");
  mystring = mystring + string("NTS: ssdp:alive\r\n");
  mystring = mystring + string("SERVER: NESSUS/2001 UPnP/1.0 product/1.1\r\n");
  mystring = mystring + string("USN: uuid:NESSUS\r\n\r\n");
  len = strlen(mystring);

  ippkt = forge_ip_packet(
        ip_hl   :5,
        ip_v    :4,
        ip_tos  :0,
        ip_len  :20,
        ip_id   :31337,
        ip_off  :0,
        ip_ttl  :64,
        ip_p    :IPPROTO_UDP,
        ip_src  :myaddr
        );


  udppacket = forge_udp_packet(
        ip      :ippkt,
        uh_sport: rand() % 32768 + 32768,
        uh_dport:1900,
        uh_ulen :8 + len,
        data    :mystring
        );

for (i = 0; i < 3; i ++)
{
  filter = strcat("src " , dstaddr , " and (icmp or (tcp and dst port ", returnport, " ))");
  r = send_packet(udppacket, pcap_active:TRUE, pcap_filter:filter, pcap_timeout: 5);
  if (strlen(r) > 20)
  {
    if (ord(r[9]) == 6)
    {
      flags = get_tcp_element(tcp:r, element:"th_flags");
      if (flags & TH_SYN)
      {
        security_note(port:1900,protocol:"udp");
	register_service(port: 1900, proto: "upnp-client", ipproto: "udp");
      }
      exit(0);     
    }
    else if (ord(r[9]) == 1)
    {
      hl = ord(r[0]) & 0xF; hl *= 4;
      if (strlen(r) >= hl + 8)
      {
        type = ord(r[hl + 0]);
        code = ord(r[hl + 1]);
	if (type == 3)
	{
	  if (code == 3)
	    set_kb_item(name: "/tmp/UDP/1900/closed", value: TRUE);
	  exit(0);
	}
      }
    }
  }
}

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if(description)
{
 script_id(10835);
 script_version("1.35");

 script_cve_id("CVE-2001-0876", "CVE-2001-0877");
 script_bugtraq_id(3723);
 script_xref(name:"MSKB", value:"315000");
 script_xref(name:"MSFT", value:"MS01-059");

 script_name(english:"MS01-059: Unchecked Buffer in Universal Plug and Play can Lead to System Compromise (315000)");
 script_summary(english:"Determines the presence of hotfix Q315000");
 
 script_set_attribute(
  attribute:"synopsis",
  value:
"The Universal Plug and Play service on the remote host is prone to
denial of service and buffer overflow attacks." );
 script_set_attribute(
  attribute:"description", 
  value:
"Using a specially crafted NOTIFY directive, a remote attacker can
cause code to run in the context of the Universal Plug and Play (UPnP)
subsystem or possibly launch a denial of service attack against the
affected host.

Note that, under Windows XP, the UPnP subsystem operates with SYSTEM
privileges." );
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2001/ms01-059");
 script_set_attribute(
  attribute:"solution", 
  value:
"Microsoft has released a set of patches for Windows 98, 98SE, ME, and
XP.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2002/01/25");
 script_set_attribute(attribute:"patch_publication_date", value: "2001/12/20");
 script_set_attribute(attribute:"vuln_publication_date", value: "2001/12/20");
 script_cvs_date("Date: 2018/11/15 20:50:32");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 
 script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");
 family["english"] = "Windows : Microsoft Bulletins";
 script_family(english:family["english"]);
 
 script_dependencies("smb_hotfixes.nasl");
 script_require_keys("SMB/Registry/Enumerated");
 script_require_ports(139, 445);
 exit(0);
}


include("smb_func.inc");
include("smb_hotfixes.inc");


if ( hotfix_check_sp(xp:1) <= 0 ) exit(0);

if ( hotfix_missing(name:"315000") > 0  )
  security_hole(kb_smb_transport());