Vulnerabilities > CVE-2003-0223 - Unspecified vulnerability in Microsoft products

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
microsoft
nessus

Summary

Cross-site scripting vulnerability (XSS) in the ASP function responsible for redirection in Microsoft Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to embed a URL containing script in a redirection message.

Vulnerable Configurations

Part Description Count
Application
Microsoft
2

Nessus

  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS03-018.NASL
    description: The remote host is running a version of IIS that contains various flaws that could allow remote attackers to disable this service remotely and local attackers (or remote attackers with the ability to upload arbitrary files on this server) to gain SYSTEM level access on this host.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11683
    published: 2003-06-02
    reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11683
    title: MS03-018: Cumulative Patch for Internet Information Services (11114)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: when the engine sets `description`, the plugin only
    # declares its metadata through the script_* calls below and then exits.
    if (description)
    {
     script_id(11683);
     script_version("1.42");
     script_cvs_date("Date: 2018/11/15 20:50:29");
    
     # One bulletin, four CVEs. CVE-2003-0223 is the ASP redirection XSS; the
     # other three are reported under the same plugin id.
     script_cve_id(
       "CVE-2003-0223",
       "CVE-2003-0224",
       "CVE-2003-0225",
       "CVE-2003-0226"
     );
     script_bugtraq_id(7731, 7733, 7734, 7735);
     script_xref(name:"MSFT", value:"MS03-018");
     script_xref(name:"MSKB", value:"811114");
    
     # NOTE(review): the title carries "(11114)" while the MSKB xref and the
     # summary use 811114 - looks like a dropped leading digit; confirm before
     # changing, since this string is what appears in reports.
     script_name(english:"MS03-018: Cumulative Patch for Internet Information Services (11114)");
     script_summary(english:"Determines if HF Q811114 has been installed");
    
     # NOTE(review): synopsis and description cover code execution, denial of
     # service and SYSTEM-level access but never mention the XSS (CVE-2003-0223)
     # listed above, so someone triaging that CVE will not find it in this text.
     script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote web server.");
     script_set_attribute(attribute:"description", value:
    "The remote host is running a version of IIS that contains various flaws
    that could allow remote attackers to disable this service remotely and
    local attackers (or remote attackers with the ability to upload
    arbitrary files on this server) to gain SYSTEM level access on this
    host.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2003/ms03-018");
     script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for IIS 4.0, 5.0 and 5.1.");
     # Full C/I/A impact in both vectors; presumably scored for the most severe
     # of the bundled issues rather than for the XSS alone - confirm when using
     # this score to prioritise CVE-2003-0223 specifically.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
     script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2003/04/18");
     script_set_attribute(attribute:"patch_publication_date", value:"2003/05/28");
     script_set_attribute(attribute:"plugin_publication_date", value:"2003/06/02");
    
     # "local": the verdict comes from patch state read off the host (see the
     # SMB dependencies and ports below), not from probing the web service.
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     # Information-gathering category: the check reads state, it sends no
     # attack traffic.
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");
    
     # Scheduling constraints: run after the hotfix enumeration plugins, and
     # only when the bulletin-check KB key exists (presumably set by
     # ms_bulletin_checks_possible.nasl - confirm) and SMB or
     # patch-management data is reachable.
     script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     script_require_ports(139, 445, 'Host/patch_management_checks');
     # End of the metadata pass; nothing below runs during registration.
     exit(0);
    }
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("misc_func.inc");
    
    # Credentialed patch audit for MS03-018: decide from the W3svc.dll file
    # version whether hotfix 811114 is missing. Nothing is sent to the web
    # service; every input is KB data or a file read over the system share.

    # Stop unless an earlier plugin recorded that bulletin checks are possible.
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

    bulletin = 'MS03-018';
    kb = "811114";
    kbs = make_list(kb);

    # With patch-management data available, hand the bulletin and KB list to
    # the third-party check helper first.
    if (get_kb_item("Host/patch_management_checks"))
    {
      hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    }

    # The file check needs an enumerated registry and a known Windows version.
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

    # Applicability gates: audit() reports the reason and ends the plugin, so
    # hosts outside the listed service-pack ranges or without IIS never reach
    # the file comparison.
    sp_in_range = hotfix_check_sp_range(nt:'6', win2k:'2,3', xp:'0,1');
    if (sp_in_range <= 0) audit(AUDIT_OS_SP_NOT_VULN);

    iis_present = hotfix_check_iis_installed();
    if (iis_present <= 0) audit(AUDIT_NOT_INST, "IIS");

    # Locate the system root and make sure its share can be read.
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");

    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

    # One comparison per OS version (5.1, 5.0, 4.0), evaluated in that order
    # and short-circuited on the first hit. The version strings are presumably
    # the patched W3svc.dll builds, with older files treated as unpatched -
    # confirm against smb_hotfixes_fcheck.inc.
    patch_missing =
      hotfix_is_vulnerable(os:"5.1", file:"W3svc.dll", version:"5.1.2600.1166", dir:"\system32\inetsrv", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.0", file:"W3svc.dll", version:"5.0.2195.6672", dir:"\system32\inetsrv", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"4.0", file:"W3svc.dll", version:"4.2.785.1",     dir:"\system32\inetsrv", bulletin:bulletin, kb:kb);

    if (!patch_missing)
    {
      # Release the file-check session before reporting "not affected".
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    else
    {
      # Record the missing bulletin in the KB, raise the finding, then release
      # the file-check session.
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    
  • NASL family: CGI abuses : XSS
    NASL id: ASP_NET_CSS.NASL
    description: The remote host contains an ASP.NET installation that is affected by a cross-site scripting vulnerability. An attacker can exploit this issue to execute arbitrary HTML or script code in a user's browser within the security context of the affected site.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 10844
    published: 2002-02-05
    reporter: This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/10844
    title: Microsoft IIS ASP Redirection Function XSS
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # Script audit and contributions from Carmichael Security
    #      Erik Anderson <[email protected]>
    #      Added links to the Bugtraq message archive and Microsoft Knowledgebase
    #
    
    include("compat.inc");
    
    # Registration pass: when the engine sets `description`, the plugin only
    # declares its metadata through the script_* calls below and then exits.
    if(description)
    {
      script_id(10844);
      script_version ("1.35");
      script_cvs_date("Date: 2018/11/15 20:50:19");
    
      script_cve_id("CVE-2003-0223");
      script_bugtraq_id(7731);
    
      # NOTE(review): the name, CVE and CPE refer to the IIS ASP redirection
      # function, while the summary and description below speak of ASP.NET.
      # Confirm which component this check covers and align the wording, so a
      # finding is not triaged against the wrong product.
      script_name(english:"Microsoft IIS ASP Redirection Function XSS");
      script_summary(english:"Tests for ASP.NET XSS.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is affected by a cross-site scripting vulnerability.");
     script_set_attribute(attribute:"description", value:
    "The remote host contains an ASP.NET installation that is affected by a
    cross-site scripting vulnerability. An attacker can exploit this issue
    to execute arbitrary HTML or script code in a user's browser within
    the security context of the affected site.");
      script_set_attribute(attribute:"see_also", value:"https://msdn.microsoft.com/en-us/library/ms972823.aspx");
      script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/811114/ms03-018-may-2003-cumulative-patch-for-internet-information-services-i");
      script_set_attribute(attribute:"solution", value:
    "Microsoft released a patch for this issue. Refer to the supplied link.");
      # Integrity-only partial impact (C:N/I:P/A:N): the score models injected
      # content shown to a user, not compromise of the server itself.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
      # 79 is the specific weakness (cross-site scripting); 20 and 74 are its
      # broader input-validation and injection classes. The remaining ids
      # appear to be CWE category/view groupings - confirm before relying on
      # them for reporting.
      script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
    
      # NOTE(review): the patch date (2002) precedes the vulnerability date
      # (2003) by a year; it looks like a typo for 2003/05/28 - confirm against
      # the MS03-018 bulletin.
      script_set_attribute(attribute:"vuln_publication_date", value:"2003/05/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2002/05/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2002/02/05");
    
      # "remote" plus exploited_by_nessus: the verdict comes from a request the
      # plugin itself sends to the web server, not from credentialed patch data.
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:internet_information_server");
      script_set_attribute(attribute:"exploited_by_nessus", value:"true");
      script_end_attributes();
    
      # ACT_ATTACK: the plugin sends an active probe, so scan policies that
      # exclude this category will skip it.
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses : XSS");
    
      script_copyright(english:"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.");
    
      # Runs after the HTTP fingerprinting and generic XSS plugins, and only
      # against web ports where the ASP and IIS KB keys are set.
      script_dependencies("http_version.nasl", "cross_site_scripting.nasl");
      script_require_ports("Services/www", 80);
      script_require_keys("www/ASP", "www/iis");
    
      # End of the metadata pass; nothing below runs during registration.
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
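    # Remote check for reflected script in an IIS redirection response.
    # It sends one GET carrying a unique marker and reports only when that
    # marker comes back unencoded in the body of a 301/302 reply.

    # Pick the web port to test; asp:TRUE presumably limits this to servers
    # already known to handle ASP - confirm against http.inc.
    port = get_http_port(default:80, asp:TRUE);

    # A port already flagged as generically reflecting script would make this
    # finding redundant, so stop quietly.
    if (get_kb_item("www/" + port + "/generic_xss")) exit(0);

    # Ensure we only flag an IIS server.
    banner = get_http_banner(port:port, exit_on_fail:TRUE);
    if ("IIS/" >!< banner) audit(AUDIT_WRONG_WEB_SERVER, port, "Microsoft IIS");

    # The marker combines the script name and the current time, so a match in
    # the response can only come from this request.
    xss_tag = SCRIPT_NAME - ".nasl" + "-" + unixtime();
    str = "/~/<script>alert('"+xss_tag+"')</script>.aspx?aspxerrorpath=null";
    r = http_send_recv3(port: port, method: 'GET', item: str, exit_on_fail:TRUE);

    lookfor = "<script>alert('"+xss_tag+"')</script>";

    # r[0] is the status line and r[2] the body. The status test is anchored to
    # the status-code field: the earlier unanchored "301|302" would also accept
    # those digits anywhere else in the status line, which risks a false
    # positive on a non-redirect reply.
    if (lookfor >< r[2] && r[0] =~ "^HTTP/[0-9.]+ +30[12]([^0-9]|$)")
    {
      # Prefer the matching excerpt as evidence; fall back to the whole body
      # when no excerpt can be extracted.
      output = extract_pattern_from_resp(pattern:"ST:"+lookfor, string: r[2]);
      if (empty_or_null(output)) output = r[2];
      security_report_v4(
        port       : port,
        severity   : SECURITY_WARNING,
        generic    : TRUE,
        xss        : TRUE,  # XSS KB key
        request    : make_list(build_url(qs:str, port:port)),
        output     : output
      );
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, "Microsoft IIS", port);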
    

Oval

accepted: 2011-05-16T04:03:19.519-04:00
class: vulnerability
contributors:
  • name: David Proulx
    organization: The MITRE Corporation
  • name: Christine Walzer
    organization: The MITRE Corporation
  • name: Shane Shaffer
    organization: G2, Inc.
  • name: Sudhir Gandhe
    organization: Telos
  • name: Shane Shaffer
    organization: G2, Inc.
description: Cross-site scripting vulnerability (XSS) in the ASP function responsible for redirection in Microsoft Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to embed a URL containing script in a redirection message.
family: windows
id: oval:org.mitre.oval:def:66
status: accepted
submitted: 2003-10-10T12:00:00.000-04:00
title: IIS ASP Function Cross-site Scripting
version: 32