Vulnerabilities > CVE-2003-0661 - Unspecified vulnerability in Microsoft products

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
microsoft
nessus

Summary

The NetBT Name Service (NBNS) for NetBIOS in Windows NT 4.0, 2000, XP, and Server 2003 may include random memory in a response to an NBNS query, which could allow remote attackers to obtain sensitive information.

Nessus

  • NASL family: Windows
    NASL id: NETBIOS_MEM_DISCLOSURE.NASL
    description: The remote host is running a version of the NetBT name service that suffers from a memory disclosure problem. An attacker may send a special packet to the remote NetBT name service, and the reply will contain random arbitrary data from the remote host memory. This arbitrary data may be a fragment from the web page the remote user is viewing, or something more serious like a password. An attacker may use this flaw to continuously 'poll' the content of the memory of the remote host and might be able to obtain sensitive information.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11830
    published: 2003-09-04
    reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11830
    title: MS03-034: Flaw in NetBIOS Could Lead to Information Disclosure (824105) (uncredentialed check)
    code:
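    #
    # (C) Tenable Network Security, Inc.
    #
    # Uncredentialed check for MS03-034 (KB824105).  The same NBNS node
    # status query is sent twice and the trailing bytes of the two replies
    # are compared: on a patched host the tail is identical, on a vulnerable
    # host it differs because the reply carries uninitialised memory.
    # Two samples can still match by chance, so the plugin is marked as a
    # potential vulnerability and only runs under paranoid reporting.
    
    include("compat.inc");
    
    if (description)
    {
     script_id(11830);
     script_version("1.31");
     script_cvs_date("Date: 2018/11/15 20:50:27");
    
     script_cve_id("CVE-2003-0661");
     script_bugtraq_id(8532);
     script_xref(name:"MSFT", value:"MS03-034");
     script_xref(name:"MSKB", value:"824105");
    
     script_name(english:"MS03-034: Flaw in NetBIOS Could Lead to Information Disclosure (824105) (uncredentialed check)");
     script_summary(english:"Tests the NetBT NS mem disclosure");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote service is affected by an information disclosure
    vulnerability.");
     script_set_attribute(attribute:"description", value:
    "The remote host is running a version of the NetBT name service that
    suffers from a memory disclosure problem.
    
    An attacker may send a special packet to the remote NetBT name
    service, and the reply will contain random arbitrary data from the
    remote host memory. This arbitrary data may be a fragment from the web
    page the remote user is viewing, or something more serious like a
    password.
    
    An attacker may use this flaw to continuously 'poll' the content of
    the memory of the remote host and might be able to obtain sensitive
    information.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2003/ms03-034");
     script_set_attribute(attribute:"solution", value:"Microsoft has released patches for Windows NT, 2000, XP, and 2003.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2003/09/03");
     script_set_attribute(attribute:"plugin_publication_date", value:"2003/09/04");
    
     # The result is inferred from response variance, not from a version
     # string, hence "potential" and the paranoid-mode requirement below.
     script_set_attribute(attribute:"potential_vulnerability", value:"true");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows_2000");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows_2003");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows_nt:4.0");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows_xp");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
    
     script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows");
    
     script_dependencie("netbios_name_get.nasl");
     script_require_keys("SMB/NetBIOS/137", "Settings/ParanoidReport");
    
     exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    # Size of the query below and the number of trailing reply bytes that
    # are compared between the two samples.
    NETBIOS_LEN = 50;
    TAIL_LEN = 58;
    
    # NBNS node status (NBSTAT, type 0x21, class IN) query for the wildcard
    # name: random 16-bit transaction id, one question, 32-byte first-level
    # encoded name ("CK" followed by thirty "A"s), terminating zero label.
    sendata = raw_string(
    rand()%255, rand()%255, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x20, 0x43, 0x4B,
    0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41,
    0x00, 0x00, 0x21, 0x00, 0x01
    			);
    
    
    if(!(get_udp_port_state(137))){
    	exit(0);
    	}
    
    # First sample.  The socket is checked (the original only checked the
    # second one) and closed on every path, not only when the reply is long.
    soc = open_sock_udp(137);
    if(!soc)exit(0);
    send(socket:soc, data:sendata, length:NETBIOS_LEN);
    result = recv(socket:soc, length:4096);
    close(soc);
    
    if(strlen(result) > TAIL_LEN)
    {
     pad = hexstr(substr(result, strlen(result) - TAIL_LEN, strlen(result)));
    
     # Give the host a moment so the second reply is built independently.
     sleep(1);
    
     # Second sample, same query; the tail must be byte-identical on a
     # patched host.
     soc2 = open_sock_udp(137);
     if(!soc2)exit(0);
     send(socket:soc2, data:sendata, length:NETBIOS_LEN);
     result = recv(socket:soc2, length:4096);
     close(soc2);
     if(strlen(result) > TAIL_LEN)
     {
      pad2 = hexstr(substr(result, strlen(result) - TAIL_LEN, strlen(result)));
      if(pad != pad2)security_warning(port:137, proto:"udp");
     }
    }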
    
  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS03-034.NASL
    description: The remote host is running a version of the NetBT name service that suffers from a memory disclosure problem. An attacker could send a special packet to the remote NetBT name service, and the reply will contain random arbitrary data from the remote host memory. This arbitrary data may be a fragment from the web page the remote user is viewing, or something more serious like a POP password or anything else. An attacker may use this flaw to continuously 'poll' the content of the memory of the remote host and might be able to obtain sensitive information.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16299
    published: 2005-02-03
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/16299
    title: MS03-034: NetBIOS Name Service Reply Information Leakage (824105) (credentialed check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # Credentialed check for MS03-034 (KB824105): reads the installed
    # Netbt.sys version over SMB and compares it against the fixed build for
    # each affected OS / service-pack level.  Unlike the network probe, this
    # does not depend on response variance, so the result is deterministic.
    
    include("compat.inc");
    
    if (description)
    {
     script_id(16299);
     script_version("1.33");
     script_cvs_date("Date: 2018/11/15 20:50:29");
    
     script_cve_id("CVE-2003-0661");
     script_bugtraq_id(8532);
     script_xref(name:"MSFT", value:"MS03-034");
     script_xref(name:"MSKB", value:"824105");
    
     script_name(english:"MS03-034: NetBIOS Name Service Reply Information Leakage (824105) (credentialed check)");
     script_summary(english:"Checks the remote registry for MS03-034");
    
     script_set_attribute(attribute:"synopsis", value:
    "Random portions of memory may be disclosed thru the NetBIOS name
    service.");
     script_set_attribute(attribute:"description", value:
    "The remote host is running a version of the NetBT name service that
    suffers from a memory disclosure problem.
    
    An attacker could send a special packet to the remote NetBT name
    service, and the reply will contain random arbitrary data from the
    remote host memory.  This arbitrary data may be a fragment from the web
    page the remote user is viewing, or something more serious like a POP
    password or anything else.
    
    An attacker may use this flaw to continuously 'poll' the content of the
    memory of the remote host and might be able to obtain sensitive
    information.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2003/ms03-034");
     script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows NT, 2000, XP and
    2003.");
     # NOTE(review): this plugin scores AV:A (adjacent) while the
     # uncredentialed plugin 11830 for the same CVE scores AV:N.
     script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
     script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2003/09/03");
     script_set_attribute(attribute:"patch_publication_date", value:"2003/09/03");
     script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/03");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");
    
     script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     script_require_ports(139, 445, 'Host/patch_management_checks');
     exit(0);
    }
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("misc_func.inc");
    
    # Bail out unless the dependency plugins established that bulletin
    # checks can run against this host.
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS03-034';
    kb = '824105';
    
    # When a third-party patch management source is available, report the
    # missing KB from it (at NOTE severity) before attempting the file check.
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_NOTE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    # Only these OS / service-pack combinations are in scope: NT4 SP6,
    # 2000 SP3-SP4, XP SP0-SP1, 2003 SP0.  Anything else is not affected.
    if (hotfix_check_sp_range(nt:'6', win2k:'3,4', xp:'0,1', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    # The version read needs the admin share backing %SystemRoot%.
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    # Vulnerable if the installed Netbt.sys is older than the fixed build
    # for the matching OS / SP (os: 5.2 = 2003, 5.1 = XP, 5.0 = 2000, 4.0 = NT4).
    if (
      hotfix_is_vulnerable(os:"5.2", sp:0, file:"Netbt.sys", version:"5.2.3790.69", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:1, file:"Netbt.sys", version:"5.1.2600.1243", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:0, file:"Netbt.sys", version:"5.1.2600.117", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.0", file:"Netbt.sys", version:"5.0.2195.6783", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"4.0", file:"Netbt.sys", version:"4.0.1381.7224", dir:"\system32\drivers", bulletin:bulletin, kb:kb)
    )
    {
      # Record the missing bulletin for other plugins, report, and release
      # the SMB session opened by the file-version check.
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_note();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      # The SMB session must be released on the not-affected path too.
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    

Oval

accepted: 2011-05-16T04:02:48.190-04:00
class: vulnerability
contributors
  • name: Ingrid Skoog
    organization: The MITRE Corporation
  • name: Ingrid Skoog
    organization: The MITRE Corporation
  • name: Ingrid Skoog
    organization: The MITRE Corporation
  • name: Matthew Wojcik
    organization: The MITRE Corporation
  • name: Jeff Cheng
    organization: Opsware, Inc.
  • name: Jeff Cheng
    organization: Opsware, Inc.
  • name: Sudhir Gandhe
    organization: Secure Elements, Inc.
  • name: Sudhir Gandhe
    organization: Secure Elements, Inc.
  • name: Shane Shaffer
    organization: G2, Inc.
  • name: Shane Shaffer
    organization: G2, Inc.
  • name: Sudhir Gandhe
    organization: Telos
  • name: Shane Shaffer
    organization: G2, Inc.
definition_extensions
  • comment: Microsoft Windows 2000 is installed
    oval: oval:org.mitre.oval:def:85
  • comment: Microsoft Windows Server 2003 (32-bit) is installed
    oval: oval:org.mitre.oval:def:1870
description: The NetBT Name Service (NBNS) for NetBIOS in Windows NT 4.0, 2000, XP, and Server 2003 may include random memory in a response to an NBNS query, which could allow remote attackers to obtain sensitive information.
family: windows
id: oval:org.mitre.oval:def:3483
status: accepted
submitted: 2004-07-01T12:00:00.000-04:00
title: NetBT Name Service Information Access Vulnerability
version: 49