Vulnerabilities > CVE-2003-0661 - Unspecified vulnerability in Microsoft products

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

microsoft

nessus

NVD

Published: 2003-10-20

Updated: 2019-04-30

Summary

The NetBT Name Service (NBNS) for NetBIOS in Windows NT 4.0, 2000, XP, and Server 2003 may include random memory in a response to a NBNS query, which could allow remote attackers to obtain sensitive information.

Vulnerable Configurations

Part	Description	Count
OS	Microsoft Microsoft Windows 2000 * Microsoft Windows 2003 Server Enterprise Microsoft Windows 2003 Server Enterprise_64-Bit Microsoft Windows 2003 Server R2 Microsoft Windows 2003 Server Standard Microsoft Windows 2003 Server Web Microsoft Windows NT 4.0 Microsoft Windows XP *	46

Nessus

NASL family	Windows
NASL id	NETBIOS_MEM_DISCLOSURE.NASL
description	The remote host is running a version of the NetBT name service that suffers from a memory disclosure problem. An attacker may send a special packet to the remote NetBT name service, and the reply will contain random arbitrary data from the remote host memory. This arbitrary data may be a fragment from the web page the remote user is viewing, or something more serious like a password. An attacker may use this flaw to continuously
last seen	2020-06-01
modified	2020-06-02
plugin id	11830
published	2003-09-04
reporter	This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/11830
title	MS03-034: Flaw in NetBIOS Could Lead to Information Disclosure (824105) (uncredentialed check)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(11830); script_version("1.31"); script_cvs_date("Date: 2018/11/15 20:50:27"); script_cve_id("CVE-2003-0661"); script_bugtraq_id(8532); script_xref(name:"MSFT", value:"MS03-034"); script_xref(name:"MSKB", value:"824105"); script_name(english:"MS03-034: Flaw in NetBIOS Could Lead to Information Disclosure (824105) (uncredentialed check)"); script_summary(english:"Tests the NetBT NS mem disclosure"); script_set_attribute(attribute:"synopsis", value: "The remote service is affected by an information disclosure vulnerability."); script_set_attribute(attribute:"description", value: "The remote host is running a version of the NetBT name service that suffers from a memory disclosure problem. An attacker may send a special packet to the remote NetBT name service, and the reply will contain random arbitrary data from the remote host memory. This arbitrary data may be a fragment from the web page the remote user is viewing, or something more serious like a password. An attacker may use this flaw to continuously 'poll' the content of the memory of the remote host and might be able to obtain sensitive information."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2003/ms03-034"); script_set_attribute(attribute:"solution", value:"Microsoft has released patches for Windows NT, 2000, XP, and 2003."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2003/09/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2003/09/04"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows_2000"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows_2003"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows_nt:4.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows_xp"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc."); script_family(english:"Windows"); script_dependencie("netbios_name_get.nasl"); script_require_keys("SMB/NetBIOS/137", "Settings/ParanoidReport"); exit(0); } include("audit.inc"); include("global_settings.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); NETBIOS_LEN = 50; sendata = raw_string( rand()%255, rand()%255, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x43, 0x4B, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x00, 0x00, 0x21, 0x00, 0x01 ); if(!(get_udp_port_state(137))){ exit(0); } soc = open_sock_udp(137); send(socket:soc, data:sendata, length:NETBIOS_LEN); result = recv(socket:soc, length:4096); if(strlen(result) > 58) { pad = hexstr(substr(result, strlen(result) - 58, strlen(result))); close(soc); sleep(1); soc2 = open_sock_udp(137); if(!soc2)exit(0); send(socket:soc2, data:sendata, length:NETBIOS_LEN); result = recv(socket:soc2, length:4096); if(strlen(result) > 58) { pad2 = hexstr(substr(result, strlen(result) - 58, strlen(result))); if(pad != pad2)security_warning(port:137, proto:"udp"); } }

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS03-034.NASL
description	The remote host is running a version of the NetBT name service that suffers from a memory disclosure problem. An attacker could send a special packet to the remote NetBT name service, and the reply will contain random arbitrary data from the remote host memory. This arbitrary data may be a fragment from the web page the remote user is viewing, or something more serious like a POP password or anything else. An attacker may use this flaw to continuously
last seen	2020-06-01
modified	2020-06-02
plugin id	16299
published	2005-02-03
reporter	This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/16299
title	MS03-034: NetBIOS Name Service Reply Information Leakage (824105) (credentialed check)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(16299); script_version("1.33"); script_cvs_date("Date: 2018/11/15 20:50:29"); script_cve_id("CVE-2003-0661"); script_bugtraq_id(8532); script_xref(name:"MSFT", value:"MS03-034"); script_xref(name:"MSKB", value:"824105"); script_name(english:"MS03-034: NetBIOS Name Service Reply Information Leakage (824105) (credentialed check)"); script_summary(english:"Checks the remote registry for MS03-034"); script_set_attribute(attribute:"synopsis", value: "Random portions of memory may be disclosed thru the NetBIOS name service."); script_set_attribute(attribute:"description", value: "The remote host is running a version of the NetBT name service that suffers from a memory disclosure problem. An attacker could send a special packet to the remote NetBT name service, and the reply will contain random arbitrary data from the remote host memory. This arbitrary data may be a fragment from the web page the remote user is viewing, or something more serious like a POP password or anything else. An attacker may use this flaw to continuously 'poll' the content of the memory of the remote host and might be able to obtain sensitive information."); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2003/ms03-034"); script_set_attribute(attribute:"solution", value: "Microsoft has released a set of patches for Windows NT, 2000, XP and 2003."); script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2003/09/03"); script_set_attribute(attribute:"patch_publication_date", value:"2003/09/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/03"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc."); script_family(english:"Windows : Microsoft Bulletins"); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS03-034'; kb = '824105'; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_NOTE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(nt:'6', win2k:'3,4', xp:'0,1', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( hotfix_is_vulnerable(os:"5.2", sp:0, file:"Netbt.sys", version:"5.2.3790.69", dir:"\system32\drivers", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:1, file:"Netbt.sys", version:"5.1.2600.1243", dir:"\system32\drivers", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.1", sp:0, file:"Netbt.sys", version:"5.1.2600.117", dir:"\system32\drivers", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"5.0", file:"Netbt.sys", version:"5.0.2195.6783", dir:"\system32\drivers", bulletin:bulletin, kb:kb) \|\| hotfix_is_vulnerable(os:"4.0", file:"Netbt.sys", version:"4.0.1381.7224", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_note(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Oval

accepted

2011-05-16T04:02:48.190-04:00

class

vulnerability

contributors

name Ingrid Skoog
organization The MITRE Corporation
name Ingrid Skoog
organization The MITRE Corporation
name Ingrid Skoog
organization The MITRE Corporation
name Matthew Wojcik
organization The MITRE Corporation
name Jeff Cheng
organization Opsware, Inc.
name Jeff Cheng
organization Opsware, Inc.
name Sudhir Gandhe
organization Secure Elements, Inc.
name Sudhir Gandhe
organization Secure Elements, Inc.
name Shane Shaffer
organization G2, Inc.
name Shane Shaffer
organization G2, Inc.
name Sudhir Gandhe
organization Telos
name Shane Shaffer
organization G2, Inc.

definition_extensions

comment Microsoft Windows 2000 is installed
oval oval:org.mitre.oval:def:85
comment Microsoft Windows Server 2003 (32-bit) is installed
oval oval:org.mitre.oval:def:1870

description

family

windows

oval:org.mitre.oval:def:3483

status

accepted

submitted

2004-07-01T12:00:00.000-04:00

title

NetBT Name Service Information Access Vulnerability

version

Summary

Vulnerable Configurations

Nessus

Oval

References