CVE-2003-0717 - Buffer Overrun vulnerability in Microsoft Windows Messenger Service
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Summary
The Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message, which allows remote attackers to execute arbitrary code via a buffer overflow attack.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | | 48 |
Exploit-Db
All four entries reference CVE-2003-0717.

EDB-ID | Title | Type | Reporter | Published | Modified | Last seen | Source |
---|---|---|---|---|---|---|---|
111 | Microsoft Windows Messenger Service Denial of Service Exploit MS03-043 | DoS exploit, Windows platform | LSD-PLaNET | 2003-10-18 | 2003-10-18 | 2016-01-31 | https://www.exploit-db.com/download/111/ |
23247 | Microsoft Windows XP/2000 Messenger Service Buffer Overrun Vulnerability | Remote exploit, Windows platform | Adik | 2003-10-25 | 2003-10-25 | 2016-02-02 | https://www.exploit-db.com/download/23247/ |
385 | Microsoft Messenger Denial of Service Exploit MS03-043 linux ver | DoS exploit, Windows platform | VeNoMouS | 2004-08-08 | 2004-08-08 | 2016-01-31 | https://www.exploit-db.com/download/385/ |
135 | Microsoft Windows Messenger Service Remote Exploit FR MS03-043 | Remote exploit, Windows platform | MrNice | 2003-12-16 | 2003-12-16 | 2016-01-31 | https://www.exploit-db.com/download/135/ |
Nessus
NASL family: Windows
NASL id: MESSENGER_MS03-043.NASL
description: A security vulnerability exists in the Messenger Service that could allow arbitrary code execution on an affected system. An attacker who successfully exploited this vulnerability could be able to run code with Local System privileges on an affected system or could cause the Messenger Service to fail. Disabling the Messenger Service will prevent the possibility of attack. This plugin actually tests for the presence of this flaw.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11890
published: 2003-10-16
reporter: This script is Copyright (C) 2003-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11890
title: MS03-043: Buffer Overrun in Messenger Service (828035) (uncredentialed check)
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# 10/22/2003 updated by KK Liu 10/22/2003
#  - check messenger service, if not on - exit
#  - check Windows OS
#

include("compat.inc");

if (description)
{
  script_id(11890);
  script_version("1.50");
  script_cvs_date("Date: 2019/03/06 18:38:55");

  script_cve_id("CVE-2003-0717");
  script_bugtraq_id(8826);
  script_xref(name:"MSFT", value:"MS03-043");
  script_xref(name:"MSKB", value:"828035");

  script_name(english:"MS03-043: Buffer Overrun in Messenger Service (828035) (uncredentialed check)");
  script_summary(english:"Checks for hotfix Q828035");

  script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
  script_set_attribute(attribute:"description", value:
"A security vulnerability exists in the Messenger Service that could
allow arbitrary code execution on an affected system.  An attacker who
successfully exploited this vulnerability could be able to run code
with Local System privileges on an affected system or could cause the
Messenger Service to fail.

Disabling the Messenger Service will prevent the possibility of attack.

This plugin actually tests for the presence of this flaw.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2003/ms03-043");
  script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows NT, 2000, XP and 2003.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2003/10/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2003/10/16");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2003-2019 Tenable Network Security, Inc.");
  script_family(english:"Windows");

  script_require_ports(135, 593);
  exit(0);
}

#
# The idea is to send a malformed message to the remote RPC
# messenger service.
# If the service is installed we receive an error message in return
# If the service is not installed, we receive a RPC unknown_if message
#
# Nothing gets printed on the remote screen.
#

#
# check messenger service, if not on - exit
debug = 0;

if ( TARGET_IS_IPV6 ) exit(0);

#if(!get_kb_item("SMB/messenger"))
#{
#  if (debug) display("Messenger Service disabled!\n");
#  exit(0);
#}

# Read one DCE/RPC PDU: the first 9 bytes carry the header up to the
# low byte of frag_length, which tells us how much more to read.
function dcom_recv(socket)
{
  local_var buf, len;

  buf = recv(socket:socket, length:9);
  if(strlen(buf) != 9)return NULL;
  len = ord(buf[8]);
  buf += recv(socket:socket, length:len - 9);
  return buf;
}

function check_win9xme(port)
{
  local_var chk, bindwinme, soc, rwinme, lenwinme, stubwinme, recv;

  chk[3] = raw_string (0x02,0x00,0x01,0x00);

  bindwinme = raw_string(
    0x05,0x00,0x0b,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x53,0x53,0x56,0x41,
    0xd0,0x16,0xd0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
    0xe6,0x73,0x0c,0xe6,0xf9,0x88,0xcf,0x11,0x9a,0xf1,0x00,0x20,0xaf,0x6e,0x72,0xf4,
    0x02,0x00,0x00,0x00,0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,
    0x2b,0x10,0x48,0x60,0x02,0x00,0x00,0x00
  );

  soc = open_sock_tcp(port);
  if(soc)
  {
    send(socket:soc,data:bindwinme);
    rwinme = dcom_recv(socket:soc);
    if(!strlen(rwinme))exit(0);
    lenwinme = strlen(rwinme);
    if(lenwinme < 24 ) exit(0);
    stubwinme = substr(rwinme, lenwinme-24, lenwinme-21);
    if (debug)
    {
      display('len = ', lenwinme, '\n');
      display('stub = ', hexstr(stubwinme), '\n');
      display('r = ', hexstr(rwinme), '\n');
    }
    if (stubwinme >< chk[3])
    {
      if (debug) display("Windows 95/98/ME not affected!\n");
      exit(0);
    }
    close(soc);
  }
  else exit(0);
}

function check_XP(port)
{
  local_var bindxp, req, soc, recv, len;

  bindxp = raw_string(
    0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0xcc, 0x00, 0x00, 0x00, 0x84, 0x67, 0xbe, 0x18,
    0x31, 0x14, 0x5c, 0x16, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
    0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11, 0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57,
    0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
    0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0xa0, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00,
    0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60,
    0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x01, 0x00, 0x0a, 0x42, 0x24, 0x0a, 0x00, 0x17, 0x21, 0x41,
    0x2e, 0x48, 0x01, 0x1d, 0x13, 0x0b, 0x04, 0x4d, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a,
    0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00,
    0x04, 0x00, 0x01, 0x00, 0xb0, 0x01, 0x52, 0x97, 0xca, 0x59, 0xcf, 0x11, 0xa8, 0xd5, 0x00, 0xa0,
    0xc9, 0x0d, 0x80, 0x51, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
    0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00
  );

  req = raw_string (
    0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0xaa, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41,
    0x80, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x28, 0x63, 0x29, 0x20, 0x75, 0x65, 0x72, 0x84, 0x20, 0x73, 0x73, 0x53,
    0x20, 0x82, 0x80, 0x67, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1d, 0x94, 0x5e, 0x96, 0xbf, 0xcd, 0x11,
    0xb5, 0x79, 0x08, 0x00, 0x2b, 0x30, 0xbf, 0xeb, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x5c, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x00, 0x00,
    0x41, 0x00, 0x41, 0x00, 0x5c, 0x00, 0x43, 0x00, 0x24, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x2e, 0x00,
    0x74, 0x00, 0x78, 0x00, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
    0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 0x58, 0x73, 0x0b, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x31, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
    0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00
  );

  soc = open_sock_tcp(port);
  if(soc)
  {
    send(socket:soc,data:bindxp);
    recv = dcom_recv(socket:soc);
    if(!strlen(recv))exit(0);

    send(socket:soc,data:req);
    recv = dcom_recv(socket:soc);
    if(!strlen(recv))exit(0);

    len = strlen(recv);
    if (debug)
    {
      display('len = ', len, '\n');
    }
    if (len == 32)
    {
      if (debug) display("Windows XP found!\n");
      close(soc);
      return (1);
    }
    close(soc);
    return (0);
  }
  else exit(0);
}

function check_NT2K(port)
{
  local_var req, bindNT2K, soc, recv, len;

  bindNT2K = raw_string(
    0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,
    0x00,0x00,0x7F,0x00,0x00,0x00,0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,
    0x00,0x00,0x01,0x00,0x01,0x00,0xA0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,
    0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x04,0x5D,0x88,0x8a,0xEB,0x1C,
    0xC9,0x11,0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00
  );

  req = raw_string (
    0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0xaa, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41,
    0x80, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x28, 0x63, 0x29, 0x20, 0x75, 0x65, 0x72, 0x84, 0x20, 0x73, 0x73, 0x53,
    0x20, 0x82, 0x80, 0x67, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1d, 0x94, 0x5e, 0x96, 0xbf, 0xcd, 0x11,
    0xb5, 0x79, 0x08, 0x00, 0x2b, 0x30, 0xbf, 0xeb, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x5c, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x00, 0x00,
    0x41, 0x00, 0x41, 0x00, 0x5c, 0x00, 0x43, 0x00, 0x24, 0x00, 0x5c, 0x00, 0x41, 0x00, 0x2e, 0x00,
    0x74, 0x00, 0x78, 0x00, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
    0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 0x58, 0x73, 0x0b, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x31, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46,
    0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00
  );

  soc = open_sock_tcp(port);
  if(soc)
  {
    send(socket:soc,data:bindNT2K);
    recv = dcom_recv(socket:soc);
    if(!strlen(recv))exit(0);

    send(socket:soc,data:req);
    recv = dcom_recv(socket:soc);
    if(!strlen(recv))exit(0);

    len = strlen(recv);
    if (debug)
    {
      display('len = ', len, '\n');
    }
    if (len == 32)
    {
      if (debug) display("Windows NT found! Probe not available yet!\n");
      close(soc);
      #exit(0);
      return (1);
    }
    else
    {
      if (debug) display("Windows 2000 found!\n");
    }
    close(soc);
    return (1);
  }
  else exit(0);
}

function check_winos()
{
  local_var port,soc;

  port = 135;
  if(!get_port_state(port))
  {
    port = 593;
    if ( ! get_port_state(port) ) exit(0);
  }
  else
  {
    soc = open_sock_tcp(port);
    if(!soc)
    {
      if ( ! get_port_state(593) ) exit(0);
      else port = 593;
    }
    else close(soc);
  }

  check_win9xme(port:port);
  check_XP(port:port);
  check_NT2K(port:port);
}

function check_rpc_serv()
{
  local_var seq1, seq2, sport, req, ip, myudp, filter, i, rep, code, data;

  seq1 = rand() % 256;
  seq2 = rand() % 256;
  sport = 2048 + rand() % 4096;

  # Connectionless DCE/RPC request to the Messenger interface over UDP/135
  req = raw_string(
    0x04, 0x00, 0x28, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0x91, 0x7b, 0x5a, 0x00, 0xff, 0xd0, 0x11,
    0xa9, 0xb2, 0x00, 0xc0, 0x4f, 0xb6, 0xe6, 0xfc, 0x04, 0x00, seq1, seq2, 0x03, 0x04, 0x05, 0x06,
    0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0c, 0x0d, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    seq1, seq2, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00
  ) + "TENABLE" + raw_string(
    0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00
  ) + "tst" + raw_string(0);

  ip = forge_ip_packet(ip_hl : 5, ip_v: 4, ip_tos:0, ip_len:20, ip_id:rand(), ip_off:0,
                       ip_ttl:64, ip_p:IPPROTO_UDP, ip_src:compat::this_host());

  # The reply comes from a different port than port 135
  myudp = forge_udp_packet(ip:ip, uh_sport:sport, uh_dport:135, uh_ulen: 8 + strlen(req), data:req);
  filter = 'udp and dst port ' + sport + ' and src host ' + get_host_ip();

  for(i=0;i<3;i++)
  {
    rep = send_packet(myudp, pcap_active:TRUE, pcap_filter:filter, pcap_timeout:1);
    if(rep)
    {
      sport = get_udp_element(udp:rep, element:"uh_sport");
      if ( sport == 135 ) exit(0);
      data = get_udp_element(udp:rep, element:"data");
      # The last four bytes of the reply carry the status code we key on
      code = substr(data, strlen(data) - 4, strlen(data) - 1);
      if("f7060000" >< hexstr(code) || "0300011c" >< hexstr(code))
      {
        security_hole(port:135, proto:"udp");
        exit(0);
      }
      break;
    }
  }
}

check_winos();
check_rpc_serv();
```
NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS03-043.NASL
description: The remote version of Windows contains a Heap Overflow in the Messenger service that could allow an attacker to execute arbitrary code on the remote host with the SYSTEM privileges. A series of worms (Gaobot, Agobot, ...) are known to exploit this vulnerability in the wild.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11888
published: 2003-10-15
reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11888
title: MS03-043: Buffer Overrun in Messenger Service (828035)
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(11888);
  script_version("1.51");
  script_cvs_date("Date: 2018/11/15 20:50:29");

  script_cve_id("CVE-2003-0717");
  script_bugtraq_id(8826);
  script_xref(name:"MSFT", value:"MS03-043");
  script_xref(name:"CERT", value:"575892");
  script_xref(name:"MSKB", value:"828035");

  script_name(english:"MS03-043: Buffer Overrun in Messenger Service (828035)");
  script_summary(english:"Checks for hotfix Q828035");

  script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
  script_set_attribute(attribute:"description", value:
"The remote version of Windows contains a Heap Overflow in the Messenger
service that could allow an attacker to execute arbitrary code on the
remote host with the SYSTEM privileges.

A series of worms (Gaobot, Agobot, ...) are known to exploit this
vulnerability in the wild.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2003/ms03-043");
  script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows NT, 2000, XP and 2003.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2003/10/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2003/10/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2003/10/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
  script_family(english:"Windows : Microsoft Bulletins");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');
  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS03-043';
kb = '828035';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only these OS / service pack combinations are in scope for the bulletin
if (hotfix_check_sp_range(nt:'6', win2k:'2,4', xp:'0,1', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Compare the installed Msgsvc.dll against the fixed version for each platform
if (
  hotfix_is_vulnerable(os:"5.2", sp:0, file:"Msgsvc.dll", version:"5.2.3790.90", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:1, file:"Msgsvc.dll", version:"5.1.2600.1309", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:0, file:"Msgsvc.dll", version:"5.1.2600.121", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", file:"Msgsvc.dll", version:"5.0.2195.6861", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"4.0", file:"Msgsvc.dll", version:"4.0.1381.7236", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"4.0", file:"Msgsvc.dll", version:"4.0.1381.33553", min_version:"4.0.1381.33000", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
```
Oval
- oval:org.mitre.oval:def:213 (version 67)
  - title: Windows 2000 Messenger Service Buffer Overflow
  - class: vulnerability
  - family: windows
  - status: accepted
  - submitted: 2003-10-16T12:00:00.000-04:00
  - accepted: 2011-10-03T04:00:04.092-04:00
  - contributors: Christine Walzer (The MITRE Corporation), Andrew Buttner (The MITRE Corporation), Pradeep R B (SecPod Technologies)
  - description: The Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message, which allows remote attackers to execute arbitrary code via a buffer overflow attack.
- oval:org.mitre.oval:def:268 (version 73)
  - title: Windows XP Messenger Service Buffer Overflow
  - class: vulnerability
  - family: windows
  - status: accepted
  - submitted: 2003-10-28T12:00:00.000-04:00
  - accepted: 2011-10-03T04:00:05.259-04:00
  - contributors: Tiffany Bergeron (The MITRE Corporation), Andrew Buttner (The MITRE Corporation), Christine Walzer (The MITRE Corporation), Brendan Miles (The MITRE Corporation), Shane Shaffer (G2, Inc.), Sudhir Gandhe (Telos), Shane Shaffer (G2, Inc.), Pradeep R B (SecPod Technologies)
  - description (truncated): flow attack.
Seebug
Field | Value |
---|---|
bulletinFamily | exploit |
id | SSV:15333 |
last seen | 2017-11-19 |
modified | 2004-08-08 |
published | 2004-08-08 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-15333 |
title | MS Messenger Denial of Service Exploit (MS03-043) (linux ver) |

Description

Vulnerability description: Microsoft Windows is the operating system developed by Microsoft; the Windows Messenger service is used to send short messages between servers and clients. The Microsoft Windows Messenger service contains a heap overflow, and a remote attacker can exploit it to execute arbitrary instructions on the target machine with system privileges. The problem lies in the search-by-name function of the Messenger service: submitting a specially sequenced string to this function causes a heap overflow, and carefully constructed data may allow arbitrary instructions to be executed on the target machine with system privileges. Messages are delivered to the Messenger service over NetBIOS or RPC, so such messages can be blocked by closing the NetBIOS ports (137-139) and using a firewall to filter UDP broadcast packets.

Affected versions:

- Microsoft Windows NT Workstation 4.0, Service Pack 6a
- Microsoft Windows NT Server 4.0, Service Pack 6a
- Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
- Microsoft Windows 2000, Service Pack 2, Service Pack 3, Service Pack 4
- Microsoft Windows XP Gold, Service Pack 1
- Microsoft Windows XP 64-bit Edition
- Microsoft Windows XP 64-bit Edition Version 2003
- Microsoft Windows Server 2003
- Microsoft Windows Server 2003 64-bit Edition

CVE-ID: CVE-2003-0717
CNNVD-ID: CNNVD-200311-085
CNVD-ID: CNVD-2003-3088

Solution: Microsoft has released security bulletin MS03-043 and the corresponding patches. MS03-043: Buffer Overrun in Messenger Service Could Allow Code Execution (828035): http://www.microsoft.com/technet/security/bulletin/MS03-043.asp

Patch downloads:

- Microsoft Windows NT Workstation 4.0, Service Pack 6a: http://www.microsoft.com/downloads/details.aspx?FamilyId=7597FCF4-6615-4074-9E46-A17D808ED38D&displaylang=en
- Microsoft Windows NT Server 4.0, Service Pack 6a: http://www.microsoft.com/downloads/details.aspx?FamilyId=B1949456-996A-485A-9A28-79FD79F26A1B&displaylang=en
- Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6: http://www.microsoft.com/downloads/details.aspx?FamilyId=64AB4B66-1A6E-4264-93A8-26CDB98B05A8&displaylang=en
- Microsoft Windows 2000, Service Pack 2: http://www.microsoft.com/downloads/details.aspx?FamilyId=A0061377-1683-4C13-9527-5534F6C7CF85&displaylang=en
- Microsoft Windows 2000, Service Pack 3, Service Pack 4: http://www.microsoft.com/downloads/details.aspx?FamilyId=99F1B40D-906A-4945-A021-4B494CCCBDE0&displaylang=en
- Microsoft Windows XP Gold, Service Pack 1: http://www.microsoft.com/downloads/details.aspx?FamilyId=F02DA309-4B0A-4438-A0B9-5B67414C3833&displaylang=en
- Microsoft Windows XP 64-bit Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=2BE95254-4C65-4CA5-80A5-55FDF5AA2296&displaylang=en
- Microsoft Windows XP 64-bit Edition Version 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=8B990946-84C8-4C91-899C-5A44EC13174E&displaylang=en
- Microsoft Windows Server 2003: http://www.microsoft.com/downloads/details.aspx?FamilyId=1DF106F3-7EC4-4EB0-9143-C1E3C9E2F5F8&displaylang=en
- Microsoft Windows Server 2003 64-bit Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=8B990946-84C8-4C91-899C-5A44EC13174E&displaylang=en
References
- http://marc.info/?l=bugtraq&m=106666713812158&w=2
- http://marc.info/?l=ntbugtraq&m=106632188709562&w=2
- http://www.cert.org/advisories/CA-2003-27.html
- http://www.kb.cert.org/vuls/id/575892
- http://www.securityfocus.com/bid/8826
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-043
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A213
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A268