Vulnerabilities > CVE-2003-0807 - Unspecified vulnerability in Microsoft products

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
microsoft
nessus

Summary

Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request.

Nessus

  • NASL familyWindows
    NASL idSMB_KB828741.NASL
    descriptionThe remote host has multiple bugs in its RPC/DCOM implementation (828741). An attacker may exploit one of these flaws to execute arbitrary code on the remote system.
    last seen2020-06-01
    modified2020-06-02
    plugin id21655
    published2007-03-16
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/21655
    titleMS04-012: Cumulative Update for Microsoft RPC/DCOM (828741) (uncredentialed check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(21655);
     script_version("1.25");
     script_cvs_date("Date: 2018/11/15 20:50:28");
    
     script_cve_id("CVE-2003-0813", "CVE-2004-0116", "CVE-2003-0807", "CVE-2004-0124");
     script_bugtraq_id(10121, 10123, 10127, 8811);
     script_xref(name:"MSFT", value:"MS04-012");
     script_xref(name:"MSKB", value:"828741");
    
     script_name(english:"MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741) (uncredentialed check)");
     script_summary(english:"Checks for MS04-012");
    
     script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
     script_set_attribute(attribute:"description", value:
    "The remote host has multiple bugs in its RPC/DCOM implementation
    (828741).
    
    An attacker may exploit one of these flaws to execute arbitrary code
    on the remote system." );
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-012");
     script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows NT, 2000, XP and
    2003." );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2003/10/15");
     script_set_attribute(attribute:"plugin_publication_date", value:"2007/03/16");
    
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows");
    
     script_dependencies("smb_nativelanman.nasl");
     script_require_keys("Host/OS/smb");
     script_require_ports(135, 139, 445);
     exit(0);
    }
    
    #
    
    include ('smb_func.inc');
    
    function SCMActivatorGetClassObject (socket, type)
    {
     local_var data, ret, resp, code;
    
     data =
    	# struct 1
    	raw_word(w:0) +
    	raw_word(w:0) +
    	raw_dword(d:0) +
    	raw_dword(d:0) +
    	raw_dword(d:0) +
    	raw_word(w:0) +
    	raw_word(w:0) +
    	raw_dword(d:0) + raw_dword(d:0) +
    	raw_dword(d:0) +
    
    	# struct 2
    	raw_dword(d:0) +
    	raw_dword(d:0) +
    
    	# struct4
    	raw_dword(d:0x20000) +
    	raw_dword(d:4) +
    	raw_dword(d:4) +
    	raw_dword(d:0);
    
     ret = dce_rpc_request (code:0x03, data:data);
     send (socket:socket, data:ret);
     resp = recv (socket:socket, length:4096);
     if (isnull(resp))
       return 0;
    
     if (strlen(resp) < 32 || ord(resp[2]) != 3)
       return 0;
    
     # 0x80010110 -> bad dcom header. Path should check it is a local call first and return ACCESS_DENIED
     code = get_dword (blob:resp, pos:24);
     if (code == 0x80010110)
       return 1;
    
     return 0;
    }
    
    
    os = get_kb_item("Host/OS/smb");
    if ( "Windows" >!< os ) exit (0);
    
    
    port = 135;
    
    if ( ! get_port_state(port) ) exit(0);
    soc = open_sock_tcp (port);
    if (!soc) exit (0);
    
    ret = dce_rpc_bind(cid:session_get_cid(), uuid:"00000136-0000-0000-c000-000000000046", vers:0);
    send (socket:soc, data:ret);
    resp = recv (socket:soc, length:4096);
    
    if (!resp)
    {
     close (soc);
     exit (0);
    }
    
    ret = dce_rpc_parse_bind_ack (data:resp);
    if (isnull (ret) || (ret != 0))
    {
     close (soc);
     exit (0);
    }
    
    
    ret = SCMActivatorGetClassObject (socket:soc);
    if (ret == 1)
      security_hole(port);
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS04-012.NASL
    descriptionThe remote host has multiple bugs in its RPC/DCOM implementation (828741). An attacker could exploit one of these flaws to execute arbitrary code on the remote system.
    last seen2020-06-01
    modified2020-06-02
    plugin id12206
    published2004-04-13
    reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/12206
    titleMS04-012: Microsoft Hotfix (credentialed check) (828741)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(12206);
     script_version("1.45");
     script_cvs_date("Date: 2018/11/15 20:50:29");
    
     script_cve_id(
       "CVE-2003-0813",
       "CVE-2004-0116",
       "CVE-2003-0807",
       "CVE-2004-0124"
     );
     script_bugtraq_id(10121, 10123, 10127, 8811);
     script_xref(name:"CERT", value:"547820");
     script_xref(name:"CERT", value:"698564");
     script_xref(name:"CERT", value:"212892");
     script_xref(name:"MSFT", value:"MS04-012");
     script_xref(name:"MSKB", value:"828741");
    
     script_name(english:"MS04-012: Microsoft Hotfix (credentialed check) (828741)");
     script_summary(english:"Checks for ms04-012");
    
     script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
     script_set_attribute(attribute:"description", value:
    "The remote host has multiple bugs in its RPC/DCOM implementation
    (828741).
    
    An attacker could exploit one of these flaws to execute arbitrary code
    on the remote system.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-012");
     script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows NT, 2000, XP and
    2003.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2003/10/10");
     script_set_attribute(attribute:"patch_publication_date", value:"2004/04/13");
     script_set_attribute(attribute:"plugin_publication_date", value:"2004/04/13");
    
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");
    
     script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     script_require_ports(139, 445, 'Host/patch_management_checks');
     exit(0);
    }
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS04-012';
    kb = '828741';
    
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(nt:'6', win2k:'2,4', xp:'0,1', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      hotfix_is_vulnerable(os:"5.2", sp:0, file:"Rpcrt4.dll", version:"5.2.3790.137", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:1, file:"Rpcrt4.dll", version:"5.1.2600.1361", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:0, file:"Rpcrt4.dll", version:"5.1.2600.135", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.0", file:"Rpcrt4.dll", version:"5.0.2195.6904", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"4.0", file:"Rpcrt4.dll", version:"4.0.1381.7230", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"4.0", file:"Rpcrt4.dll", version:"4.0.1381.33551", min_version:"4.0.1381.33000", dir:"\system32", bulletin:bulletin, kb:kb)
    )
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    

Oval

  • accepted2007-02-20T13:39:26.817-05:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameAndrew Buttner
      organizationThe MITRE Corporation
    • nameAndrew Buttner
      organizationThe MITRE Corporation
    descriptionBuffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request.
    familywindows
    idoval:org.mitre.oval:def:1030
    statusaccepted
    submitted2004-05-25T12:00:00.000-04:00
    titleWindows Server 2003 COM Internet Services/RPC over HTTP Proxy Component Buffer Overflow
    version65
  • accepted2008-03-24T04:00:55.494-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameJohn Hoyland
      organizationCentennial Software
    • nameJonathan Baker
      organizationThe MITRE Corporation
    definition_extensions
    commentMicrosoft Windows NT is installed
    ovaloval:org.mitre.oval:def:36
    descriptionBuffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request.
    familywindows
    idoval:org.mitre.oval:def:969
    statusaccepted
    submitted2004-05-25T12:00:00.000-04:00
    titleWindows NT COM Internet Services/RPC over HTTP Proxy Component Buffer Overflow
    version72
  • accepted2004-07-02T12:00:00.000-04:00
    classvulnerability
    contributors
    nameChristine Walzer
    organizationThe MITRE Corporation
    descriptionBuffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request.
    familywindows
    idoval:org.mitre.oval:def:995
    statusaccepted
    submitted2004-05-25T12:00:00.000-04:00
    titleWindows 2000 COM Internet Services/RPC over HTTP Proxy Component Buffer Overflow
    version64