Vulnerabilities > CVE-2003-0807 - Remote Denial Of Service vulnerability in Microsoft Windows COM Internet Service/RPC Over HTTP

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
microsoft
nessus

Summary

Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request.

Nessus

  • NASL family: Windows
    NASL id: SMB_KB828741.NASL
    description: The remote host has multiple bugs in its RPC/DCOM implementation (828741). An attacker may exploit one of these flaws to execute arbitrary code on the remote system.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21655
    published: 2007-03-16
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21655
    title: MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741) (uncredentialed check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Plugin registration block: Nessus runs the script once with `description`
    # set and only reads the metadata declared here; the network probe lives
    # below and never runs in this mode.
    if (description)
    {
     script_id(21655);
     script_version("1.25");
     script_cvs_date("Date: 2018/11/15 20:50:28");

     # One cumulative plugin covers all four CVEs fixed by MS04-012 / KB828741.
     script_cve_id("CVE-2003-0813", "CVE-2004-0116", "CVE-2003-0807", "CVE-2004-0124");
     script_bugtraq_id(10121, 10123, 10127, 8811);
     script_xref(name:"MSFT", value:"MS04-012");
     script_xref(name:"MSKB", value:"828741");

     script_name(english:"MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741) (uncredentialed check)");
     script_summary(english:"Checks for MS04-012");

     script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
     script_set_attribute(attribute:"description", value:
    "The remote host has multiple bugs in its RPC/DCOM implementation
    (828741).

    An attacker may exploit one of these flaws to execute arbitrary code
    on the remote system." );
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-012");
     script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows NT, 2000, XP and
    2003." );
     # Bulletin-wide worst case (remote code execution). CVE-2003-0807 on its
     # own is rated as a partial availability impact (denial of service), so a
     # finding from this plugin must not be read as an RCE for that CVE alone.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");

     script_set_attribute(attribute:"vuln_publication_date", value:"2003/10/15");
     script_set_attribute(attribute:"plugin_publication_date", value:"2007/03/16");

     # "remote": the check talks to the DCE/RPC endpoint directly and needs no
     # credentials; the credentialed companion plugin (12206) uses plugin_type local.
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();

     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows");

     # OS fingerprint from smb_nativelanman.nasl gates the probe to Windows hosts;
     # 135 is the port actually probed, 139/445 feed the OS fingerprint.
     script_dependencies("smb_nativelanman.nasl");
     script_require_keys("Host/OS/smb");
     script_require_ports(135, 139, 445);
     exit(0);
    }
    
    #
    
    include ('smb_func.inc');
    
    # Send one activation request (opnum 3) over an already-bound DCE/RPC
    # session and classify the reply.
    #
    # socket : connected, bound TCP socket to the RPC endpoint.
    # type   : accepted for interface compatibility; not used by the probe.
    #
    # Returns 1 when the endpoint answers with a fault whose status is
    # 0x80010110 (the behaviour of an unpatched host: the malformed DCOM
    # header is parsed before the local-call / access check), 0 for any
    # other outcome including no reply or a short reply.
    function SCMActivatorGetClassObject (socket, type)
    {
     local_var req, pkt, resp, status;

     # Mostly-zeroed request body; only the last struct carries non-zero fields.
     req =
       # struct 1
       raw_word(w:0) + raw_word(w:0) +
       raw_dword(d:0) + raw_dword(d:0) + raw_dword(d:0) +
       raw_word(w:0) + raw_word(w:0) +
       raw_dword(d:0) + raw_dword(d:0) + raw_dword(d:0) +
       # struct 2
       raw_dword(d:0) + raw_dword(d:0) +
       # struct4
       raw_dword(d:0x20000) + raw_dword(d:4) + raw_dword(d:4) + raw_dword(d:0);

     pkt = dce_rpc_request (code:0x03, data:req);
     send (socket:socket, data:pkt);
     resp = recv (socket:socket, length:4096);

     # No answer at all.
     if (isnull(resp))
       return 0;

     # Need at least the 32-byte header and a packet type of 3 (fault) before
     # the status dword at offset 24 means anything.
     if (strlen(resp) < 32)
       return 0;
     if (ord(resp[2]) != 3)
       return 0;

     status = get_dword (blob:resp, pos:24);
     if (status != 0x80010110)
       return 0;

     return 1;
    }
    
    
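    # Main probe: bind to the DCOM activation interface on TCP 135 and ask
    # SCMActivatorGetClassObject() whether the host answers like an unpatched
    # system. Only Windows hosts are probed.
    os = get_kb_item("Host/OS/smb");
    if ( "Windows" >!< os ) exit (0);


    # DCE/RPC endpoint mapper port.
    port = 135;

    if ( ! get_port_state(port) ) exit(0);
    soc = open_sock_tcp (port);
    if (!soc) exit (0);

    # Bind to the activation interface the helper above targets, version 0.
    ret = dce_rpc_bind(cid:session_get_cid(), uuid:"00000136-0000-0000-c000-000000000046", vers:0);
    send (socket:soc, data:ret);
    resp = recv (socket:soc, length:4096);

    if (!resp)
    {
     close (soc);
     exit (0);
    }

    # A null or non-zero parse result is treated as a rejected bind.
    ret = dce_rpc_parse_bind_ack (data:resp);
    if (isnull (ret) || (ret != 0))
    {
     close (soc);
     exit (0);
    }


    ret = SCMActivatorGetClassObject (socket:soc);
    # Release the socket on this path too; previously it stayed open after
    # the probe, unlike the two error paths above.
    close (soc);
    if (ret == 1)
      security_hole(port);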
    
  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS04-012.NASL
    description: The remote host has multiple bugs in its RPC/DCOM implementation (828741). An attacker could exploit one of these flaws to execute arbitrary code on the remote system.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12206
    published: 2004-04-13
    reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/12206
    title: MS04-012: Microsoft Hotfix (credentialed check) (828741)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Plugin registration block: Nessus runs the script once with `description`
    # set and only reads the metadata declared here; the file-version check
    # below never runs in this mode.
    if (description)
    {
     script_id(12206);
     script_version("1.45");
     script_cvs_date("Date: 2018/11/15 20:50:29");

     # One cumulative plugin covers all four CVEs fixed by MS04-012 / KB828741.
     script_cve_id(
       "CVE-2003-0813",
       "CVE-2004-0116",
       "CVE-2003-0807",
       "CVE-2004-0124"
     );
     script_bugtraq_id(10121, 10123, 10127, 8811);
     script_xref(name:"CERT", value:"547820");
     script_xref(name:"CERT", value:"698564");
     script_xref(name:"CERT", value:"212892");
     script_xref(name:"MSFT", value:"MS04-012");
     script_xref(name:"MSKB", value:"828741");

     script_name(english:"MS04-012: Microsoft Hotfix (credentialed check) (828741)");
     script_summary(english:"Checks for ms04-012");

     script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
     script_set_attribute(attribute:"description", value:
    "The remote host has multiple bugs in its RPC/DCOM implementation
    (828741).

    An attacker could exploit one of these flaws to execute arbitrary code
    on the remote system.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-012");
     script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows NT, 2000, XP and
    2003.");
     # Bulletin-wide worst case (remote code execution). CVE-2003-0807 on its
     # own is rated as a partial availability impact (denial of service).
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");

     # NOTE(review): the uncredentialed companion plugin (21655) records
     # 2003/10/15 for the same bulletin; one of the two dates is stale.
     script_set_attribute(attribute:"vuln_publication_date", value:"2003/10/10");
     script_set_attribute(attribute:"patch_publication_date", value:"2004/04/13");
     script_set_attribute(attribute:"plugin_publication_date", value:"2004/04/13");

     # "local": relies on authenticated SMB access to read file versions.
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();

     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");

     # Needs the hotfix enumeration plugins to have run first; the KB key below
     # is the gate that says bulletin checks are feasible on this host.
     script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     script_require_ports(139, 445, 'Host/patch_management_checks');
     exit(0);
    }
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("misc_func.inc");
    
    # Credentialed check: compare the installed Rpcrt4.dll against the first
    # fixed build for each supported OS / service-pack combination.
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

    bulletin = 'MS04-012';
    kb = '828741';

    # When a third-party patch-management source is available, let it answer
    # first (hotfix_check_3rd_party is expected to exit on a verdict; confirm
    # against smb_hotfixes_fcheck.inc).
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

    # Service-pack windows that may still lack the fix; presumably "min,max" per
    # platform (NT4 SP6, 2000 SP2-SP4, XP SP0-SP1, 2003 SP0) — confirm against
    # smb_hotfixes.inc. Anything outside these ranges is reported not vulnerable.
    if (hotfix_check_sp_range(nt:'6', win2k:'2,4', xp:'0,1', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");

    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

    # Evaluation stops at the first match (||), so only one version line is
    # recorded per host. NT 4.0 has two lines: a plain 4.0.1381.7230 baseline and
    # a separate 4.0.1381.33xxx branch bounded by min_version (likely the
    # Terminal Server Edition build line — confirm).
    if (
      hotfix_is_vulnerable(os:"5.2", sp:0, file:"Rpcrt4.dll", version:"5.2.3790.137", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:1, file:"Rpcrt4.dll", version:"5.1.2600.1361", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:0, file:"Rpcrt4.dll", version:"5.1.2600.135", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.0", file:"Rpcrt4.dll", version:"5.0.2195.6904", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"4.0", file:"Rpcrt4.dll", version:"4.0.1381.7230", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"4.0", file:"Rpcrt4.dll", version:"4.0.1381.33551", min_version:"4.0.1381.33000", dir:"\system32", bulletin:bulletin, kb:kb)
    )
    {
      # Record the missing bulletin for downstream plugins, then report.
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      # hotfix_check_fversion_end() must run on both branches to release the
      # SMB session opened by the version checks.
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    

Oval

  • accepted: 2007-02-20T13:39:26.817-05:00
    class: vulnerability
    contributors
    • name: Christine Walzer
      organization: The MITRE Corporation
    • name: Andrew Buttner
      organization: The MITRE Corporation
    • name: Andrew Buttner
      organization: The MITRE Corporation
    description: Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request.
    family: windows
    id: oval:org.mitre.oval:def:1030
    status: accepted
    submitted: 2004-05-25T12:00:00.000-04:00
    title: Windows Server 2003 COM Internet Services/RPC over HTTP Proxy Component Buffer Overflow
    version: 65
  • accepted: 2008-03-24T04:00:55.494-04:00
    class: vulnerability
    contributors
    • name: Christine Walzer
      organization: The MITRE Corporation
    • name: John Hoyland
      organization: Centennial Software
    • name: Jonathan Baker
      organization: The MITRE Corporation
    definition_extensions
    comment: Microsoft Windows NT is installed
    oval: oval:org.mitre.oval:def:36
    description: Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request.
    family: windows
    id: oval:org.mitre.oval:def:969
    status: accepted
    submitted: 2004-05-25T12:00:00.000-04:00
    title: Windows NT COM Internet Services/RPC over HTTP Proxy Component Buffer Overflow
    version: 72
  • accepted: 2004-07-02T12:00:00.000-04:00
    class: vulnerability
    contributors
    name: Christine Walzer
    organization: The MITRE Corporation
    description: Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request.
    family: windows
    id: oval:org.mitre.oval:def:995
    status: accepted
    submitted: 2004-05-25T12:00:00.000-04:00
    title: Windows 2000 COM Internet Services/RPC over HTTP Proxy Component Buffer Overflow
    version: 64