CVE-2003-0812 - Remote Buffer Overflow vulnerability in Microsoft Windows 2000 and Windows XP
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |
Summary
Stack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | | 11 |
Exploit-Db
EDB-ID | Title | Reporter | Published | Last seen | Source |
---|---|---|---|---|---|
119 | Microsoft Windows 2000/XP - Workstation Service Overflow MS03-049 | eEYe | 2003-11-12 | 2016-01-31 | https://www.exploit-db.com/download/119/ |
123 | Microsoft Windows Workstation Service WKSSVC Remote Exploit MS03-049 | snooq | 2003-11-14 | 2016-01-31 | https://www.exploit-db.com/download/123/ |
130 | Microsoft Windows XP Workstation Service Remote Exploit MS03-049 | fiNis | 2003-12-04 | 2016-01-31 | https://www.exploit-db.com/download/130/ |
16378 | Microsoft Workstation Service NetAddAlternateComputerName Overflow | metasploit | 2010-05-09 | 2016-02-01 | https://www.exploit-db.com/download/16378/ |

All four are remote exploits for the Windows platform and reference CVE-2003-0812; the modified date of each entry equals its published date.
Metasploit
description | This module exploits a stack buffer overflow in the NetApi32 NetAddAlternateComputerName function using the Workstation service in Windows XP. |
id | MSF:EXPLOIT/WINDOWS/SMB/MS03_049_NETAPI |
last seen | 2020-01-12 |
modified | 2017-07-24 |
published | 2006-09-10 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0812 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms03_049_netapi.rb |
title | MS03-049 Microsoft Workstation Service NetAddAlternateComputerName Overflow |
Nessus
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS03-049.NASL |
description | The remote version of Windows contains a flaw in the function NetpValidateName() in the WorkStation service that could allow an attacker to execute arbitrary code on the remote host with the SYSTEM privileges. A series of worms (Welchia, Spybot, ...) are known to exploit this vulnerability in the wild. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 11921 |
published | 2003-11-11 |
reporter | This script is Copyright (C) 2003-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/11921 |
title | MS03-049: Buffer Overflow in the Workstation Service (828749) |
Oval
id | oval:org.mitre.oval:def:331 |
title | Windows XP Workstation Service Logging Function Buffer Overflow |
class | vulnerability |
family | windows |
status | accepted |
version | 73 |
submitted | 2003-11-12T12:00:00.000-04:00 |
accepted | 2011-10-03T04:00:05.904-04:00 |
contributors | Andrew Buttner (The MITRE Corporation), Christine Walzer (The MITRE Corporation), Shane Shaffer (G2, Inc.), Sudhir Gandhe (Telos), Pradeep R B (SecPod Technologies) |
description | Stack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API. |

id | oval:org.mitre.oval:def:575 |
title | Windows 2000 Workstation Service Logging Function Buffer Overflow |
class | vulnerability |
family | windows |
status | accepted |
version | 66 |
submitted | 2003-11-12T12:00:00.000-04:00 |
accepted | 2011-10-03T04:00:06.592-04:00 |
contributors | Tiffany Bergeron (The MITRE Corporation), Pradeep R B (SecPod Technologies) |
description | Stack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API. |
Packetstorm
data source | https://packetstormsecurity.com/files/download/83213/ms03_049_netapi.rb.txt |
id | PACKETSTORM:83213 |
last seen | 2016-12-05 |
published | 2009-11-26 |
reporter | H D Moore |
source | https://packetstormsecurity.com/files/83213/Microsoft-Workstation-Service-NetAddAlternateComputerName-Overflow.html |
title | Microsoft Workstation Service NetAddAlternateComputerName Overflow |
Seebug
bulletinFamily | exploit |
description |

Vulnerability description:

Microsoft DCE/RPC services expose network management functions for managing user accounts and network resources. Some of these functions write debug log files to the "debug" subdirectory of the Windows directory.

The Microsoft Workstation service performs insufficient bounds checking when writing log entries. A remote attacker can supply an overlong parameter to trigger a buffer overflow and execute arbitrary instructions on the system with SYSTEM privileges.

The logging function builds the string written to the log file with vsprintf(). The log file is named "NetSetup.LOG" and lives in the Windows "debug" directory.

This logging function is called by some of the functions that handle Workstation service commands, such as "NetValidateName" and "NetJoinDomain". In NetValidateName() the "computer name" passed as the second parameter ends up in the log file.

For example, the call NetValidateName(L"\\\\192.168.0.100","AAAAAAAA",NULL,NULL,0); produces the following entries on the remote host:

08/13 13:01:01 NetpValidateName: checking to see if '' is valid as type 0 name

08/13 13:01:01 NetpValidateName: '' is not a valid NetBIOS \\AAAAAAAA name: 0x57

If an overlong string is supplied as the second parameter of NetValidateName(), a buffer overflow occurs on the target host, provided the debug log file is writable.

Normally, on an NTFS file system, the "debug" directory under the Windows directory is not world-writable, so a NULL session cannot produce log entries. WsImpersonateClient() is called before the log file is opened; if the connecting client lacks the rights to write the log file, CreateFile() fails and vsprintf() is never reached. Through this path the flaw is therefore exploitable only on FAT32, or when "%SYSTEMROOT%\debug" is writable.

However, some extended RPC functions implemented on Windows XP open the log file before calling WsImpersonateClient(). These RPC functions are undocumented but can be seen in the function table of WKSSVC.DLL. The extended opcodes begin at 0x1B; opcode 0x1B, for example, calls NetpManageComputers(), which does not call WsImpersonateClient() before opening the log file.

The use of NetpManageComputers() is not public, but the prototype of the NetAddAlternateComputerName() API, exported from NETAPI32.DLL and likewise undocumented, can be found in "LMJoin.h". This RPC function (opcode 0x1B) can be driven with the following API call:

NetAddAlternateComputerName(L"\\\\192.168.0.200",long_unicode_string,NULL,NULL,0);

No special privileges are needed on the remote host to get the second parameter written to the log file. Passing an overlong Unicode string as the second parameter ("AlternateName") crashes the remote system named in the first parameter through a buffer overflow. The Unicode string "long_unicode_string" is converted to ASCII before the logging function is called.

Impact:

Affected systems:

- Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
- Microsoft Windows XP, Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition

Unaffected systems:

- Microsoft Windows NT Workstation 4.0, Service Pack 6a
- Microsoft Windows NT Server 4.0, Service Pack 6a
- Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
- Microsoft Windows Millennium Edition
- Microsoft Windows XP 64-Bit Edition Version 2003
- Microsoft Windows Server 2003
- Microsoft Windows Server 2003 64-Bit Edition

CVE-ID: CVE-2003-0812

CNNVD-ID: CNNVD-200312-058

CNVD-ID: CNVD-2003-3336

Solution:

Microsoft has published a security bulletin (MS03-049) and a corresponding patch:

MS03-049: Buffer Overrun in the Workstation Service Could Allow Code Execution (828749): http://www.microsoft.com/technet/security/bulletin/MS03-049.asp

Patch downloads:

- Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4: http://www.microsoft.com/downloads/details.aspx?FamilyId=2467FE46-D167-479C-9638-D4D79483F261&displaylang=en
- Microsoft Windows XP, Microsoft Windows XP Service Pack 1: http://www.microsoft.com/downloads/details.aspx?FamilyId=F02DA309-4B0A-4438-A0B9-5B67414C3833&displaylang=en
- Microsoft Windows XP 64-Bit Edition: http://www.microsoft.com/downloads/details.aspx?FamilyId=2BE95254-4C65-4CA5-80A5-55FDF5AA2296&displaylang=en
id | SSV:13799 |
last seen | 2017-11-19 |
modified | 2003-12-04 |
published | 2003-12-04 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-13799 |
title | MS Windows XP Workstation Service Remote Exploit (MS03-049) |
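The logging pattern the Seebug entry describes (vsprintf() into a fixed stack buffer, fed by a caller-controlled computer name), shown next to a bounded form, as an added example that is not from this page and is not Microsoft's WKSSVC.DLL code. The buffer size LOG_BUF_SIZE, the timestamp and the exact format string are assumptions modelled on the sample NetSetup.LOG line; the page does not give the real buffer size. The overflow check measures the record with a zero-size snprintf() rather than ever running the vulnerable routine with a long name, so the example runs safely.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the stack buffer in the logging routine. The page does not
 * give the real WKSSVC.DLL figure; 256 is a stand-in for illustration. */
#define LOG_BUF_SIZE 256

/* Format string and timestamp modelled on the sample NetSetup.LOG line
 * (assumptions, not recovered from the binary). */
static const char LOG_FMT[] =
    "%s NetpValidateName: checking to see if '%s' is valid as type %d name\n";
static const char STAMP[] = "08/13 13:01:01";

/* Vulnerable pattern from the advisory text: vsprintf() into a fixed stack
 * buffer with no bound. A name long enough that the formatted line exceeds
 * LOG_BUF_SIZE writes past 'line' (undefined behaviour). Kept only for
 * comparison; main() feeds it a short name. */
static void write_log_entry_vulnerable(FILE *log, const char *fmt, ...)
{
    char line[LOG_BUF_SIZE];
    va_list ap;
    va_start(ap, fmt);
    vsprintf(line, fmt, ap);          /* the bug: no length check */
    va_end(ap);
    fputs(line, log);
}

/* Hardened form: bounded formatting plus an explicit truncation signal.
 * Returns 0 when the whole record fit in dst, -1 when it was cut short.
 * dst is NUL-terminated either way, but a truncated record should be
 * refused rather than written, since its tail is attacker-controlled. */
int format_log_entry(char *dst, size_t cap, const char *name)
{
    int n = snprintf(dst, cap, LOG_FMT, STAMP, name, 0);
    if (n < 0) {
        if (cap) dst[0] = '\0';
        return -1;
    }
    return (size_t)n < cap ? 0 : -1;
}

/* Bytes the formatted record would need (without the NUL), computed with a
 * zero-size snprintf() so nothing is written anywhere. */
size_t formatted_length(const char *name)
{
    int n = snprintf(NULL, 0, LOG_FMT, STAMP, name, 0);
    return n < 0 ? 0 : (size_t)n;
}

/* True when a name of this length would overflow the vulnerable routine's
 * buffer (the terminating NUL needs a byte too). The name is built from
 * 'A's, like the advisory's example. */
bool name_of_length_overflows(size_t len)
{
    char *name = malloc(len + 1);
    if (!name) return false;
    memset(name, 'A', len);
    name[len] = '\0';
    bool overflows = formatted_length(name) + 1 > LOG_BUF_SIZE;
    free(name);
    return overflows;
}

int main(void)
{
    char line[LOG_BUF_SIZE];
    char longname[300];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    /* Short name: both paths produce the same record. */
    write_log_entry_vulnerable(stdout, LOG_FMT, STAMP, "AAAAAAAA", 0);
    if (format_log_entry(line, sizeof line, "AAAAAAAA") == 0)
        fputs(line, stdout);

    /* Long name: report what the vulnerable path would do, then show the
     * hardened path refusing the record instead of overflowing. */
    printf("8-byte name overflows: %s\n",
           name_of_length_overflows(8) ? "yes" : "no");
    printf("299-byte name overflows: %s\n",
           name_of_length_overflows(299) ? "yes" : "no");
    if (format_log_entry(line, sizeof line, longname) < 0)
        printf("hardened path: record cut to %zu bytes, refused\n", strlen(line));
    return 0;
}
```

The point the example makes is the one the advisory makes: the length of the log record is decided by the RPC client, so a fixed buffer plus an unbounded formatter is a remote overflow regardless of how the log file was opened. Bounding the formatter removes the memory corruption; deciding whether a client may write the log at all (the WsImpersonateClient() ordering the entry discusses) is a separate check that the XP opcode 0x1B path skipped.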
References
- http://marc.info/?l=bugtraq&m=106859247713009&w=2
- http://marc.info/?l=bugtraq&m=106865197102041&w=2
- http://www.cert.org/advisories/CA-2003-28.html
- http://www.cisco.com/warp/public/707/cisco-sa-20040129-ms03-049.shtml
- http://www.kb.cert.org/vuls/id/567620
- http://www.securityfocus.com/bid/9011
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-049
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A331
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A575