Vulnerabilities > CVE-2003-0812 - Remote Buffer Overflow vulnerability in Microsoft Windows 2000 and Windows XP

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
microsoft
nessus
exploit available
metasploit

Summary

Stack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API.

Vulnerable Configurations

Part Description Count
OS
Microsoft
11

Exploit-Db

  • descriptionMS Windows 2000/XP Workstation Service Overflow (MS03-049). CVE-2003-0812. Remote exploit for windows platform
    idEDB-ID:119
    last seen2016-01-31
    modified2003-11-12
    published2003-11-12
    reportereEYe
    sourcehttps://www.exploit-db.com/download/119/
    titleMicrosoft Windows 2000/XP - Workstation Service Overflow MS03-049
  • descriptionMS Windows XP Workstation Service Remote Exploit (MS03-049). CVE-2003-0812. Remote exploit for windows platform
    idEDB-ID:130
    last seen2016-01-31
    modified2003-12-04
    published2003-12-04
    reporterfiNis
    sourcehttps://www.exploit-db.com/download/130/
    titleMicrosoft Windows XP Workstation Service Remote Exploit MS03-049
  • descriptionMS Windows Workstation Service WKSSVC Remote Exploit (MS03-049). CVE-2003-0812. Remote exploit for windows platform
    idEDB-ID:123
    last seen2016-01-31
    modified2003-11-14
    published2003-11-14
    reportersnooq
    sourcehttps://www.exploit-db.com/download/123/
    titleMicrosoft Windows Workstation Service WKSSVC Remote Exploit MS03-049
  • descriptionMicrosoft Workstation Service NetAddAlternateComputerName Overflow. CVE-2003-0812. Remote exploit for windows platform
    idEDB-ID:16378
    last seen2016-02-01
    modified2010-05-09
    published2010-05-09
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/16378/
    titleMicrosoft Workstation Service NetAddAlternateComputerName Overflow

Metasploit

descriptionThis module exploits a stack buffer overflow in the NetApi32 NetAddAlternateComputerName function using the Workstation service in Windows XP.
idMSF:EXPLOIT/WINDOWS/SMB/MS03_049_NETAPI
last seen2020-01-12
modified2017-07-24
published2006-09-10
referenceshttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0812
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms03_049_netapi.rb
titleMS03-049 Microsoft Workstation Service NetAddAlternateComputerName Overflow

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS03-049.NASL
descriptionThe remote version of Windows contains a flaw in the function NetpValidateName() in the WorkStation service that could allow an attacker to execute arbitrary code on the remote host with the SYSTEM privileges. A series of worms (Welchia, Spybot, ...) are known to exploit this vulnerability in the wild.
last seen2020-06-01
modified2020-06-02
plugin id11921
published2003-11-11
reporterThis script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/11921
titleMS03-049: Buffer Overflow in the Workstation Service (828749)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(11921);
 script_version("1.57");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 script_cve_id("CVE-2003-0812");
 script_bugtraq_id(9011);
 script_xref(name:"CERT-CC", value:"CA-2003-28");
 script_xref(name:"MSFT", value:"MS03-049");
 script_xref(name:"CERT", value:"567620");
 script_xref(name:"MSKB", value:"828035");
 script_xref(name:"MSKB", value:"828749");

 script_name(english:"MS03-049: Buffer Overflow in the Workstation Service (828749)");
 script_summary(english:"Checks for hotfix 828749");

 script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
 script_set_attribute(attribute:"description", value:
"The remote version of Windows contains a flaw in the function
NetpValidateName() in the WorkStation service that could allow an
attacker to execute arbitrary code on the remote host with the SYSTEM
privileges.

A series of worms (Welchia, Spybot, ...) are known to exploit this
vulnerability in the wild.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2003/ms03-049");
 script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000 and XP.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
 script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'MS03-049 Microsoft Workstation Service NetAddAlternateComputerName Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');

 script_set_attribute(attribute:"vuln_publication_date", value:"2003/11/11");
 script_set_attribute(attribute:"patch_publication_date", value:"2003/11/11");
 script_set_attribute(attribute:"plugin_publication_date", value:"2003/11/11");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS03-049';
kbs = make_list("828035", "828749");
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2k:'2,4', xp:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);


if (
  hotfix_is_vulnerable(os:"5.1", sp:1, file:"Msasn1.dll", version:"5.1.2600.1309", dir:"\system32", bulletin:bulletin, kb:'828035') ||
  hotfix_is_vulnerable(os:"5.1", sp:0, file:"Msasn1.dll", version:"5.1.2600.121", dir:"\system32", bulletin:bulletin, kb:'828035') ||

  hotfix_is_vulnerable(os:"5.0", file:"wkssvc.dll", version:"5.0.2195.6862", dir:"\system32", bulletin:bulletin, kb:'828749')
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

  • accepted2011-10-03T04:00:05.904-04:00
    classvulnerability
    contributors
    • nameAndrew Buttner
      organizationThe MITRE Corporation
    • nameAndrew Buttner
      organizationThe MITRE Corporation
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    • namePradeep R B
      organizationSecPod Technologies
    descriptionStack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API.
    familywindows
    idoval:org.mitre.oval:def:331
    statusaccepted
    submitted2003-11-12T12:00:00.000-04:00
    titleWindows XP Workstation Service Logging Function Buffer Overflow
    version73
  • accepted2011-10-03T04:00:06.592-04:00
    classvulnerability
    contributors
    • nameTiffany Bergeron
      organizationThe MITRE Corporation
    • namePradeep R B
      organizationSecPod Technologies
    descriptionStack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API.
    familywindows
    idoval:org.mitre.oval:def:575
    statusaccepted
    submitted2003-11-12T12:00:00.000-04:00
    titleWindows 2000 Workstation Service Logging Function Buffer Overflow
    version66

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/83213/ms03_049_netapi.rb.txt
idPACKETSTORM:83213
last seen2016-12-05
published2009-11-26
reporterH D Moore
sourcehttps://packetstormsecurity.com/files/83213/Microsoft-Workstation-Service-NetAddAlternateComputerName-Overflow.html
titleMicrosoft Workstation Service NetAddAlternateComputerName Overflow

Seebug

bulletinFamilyexploit
description<p><strong>漏洞描述:</strong></p><p>Microsoft DCE/RPC服务可以提供网络管理功能,这些功能提供管理用户帐户和网络资源管理的功能。部分网络管理功能在Windows目录下的"debug"子目录会生成调试日志文件。</p><p>Microsoft Workstation服务在处理日志记录时缺少充分的边界缓冲区检查,远程攻击者可以利用这个漏洞提供超长参数触发缓冲区溢出,以SYSTEM权限在系统上执行任意指令。 </p><p>日志功能中使用vsprintf()在日志文件中生成字符串,日志文件名为"NetSetup.LOG",其保存在Windows "debug"目录中。 </p><p>这个记录函数有部分处理Workstation服务命令的函数调用,如"NetValidateName", "NetJoinDomain"等,在这NetValidateName()中,"computer name"作为第二个参数最终记录在日志文件中。</p><p>&nbsp;如我们使用NetValidateName() API:NetValidateName(L"\\\\192.168.0.100","AAAAAAAA",NULL,NULL,0); 那么我们可以在远程主机中产生如下记录条目:</p><p>08/13 13:01:01 NetpValidateName: checking to see if '' is valid as type 0 name </p><p>08/13 13:01:01 NetpValidateName: '' is not a valid NetBIOS \\AAAAAAAA name: 0x57 </p><p>如果我们指定超长字符串作为NetValidateName() API的第二个参数,如果调试文件可写就可以在特定主机上发生缓冲区溢出。</p><p>&nbsp;一般如果是NTFS文件系统,在Windows目录中的"debug"目录不允许所有人可写,这表示不能使用NULL会话来生成日志。WsImpersonateClient() API在打开日志文件前调用,如果连接客户端没有有效的权限来写日志文件,那么CreateFile()就会失败,vsprintf()就不会被执行,因此此漏洞在FAT32系统和"%SYSTEMROOT%\debug"目录可写的情况下可被利用。 </p><p>但是部分扩展RPC函数实现在Windows XP上在调用WsImpersonateClient()前打开日志文件,不过这些RPC函数没有提供文档化说明,不过可以观察在WKSSVC.DLL中的函数表观察到。这些扩展命令的RPC号开始于0x1B,如0x1B调用NetpManageComputers(),但在打开日志文件前不调用WsImpersonateClient()。</p><p>NetpManageComputers()的使用没有被公开化,但是我们可以在"LMJoin.h"中找到NetAddAlternateComputerName() API的原型定义,这个API从NETAPI32.DLL导出,这个API也一样没有文档化。我们可以执行这个RPC函数(0x1B)使用如下API产生包:</p><p>NetAddAlternateComputerName(L"\\\\192.168.0.200",long_unicode_string,NULL,NULL,0); </p><p>我们不需要特殊权限在远程主机上写第二个产生到日志文件中,如定义超长Unicode字符串作为第二个参数("AlternateName"),在第一个参数定义的远程系统就会由于缓冲区溢出而崩溃。Unicode字符串"long_unicode_string"会在日志记录函数调用前被转换为ASCII字符串。</p><p><strong>漏洞影响:</strong></p><p>受影响系统:</p><p>•Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4 </p><p>•Microsoft Windows XP, Microsoft Windows XP Service Pack 1 </p><p>•Microsoft Windows XP 64-Bit Edition</p><p>不受影响的系统:</p><p>•Microsoft Windows NT Workstation 4.0, Service Pack 6a </p><p>•Microsoft Windows NT Server 4.0, Service Pack 6a </p><p>•Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6</p><p>•Microsoft Windows Millennium Edition </p><p>•Microsoft Windows XP 64-Bit Edition Version 2003 </p><p>•Microsoft Windows Server 2003 </p><p>•Microsoft Windows Server 2003 64-Bit Edition </p><p><strong>CVE-ID:CVE-2003-0812 </strong></p><p><strong>CNNVD-ID:CNNVD-200312-058</strong></p><p><strong>CNVD-ID:CNVD-2003-3336 </strong></p><p><strong>解决方案:</strong></p><p>Microsoft</p><p>&nbsp;--------- </p><p>Microsoft已经为此发布了一个安全公告(MS03-049)以及相应补丁:</p><p>MS03-049:Buffer Overrun in the Workstation Service Could Allow Code Execution (828749)链接:<a href="http://www.microsoft.com/technet/security/bulletin/MS03-049.asp">http://www.microsoft.com/technet/security/bulletin/MS03-049.asp</a></p><p>补丁下载:Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4 <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=2467FE46-D167-479C-9638-D4D79483F261&amp;displaylang=en">http://www.microsoft.com/downloads/details.aspx?FamilyId=2467FE46-D167-479C-9638-D4D79483F261&amp;displaylang=en</a> </p><p>Microsoft Windows XP, Microsoft Windows XP Service Pack 1 <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=F02DA309-4B0A-4438-A0B9-5B67414C3833&amp;displaylang=en">http://www.microsoft.com/downloads/details.aspx?FamilyId=F02DA309-4B0A-4438-A0B9-5B67414C3833&amp;displaylang=en</a> </p><p>Microsoft Windows XP 64-Bit Edition <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=2BE95254-4C65-4CA5-80A5-55FDF5AA2296&amp;displaylang=en">http://www.microsoft.com/downloads/details.aspx?FamilyId=2BE95254-4C65-4CA5-80A5-55FDF5AA2296&amp;displaylang=en</a></p>
idSSV:13799
last seen2017-11-19
modified2003-12-04
published2003-12-04
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-13799
titleMS Windows XP Workstation Service Remote Exploit (MS03-049)