CVE-2003-0813 - Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Microsoft products
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Summary
A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities.
Vulnerable Configurations
Part | Description | Count
---|---|---
OS | | 10
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions via Symbolic Links: This attack leverages the use of symbolic links (symlinks) in order to write to sensitive files. An attacker can create a symlink to a target file not otherwise accessible to her. When the privileged program tries to create a temporary file with the same name as the symlink, it will actually write to the target file pointed to by the attacker's symlink. If the attacker can insert malicious content in the temporary file, she will be writing to the sensitive file by using the symlink. The race occurs because the system checks whether the temporary file exists, then creates the file. The attacker would typically create the symlink during the interval between the check and the creation of the temporary file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions: This attack targets a race condition occurring between the time of check (of a resource's state) and the time of use of that resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that interval, the attacker could do something such as replace the file and cause an escalation of privilege.
Nessus
- NASL family: Windows
- NASL id: SMB_KB828741.NASL
- description: The remote host has multiple bugs in its RPC/DCOM implementation (828741). An attacker may exploit one of these flaws to execute arbitrary code on the remote system.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 21655
- published: 2007-03-16
- reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/21655
- title: MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741) (uncredentialed check)
- code:

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(21655);
  script_version("1.25");
  script_cvs_date("Date: 2018/11/15 20:50:28");

  script_cve_id("CVE-2003-0813", "CVE-2004-0116", "CVE-2003-0807", "CVE-2004-0124");
  script_bugtraq_id(10121, 10123, 10127, 8811);
  script_xref(name:"MSFT", value:"MS04-012");
  script_xref(name:"MSKB", value:"828741");

  script_name(english:"MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741) (uncredentialed check)");
  script_summary(english:"Checks for MS04-012");

  script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
  script_set_attribute(attribute:"description", value:
"The remote host has multiple bugs in its RPC/DCOM implementation (828741).
An attacker may exploit one of these flaws to execute arbitrary code on the remote system.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-012");
  script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows NT, 2000, XP and 2003.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2003/10/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/03/16");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
  script_family(english:"Windows");

  script_dependencies("smb_nativelanman.nasl");
  script_require_keys("Host/OS/smb");
  script_require_ports(135, 139, 445);

  exit(0);
}

#

include('smb_func.inc');

# Sends a SCMActivator GetClassObject request with an empty header and
# checks whether the server answers with the 0x80010110 status code.
function SCMActivatorGetClassObject(socket, type)
{
  local_var data, ret, resp, code;

  data =
    # struct 1
    raw_word(w:0) +
    raw_word(w:0) +
    raw_dword(d:0) +
    raw_dword(d:0) +
    raw_dword(d:0) +
    raw_word(w:0) +
    raw_word(w:0) +
    raw_dword(d:0) +
    raw_dword(d:0) +
    raw_dword(d:0) +
    # struct 2
    raw_dword(d:0) +
    raw_dword(d:0) +
    # struct4
    raw_dword(d:0x20000) +
    raw_dword(d:4) +
    raw_dword(d:4) +
    raw_dword(d:0);

  ret = dce_rpc_request(code:0x03, data:data);
  send(socket:socket, data:ret);
  resp = recv(socket:socket, length:4096);

  if (isnull(resp))
    return 0;

  if (strlen(resp) < 32 || ord(resp[2]) != 3)
    return 0;

  # 0x80010110 -> bad dcom header. Path should check it is a local call first and return ACCESS_DENIED
  code = get_dword(blob:resp, pos:24);
  if (code == 0x80010110)
    return 1;

  return 0;
}

os = get_kb_item("Host/OS/smb");
if ("Windows" >!< os) exit(0);

port = 135;
if (!get_port_state(port)) exit(0);

soc = open_sock_tcp(port);
if (!soc) exit(0);

ret = dce_rpc_bind(cid:session_get_cid(), uuid:"00000136-0000-0000-c000-000000000046", vers:0);
send(socket:soc, data:ret);
resp = recv(socket:soc, length:4096);
if (!resp)
{
  close(soc);
  exit(0);
}

ret = dce_rpc_parse_bind_ack(data:resp);
if (isnull(ret) || (ret != 0))
{
  close(soc);
  exit(0);
}

ret = SCMActivatorGetClassObject(socket:soc);
if (ret == 1)
  security_hole(port);
```
- NASL family: Windows : Microsoft Bulletins
- NASL id: SMB_NT_MS04-012.NASL
- description: The remote host has multiple bugs in its RPC/DCOM implementation (828741). An attacker could exploit one of these flaws to execute arbitrary code on the remote system.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 12206
- published: 2004-04-13
- reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/12206
- title: MS04-012: Microsoft Hotfix (credentialed check) (828741)
- code:

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(12206);
  script_version("1.45");
  script_cvs_date("Date: 2018/11/15 20:50:29");

  script_cve_id(
    "CVE-2003-0813",
    "CVE-2004-0116",
    "CVE-2003-0807",
    "CVE-2004-0124"
  );
  script_bugtraq_id(10121, 10123, 10127, 8811);
  script_xref(name:"CERT", value:"547820");
  script_xref(name:"CERT", value:"698564");
  script_xref(name:"CERT", value:"212892");
  script_xref(name:"MSFT", value:"MS04-012");
  script_xref(name:"MSKB", value:"828741");

  script_name(english:"MS04-012: Microsoft Hotfix (credentialed check) (828741)");
  script_summary(english:"Checks for ms04-012");

  script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
  script_set_attribute(attribute:"description", value:
"The remote host has multiple bugs in its RPC/DCOM implementation (828741).
An attacker could exploit one of these flaws to execute arbitrary code on the remote system.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-012");
  script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows NT, 2000, XP and 2003.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2003/10/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2004/04/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/04/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
  script_family(english:"Windows : Microsoft Bulletins");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS04-012';
kb = '828741';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks"))
  hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only the listed OS / service pack combinations are affected.
if (hotfix_check_sp_range(nt:'6', win2k:'2,4', xp:'0,1', win2003:'0') <= 0)
  audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# The host is vulnerable if its Rpcrt4.dll is older than the patched build for its OS version.
if (
  hotfix_is_vulnerable(os:"5.2", sp:0, file:"Rpcrt4.dll", version:"5.2.3790.137", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:1, file:"Rpcrt4.dll", version:"5.1.2600.1361", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:0, file:"Rpcrt4.dll", version:"5.1.2600.135", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", file:"Rpcrt4.dll", version:"5.0.2195.6904", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"4.0", file:"Rpcrt4.dll", version:"4.0.1381.7230", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"4.0", file:"Rpcrt4.dll", version:"4.0.1381.33551", min_version:"4.0.1381.33000", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
```
Oval
Definition oval:org.mitre.oval:def:893
- accepted: 2004-06-16T12:00:00.000-04:00
- class: vulnerability
- contributors: Christine Walzer (The MITRE Corporation)
- description: A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities.
- family: windows
- id: oval:org.mitre.oval:def:893
- status: accepted
- submitted: 2004-04-20T12:00:00.000-04:00
- title: Windows 2000 RPCSS DCOM Buffer Overflow (Blaster, Test 3)
- version: 65

Definition oval:org.mitre.oval:def:894
- accepted: 2014-07-14T04:01:31.668-04:00
- class: vulnerability
- contributors: Christine Walzer (The MITRE Corporation); Maria Mikhno (ALTX-SOFT)
- definition_extensions: Microsoft Windows Server 2003 is installed (oval:org.mitre.oval:def:128)
- description: A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities.
- family: windows
- id: oval:org.mitre.oval:def:894
- status: accepted
- submitted: 2004-04-20T12:00:00.000-04:00
- title: Server 2003 RPCSS DCOM Buffer Overflow
- version: 71

Definition oval:org.mitre.oval:def:900
- accepted: 2015-08-10T04:01:11.914-04:00
- class: vulnerability
- contributors: Christine Walzer (The MITRE Corporation); Sudhir Gandhe (Telos); Shane Shaffer (G2, Inc.); Maria Mikhno (ALTX-SOFT)
- definition_extensions: Microsoft Windows XP (32-bit) is installed (oval:org.mitre.oval:def:1353); Microsoft Windows XP SP1 (32-bit) is installed (oval:org.mitre.oval:def:1)
- description: A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities.
- family: windows
- id: oval:org.mitre.oval:def:900
- status: accepted
- submitted: 2004-04-20T12:00:00.000-04:00
- title: Windows XP RPCSS DCOM Buffer Overflow (Blaster)
- version: 75
References
- http://www.kb.cert.org/vuls/id/547820
- http://xforce.iss.net/xforce/alerts/id/155
- http://lists.grok.org.uk/pipermail/full-disclosure/2003-October/011870.html
- http://lists.grok.org.uk/pipermail/full-disclosure/2003-October/011886.html
- http://www.securitylab.ru/_exploits/rpc2.c.txt
- http://lists.grok.org.uk/pipermail/full-disclosure/2003-October/011901.html
- http://www.us-cert.gov/cas/techalerts/TA04-104A.html
- http://www.securityfocus.com/bid/8811
- http://marc.info/?l=bugtraq&m=106579825211708&w=2
- http://marc.info/?l=bugtraq&m=106588827513795&w=2
- http://marc.info/?l=ntbugtraq&m=106580303918155&w=2
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A900
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A894
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A893
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-012