Vulnerabilities > CVE-2004-0116 - Remote Denial Of Service vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL

Summary

An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field.

Vulnerable Configurations

Part Description Count
OS
Microsoft
3

Nessus

  • NASL family: Windows
    NASL id: SMB_KB828741.NASL
    description: The remote host has multiple bugs in its RPC/DCOM implementation (828741). An attacker may exploit one of these flaws to execute arbitrary code on the remote system.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21655
    published: 2007-03-16
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21655
    title: MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741) (uncredentialed check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     # Plugin registration pass: only metadata is declared here, no check runs.
     script_id(21655);
     script_version("1.25");
     script_cvs_date("Date: 2018/11/15 20:50:28");
    
     # MS04-012 is a cumulative update, so one plugin claims all four CVEs.
     script_cve_id("CVE-2003-0813", "CVE-2004-0116", "CVE-2003-0807", "CVE-2004-0124");
     script_bugtraq_id(10121, 10123, 10127, 8811);
     script_xref(name:"MSFT", value:"MS04-012");
     script_xref(name:"MSKB", value:"828741");
    
     script_name(english:"MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741) (uncredentialed check)");
     script_summary(english:"Checks for MS04-012");
    
     # Synopsis and CVSS vector describe the most severe issue in the bulletin
     # (code execution); CVE-2004-0116 on its own is a denial of service.
     script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
     script_set_attribute(attribute:"description", value:
    "The remote host has multiple bugs in its RPC/DCOM implementation
    (828741).
    
    An attacker may exploit one of these flaws to execute arbitrary code
    on the remote system." );
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-012");
     script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows NT, 2000, XP and
    2003." );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2003/10/15");
     script_set_attribute(attribute:"plugin_publication_date", value:"2007/03/16");
    
     # "remote": the check below talks to the RPC port directly, no credentials needed.
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     # Closes the attribute section; keep it after the last script_set_attribute().
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows");
    
     # Host/OS/smb (required below) is expected to come from this dependency — confirm.
     script_dependencies("smb_nativelanman.nasl");
     script_require_keys("Host/OS/smb");
     script_require_ports(135, 139, 445);
     # Registration ends here; nothing after this block runs in description mode.
     exit(0);
    }
    
    #
    
    include ('smb_func.inc');
    
    function SCMActivatorGetClassObject (socket, type)
    {
      # Sends one activation request over the already-bound 'socket' and
      # returns 1 when the fault status identifies an unpatched RPCSS,
      # 0 otherwise. 'type' is accepted for signature compatibility but is
      # not used; the caller only passes 'socket'.
      local_var struct1, struct2, struct4, req, reply, status;

      # struct 1: every field zero
      struct1 = raw_word(w:0) + raw_word(w:0) +
                raw_dword(d:0) + raw_dword(d:0) + raw_dword(d:0) +
                raw_word(w:0) + raw_word(w:0) +
                raw_dword(d:0) + raw_dword(d:0) +
                raw_dword(d:0);

      # struct 2: zero
      struct2 = raw_dword(d:0) + raw_dword(d:0);

      # struct 4: the only non-zero fields of the request
      struct4 = raw_dword(d:0x20000) +
                raw_dword(d:4) +
                raw_dword(d:4) +
                raw_dword(d:0);

      req = dce_rpc_request (code:0x03, data:struct1 + struct2 + struct4);
      send (socket:socket, data:req);
      reply = recv (socket:socket, length:4096);
      if (isnull(reply))
        return 0;

      # Need a full header and a PDU type of 3 (fault) at offset 2; anything
      # else is not the response this check is looking for.
      if (strlen(reply) < 32 || ord(reply[2]) != 3)
        return 0;

      # Fault status at offset 24. 0x80010110 -> bad dcom header: the patched
      # path checks that the call is local first and answers ACCESS_DENIED,
      # so seeing the header error means the request was parsed unpatched.
      status = get_dword (blob:reply, pos:24);
      if (status == 0x80010110)
        return 1;

      return 0;
    }
    
    
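    # Only probe hosts that SMB fingerprinting reported as Windows.
    os = get_kb_item("Host/OS/smb");
    if ( "Windows" >!< os ) exit (0);
    
    
    # TCP/135: the RPC endpoint the activation request is sent to.
    port = 135;
    
    if ( ! get_port_state(port) ) exit(0);
    soc = open_sock_tcp (port);
    if (!soc) exit (0);
    
    # Bind to the interface that SCMActivatorGetClassObject() targets.
    ret = dce_rpc_bind(cid:session_get_cid(), uuid:"00000136-0000-0000-c000-000000000046", vers:0);
    send (socket:soc, data:ret);
    resp = recv (socket:soc, length:4096);
    
    if (!resp)
    {
     close (soc);
     exit (0);
    }
    
    # A non-zero or missing bind_ack status means the interface was refused.
    ret = dce_rpc_parse_bind_ack (data:resp);
    if (isnull (ret) || (ret != 0))
    {
     close (soc);
     exit (0);
    }
    
    
    ret = SCMActivatorGetClassObject (socket:soc);
    # Release the socket on this path too; previously it was only closed on
    # the early exits and leaked once the probe had completed.
    close (soc);
    if (ret == 1)
      security_hole(port);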
    
  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS04-012.NASL
    description: The remote host has multiple bugs in its RPC/DCOM implementation (828741). An attacker could exploit one of these flaws to execute arbitrary code on the remote system.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12206
    published: 2004-04-13
    reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/12206
    title: MS04-012: Microsoft Hotfix (credentialed check) (828741)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     # Plugin registration pass: only metadata is declared here, no check runs.
     script_id(12206);
     script_version("1.45");
     script_cvs_date("Date: 2018/11/15 20:50:29");
    
     # MS04-012 is a cumulative update, so one plugin claims all four CVEs.
     script_cve_id(
       "CVE-2003-0813",
       "CVE-2004-0116",
       "CVE-2003-0807",
       "CVE-2004-0124"
     );
     script_bugtraq_id(10121, 10123, 10127, 8811);
     script_xref(name:"CERT", value:"547820");
     script_xref(name:"CERT", value:"698564");
     script_xref(name:"CERT", value:"212892");
     script_xref(name:"MSFT", value:"MS04-012");
     script_xref(name:"MSKB", value:"828741");
    
     script_name(english:"MS04-012: Microsoft Hotfix (credentialed check) (828741)");
     script_summary(english:"Checks for ms04-012");
    
     # Synopsis and CVSS vector describe the most severe issue in the bulletin
     # (code execution); CVE-2004-0116 on its own is a denial of service.
     script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
     script_set_attribute(attribute:"description", value:
    "The remote host has multiple bugs in its RPC/DCOM implementation
    (828741).
    
    An attacker could exploit one of these flaws to execute arbitrary code
    on the remote system.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-012");
     script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows NT, 2000, XP and
    2003.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2003/10/10");
     script_set_attribute(attribute:"patch_publication_date", value:"2004/04/13");
     script_set_attribute(attribute:"plugin_publication_date", value:"2004/04/13");
    
     # "local": the check below compares Rpcrt4.dll versions over an SMB share,
     # which needs credentials, unlike the uncredentialed RPC probe (plugin 21655).
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     # Closes the attribute section; keep it after the last script_set_attribute().
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");
    
     script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     script_require_ports(139, 445, 'Host/patch_management_checks');
     # Registration ends here; nothing after this block runs in description mode.
     exit(0);
    }
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS04-012';
    kb = '828741';
    kbs = make_list(kb);
    
    # Hand the check to a patch-management product when one was detected.
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    # Stop unless the OS / service pack is within the ranges the bulletin covers.
    if (hotfix_check_sp_range(nt:'6', win2k:'2,4', xp:'0,1', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");
    
    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    # Rpcrt4.dll version checks per OS; evaluation stops at the first match,
    # so a later entry is only consulted when the earlier ones did not fire.
    vuln =
      hotfix_is_vulnerable(os:"5.2", sp:0, file:"Rpcrt4.dll", version:"5.2.3790.137", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:1, file:"Rpcrt4.dll", version:"5.1.2600.1361", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:0, file:"Rpcrt4.dll", version:"5.1.2600.135", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.0", file:"Rpcrt4.dll", version:"5.0.2195.6904", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"4.0", file:"Rpcrt4.dll", version:"4.0.1381.7230", dir:"\system32", bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"4.0", file:"Rpcrt4.dll", version:"4.0.1381.33551", min_version:"4.0.1381.33000", dir:"\system32", bulletin:bulletin, kb:kb);
    
    # Not affected: close the file-version session and let audit() end the plugin.
    if (!vuln)
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
    # Affected: record the missing bulletin and report before closing the session.
    set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
    hotfix_security_hole();
    hotfix_check_fversion_end();
    exit(0);
    

Oval

  • accepted: 2011-05-16T04:03:37.564-04:00
    class: vulnerability
    contributors
    • name: Christine Walzer
      organization: The MITRE Corporation
    • name: Shane Shaffer
      organization: G2, Inc.
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    description: An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field.
    family: windows
    id: oval:org.mitre.oval:def:955
    status: accepted
    submitted: 2004-04-20T12:00:00.000-04:00
    title: Windows 2000 RPCSS Service DCOM Activation Denial of Service
    version: 69
  • accepted: 2014-07-14T04:01:31.800-04:00
    class: vulnerability
    contributors
    • name: Christine Walzer
      organization: The MITRE Corporation
    • name: Christine Walzer
      organization: The MITRE Corporation
    • name: Maria Mikhno
      organization: ALTX-SOFT
    definition_extensions
    comment: Microsoft Windows Server 2003 is installed
    oval: oval:org.mitre.oval:def:128
    description: An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field.
    family: windows
    id: oval:org.mitre.oval:def:957
    status: accepted
    submitted: 2004-04-20T12:00:00.000-04:00
    title: Server 2003 RPCSS Service DCOM Activation Denial of Service
    version: 71
  • accepted: 2015-08-10T04:01:12.307-04:00
    class: vulnerability
    contributors
    • name: Christine Walzer
      organization: The MITRE Corporation
    • name: Christine Walzer
      organization: The MITRE Corporation
    • name: Shane Shaffer
      organization: G2, Inc.
    • name: Sudhir Gandhe
      organization: Telos
    • name: Shane Shaffer
      organization: G2, Inc.
    • name: Maria Mikhno
      organization: ALTX-SOFT
    definition_extensions
    • comment: Microsoft Windows XP (32-bit) is installed
      oval: oval:org.mitre.oval:def:1353
    • comment: Microsoft Windows XP SP1 (32-bit) is installed
      oval: oval:org.mitre.oval:def:1
    description: An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field.
    family: windows
    id: oval:org.mitre.oval:def:958
    status: accepted
    submitted: 2004-04-20T12:00:00.000-04:00
    title: Windows XP RPCSS Service DCOM Activation Denial of Service
    version: 77