Vulnerabilities > CVE-2004-0117 - Unspecified vulnerability in Microsoft products

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
microsoft
nessus

Summary

Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code.

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS04-011.NASL
descriptionThe remote host is missing a critical Microsoft Windows Security Update (835732). This update fixes various flaws that could allow an attacker to execute arbitrary code on the remote host. A series of worms (Sasser) are known to exploit this vulnerability in the wild.
last seen2020-06-01
modified2020-06-02
plugin id12205
published2004-04-13
reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/12205
titleMS04-011: Microsoft Hotfix (credentialed check) (835732)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(12205);
 script_version("1.52");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 script_cve_id(
  "CVE-2003-0533", "CVE-2003-0663", "CVE-2003-0719", "CVE-2003-0806",
  "CVE-2003-0906", "CVE-2003-0907", "CVE-2003-0908", "CVE-2003-0909",
  "CVE-2003-0910", "CVE-2004-0117", "CVE-2004-0118", "CVE-2004-0119",
  "CVE-2004-0121"
 );
 script_bugtraq_id(10111, 10113, 10117, 10119, 10122, 10124, 10125);
 script_xref(name:"CERT", value:"305206");
 script_xref(name:"CERT", value:"753212");
 script_xref(name:"CERT", value:"639428");
 script_xref(name:"CERT", value:"471260");
 script_xref(name:"CERT", value:"547028");
 script_xref(name:"CERT", value:"260588");
 script_xref(name:"CERT", value:"526084");
 script_xref(name:"CERT", value:"206468");
 script_xref(name:"CERT", value:"353956");
 script_xref(name:"CERT", value:"122076");
 script_xref(name:"CERT", value:"783748");
 script_xref(name:"CERT", value:"638548");
 script_xref(name:"MSFT", value:"MS04-011");
 script_xref(name:"MSKB", value:"835732");

 script_name(english:"MS04-011: Microsoft Hotfix (credentialed check) (835732)");
 script_summary(english:"Checks for ms04-011");

 script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
 script_set_attribute(attribute:"description", value:
"The remote host is missing a critical Microsoft Windows Security Update
(835732).

This update fixes various flaws that could allow an attacker to execute
arbitrary code on the remote host.

A series of worms (Sasser) are known to exploit this vulnerability in
the wild.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-011");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows NT, 2000, XP and
2003.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");
 script_set_attribute(attribute:"exploited_by_malware", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'MS04-011 Microsoft Private Communications Transport Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');

 script_set_attribute(attribute:"vuln_publication_date", value:"2004/03/09");
 script_set_attribute(attribute:"patch_publication_date", value:"2004/04/13");
 script_set_attribute(attribute:"plugin_publication_date", value:"2004/04/13");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS04-011';
kb = '835732';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(nt:'6', win2k:'2,4', xp:'0,1', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  hotfix_is_vulnerable(os:"5.2", sp:0, file:"Lsasrv.dll", version:"5.2.3790.134", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:1, file:"Lsasrv.dll", version:"5.1.2600.1361", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:0, file:"Lsasrv.dll", version:"5.1.2600.134", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", file:"Lsasrv.dll", version:"5.0.2195.6902", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"4.0", file:"Winsrv.dll", version:"4.0.1381.7260", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

  • accepted2004-05-25T12:00:00.000-04:00
    classvulnerability
    contributors
    nameJonathan Baker
    organizationThe MITRE Corporation
    descriptionUnknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code.
    familywindows
    idoval:org.mitre.oval:def:907
    statusaccepted
    submitted2004-04-13T12:00:00.000-04:00
    titleWindows 2000 H.323 Protocol Remote Code Execution Vulnerability
    version64
  • accepted2015-08-10T04:01:12.151-04:00
    classvulnerability
    contributors
    • nameJonathan Baker
      organizationThe MITRE Corporation
    • nameMaria Mikhno
      organizationALTX-SOFT
    definition_extensions
    commentMicrosoft Windows Server 2003 is installed
    ovaloval:org.mitre.oval:def:128
    descriptionUnknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code.
    familywindows
    idoval:org.mitre.oval:def:946
    statusaccepted
    submitted2004-04-13T12:00:00.000-04:00
    titleWindows Server 2003 H.323 Protocol Remote Code Execution Vulnerability
    version71
  • accepted2015-08-10T04:01:12.568-04:00
    classvulnerability
    contributors
    • nameJonathan Baker
      organizationThe MITRE Corporation
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    • nameMaria Mikhno
      organizationALTX-SOFT
    definition_extensions
    • commentMicrosoft Windows XP (32-bit) is installed
      ovaloval:org.mitre.oval:def:1353
    • commentMicrosoft Windows XP SP1 (32-bit) is installed
      ovaloval:org.mitre.oval:def:1
    descriptionUnknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code.
    familywindows
    idoval:org.mitre.oval:def:964
    statusaccepted
    submitted2004-04-13T12:00:00.000-04:00
    titleWindows XP H.323 Protocol Remote Code Execution Vulnerability
    version74