Vulnerabilities > CVE-2004-0120 - Denial of Service vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
microsoft
nessus
exploit available
NVD
Published: 2004-06-01
Updated: 2018-10-12

Summary

The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages.

Vulnerable Configurations

Part Description Count
OS
Microsoft
3

Exploit-Db

descriptionMS Windows IIS SSL Remote Denial of Service Exploit (MS04-011). CVE-2004-0120. Dos exploit for windows platform
idEDB-ID:176
last seen2016-01-31
modified2004-04-14
published2004-04-14
reporterDavid Barroso
sourcehttps://www.exploit-db.com/download/176/
titleMicrosoft Windows IIS - SSL Remote Denial of Service Exploit MS04-011

Nessus

NASL familyWindows
NASL idMS_KB835732_SSL.NASL
descriptionThe remote host seems to be running a version of Microsoft SSL library which is vulnerable to several flaws, ranging from a denial of service to remote code executing. Any Microsoft service that utilizes SSL is vulnerable. This includes IIS 4.0, IIS 5.0, IIS 5.1, Exchange Server 5.5, Exchange Server 2000, Exchange Server 2003, and Analysis Services 2000 (included with SQL Server 2000).
last seen2020-06-01
modified2020-06-02
plugin id12204
published2004-04-13
reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/12204
titleMS04-011: Microsoft Windows SSL Library Malformed Message Remote DoS (835732) (uncredentialed check)
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if(description)
{
 script_id(12204);
 script_version("1.32");

 script_cve_id("CVE-2004-0120");
 script_bugtraq_id(10115);
 script_xref(name:"MSFT", value:"MS04-011");
 script_xref(name:"MSKB", value:"835732");

 script_name(english:"MS04-011: Microsoft Windows SSL Library Malformed Message Remote DoS (835732) (uncredentialed check)");

 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host." );
 script_set_attribute(attribute:"description", value:
"The remote host seems to be running a version of Microsoft SSL library
which is vulnerable to several flaws, ranging from a denial of service
to remote code executing.

Any Microsoft service that utilizes SSL is vulnerable.  This
includes IIS 4.0, IIS 5.0, IIS 5.1, Exchange Server 5.5, Exchange Server
2000, Exchange Server 2003, and Analysis Services 2000 (included with
SQL Server 2000)." );
 script_set_attribute(attribute:"solution", value:
"Install the Windows cumulative update from Microsoft." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-011" );

 script_set_attribute(attribute:"plugin_publication_date", value: "2004/04/13");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/04/14");
 script_cvs_date("Date: 2018/11/15 20:50:27");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_summary(english:"Checks for Microsoft Hotfix KB835732 by talking to the remote SSL service");
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows");
 script_dependencie("find_service1.nasl");
 script_require_ports("Transport/SSL", 443, 636);
 exit(0);
}

# start script

include("misc_func.inc");
ports = get_kb_list("Transport/SSL");
if ( isnull(ports) ) ports = make_list(443, 636);
else { 
       ports = add_port_in_list(list:make_list(ports), port:443);
       ports = add_port_in_list(list:ports, port:636);
}




req = raw_string(0xFF, 0xFF, 0xFF, 0xFF) + string("NESSUS");                          # Identifier
req = req + raw_string(0xFF, 0x37, 0x57, 0x73, 0x35, 0x33, 0xE6, 0x80, 0x33, 0x42);   # continuation data
req = req + crap(data:raw_string(0xFF), length:70);                             # these bytes don't matter 

foreach port (ports) {
    if(get_port_state(port)) {
        soc=open_sock_tcp(port, transport:ENCAPS_IP);
        if (soc) { 
            send(socket:soc, data:req);

            for (i=0; i<4; i++) {
                r = recv(socket:soc, length:7, timeout:1);
                if (r) break;
            }
            close(soc);

            # so, pre-patch, IIS will send back 
            # 80 05 05 00 03 00 00
            #
            # post-patch, IIS just FINs the connection


            if (r) {
                if (strlen(r) == 7) { 
                    if ( (ord(r[0]) == 0x80) && (ord(r[1]) == 0x05) && (ord(r[2]) == 0x05) ) security_hole(port);
                }
            }
        }
    }
}

Oval

  • accepted2015-08-10T04:01:11.375-04:00
    classvulnerability
    contributors
    • nameDavid Proulx
      organizationThe MITRE Corporation
    • nameGlenn Strickland
      organizationSecure Elements, Inc.
    • nameMaria Mikhno
      organizationALTX-SOFT
    definition_extensions
    commentMicrosoft Windows Server 2003 is installed
    ovaloval:org.mitre.oval:def:128
    descriptionThe Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages.
    familywindows
    idoval:org.mitre.oval:def:885
    statusaccepted
    submitted2004-04-13T12:00:00.000-04:00
    titleWindows Server 2003 SSL Library Denial of Service
    version72
  • accepted2015-08-10T04:01:11.507-04:00
    classvulnerability
    contributors
    • nameDavid Proulx
      organizationThe MITRE Corporation
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameGlenn Strickland
      organizationSecure Elements, Inc.
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    • nameMaria Mikhno
      organizationALTX-SOFT
    definition_extensions
    • commentMicrosoft Windows XP (32-bit) is installed
      ovaloval:org.mitre.oval:def:1353
    • commentMicrosoft Windows XP SP1 (32-bit) is installed
      ovaloval:org.mitre.oval:def:1
    descriptionThe Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages.
    familywindows
    idoval:org.mitre.oval:def:886
    statusaccepted
    submitted2004-04-13T12:00:00.000-04:00
    titleWindows XP SSL Library Denial of Service
    version78
  • accepted2007-05-23T15:05:54.714-04:00
    classvulnerability
    contributors
    • nameDavid Proulx
      organizationThe MITRE Corporation
    • nameGlenn Strickland
      organizationSecure Elements, Inc.
    descriptionThe Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages.
    familywindows
    idoval:org.mitre.oval:def:892
    statusaccepted
    submitted2004-04-13T12:00:00.000-04:00
    titleWindows 2000 SSL Library Denial of Service
    version65

References