Vulnerabilities > CVE-2004-0124 - Unspecified vulnerability in Microsoft products

CVSS 2.6 - LOW
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE

Summary

The DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability."

Nessus

  • NASL familyWindows
    NASL idSMB_KB828741.NASL
    descriptionThe remote host has multiple bugs in its RPC/DCOM implementation (828741). An attacker may exploit one of these flaws to execute arbitrary code on the remote system.
    last seen2020-06-01
    modified2020-06-02
    plugin id21655
    published2007-03-16
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/21655
    titleMS04-012: Cumulative Update for Microsoft RPC/DCOM (828741) (uncredentialed check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: when the scanner loads the plugin with `description`
    # set, only metadata is declared and the script exits before any network
    # activity. The detection logic further down runs on the scan pass.
    if (description)
    {
     script_id(21655);
     script_version("1.25");
     script_cvs_date("Date: 2018/11/15 20:50:28");

     # One plugin covers all four CVEs fixed by the cumulative MS04-012 update.
     script_cve_id("CVE-2003-0813", "CVE-2004-0116", "CVE-2003-0807", "CVE-2004-0124");
     script_bugtraq_id(10121, 10123, 10127, 8811);
     script_xref(name:"MSFT", value:"MS04-012");
     script_xref(name:"MSKB", value:"828741");

     script_name(english:"MS04-012: Cumulative Update for Microsoft RPC/DCOM (828741) (uncredentialed check)");
     script_summary(english:"Checks for MS04-012");

     script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
     script_set_attribute(attribute:"description", value:
    "The remote host has multiple bugs in its RPC/DCOM implementation
    (828741).

    An attacker may exploit one of these flaws to execute arbitrary code
    on the remote system." );
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-012");
     script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows NT, 2000, XP and
    2003." );
     # The base vector scores the cumulative bulletin as a whole (the four
     # CVEs above), so it will differ from the CVSS of any single CVE it covers.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");

     script_set_attribute(attribute:"vuln_publication_date", value:"2003/10/15");
     script_set_attribute(attribute:"plugin_publication_date", value:"2007/03/16");

     # "remote": the check talks to the RPC endpoint mapper directly and needs
     # no credentials on the target.
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();

     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows");

     # Needs the SMB OS fingerprint (Host/OS/smb) so non-Windows hosts are
     # skipped before any RPC traffic is sent; only port 135 is actually used.
     script_dependencies("smb_nativelanman.nasl");
     script_require_keys("Host/OS/smb");
     script_require_ports(135, 139, 445);
     exit(0);
    }
    
    #
    
    include ('smb_func.inc');
    
    # Sends one DCE RPC request (opnum 3) on an already-bound socket and
    # reports whether the server answered with the 0x80010110 status.
    #
    # socket : bound TCP socket to the RPC endpoint (caller owns it)
    # type   : accepted for call compatibility but not used here
    # Returns 1 when the response carries status 0x80010110, 0 on any other
    # response, on a short/invalid response, or when nothing is received.
    function SCMActivatorGetClassObject (socket, type)
    {
     local_var part1, part2, part4, req, pkt, reply, status;

     # struct 1
     part1 =
    	raw_word(w:0) + raw_word(w:0) +
    	raw_dword(d:0) + raw_dword(d:0) + raw_dword(d:0) +
    	raw_word(w:0) + raw_word(w:0) +
    	raw_dword(d:0) + raw_dword(d:0) +
    	raw_dword(d:0);

     # struct 2
     part2 = raw_dword(d:0) + raw_dword(d:0);

     # struct4
     part4 =
    	raw_dword(d:0x20000) +
    	raw_dword(d:4) +
    	raw_dword(d:4) +
    	raw_dword(d:0);

     req = part1 + part2 + part4;

     pkt = dce_rpc_request (code:0x03, data:req);
     send (socket:socket, data:pkt);
     reply = recv (socket:socket, length:4096);

     # Require at least 32 bytes and the expected value (3) in byte 2
     # (presumably the DCE RPC packet-type byte) before reading the status.
     if (isnull(reply) || strlen(reply) < 32 || ord(reply[2]) != 3)
       return 0;

     # 0x80010110 -> bad dcom header. Path should check it is a local call first and return ACCESS_DENIED
     status = get_dword (blob:reply, pos:24);
     if (status == 0x80010110)
       return 1;

     return 0;
    }
    
    
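    # Scan pass. Skip anything that is not fingerprinted as Windows, bind to
    # the DCE RPC interface used by SCMActivatorGetClassObject on port 135,
    # run the probe and report a hole when it matches.
    os = get_kb_item("Host/OS/smb");
    if ( "Windows" >!< os ) exit (0);


    port = 135;

    if ( ! get_port_state(port) ) exit(0);
    soc = open_sock_tcp (port);
    if (!soc) exit (0);

    ret = dce_rpc_bind(cid:session_get_cid(), uuid:"00000136-0000-0000-c000-000000000046", vers:0);
    send (socket:soc, data:ret);
    resp = recv (socket:soc, length:4096);

    if (!resp)
    {
     close (soc);
     exit (0);
    }

    # A non-zero or missing bind_ack result means the interface was not
    # accepted; nothing further can be learned from this socket.
    ret = dce_rpc_parse_bind_ack (data:resp);
    if (isnull (ret) || (ret != 0))
    {
     close (soc);
     exit (0);
    }


    ret = SCMActivatorGetClassObject (socket:soc);
    # Release the socket on this path too; the two early-exit paths above
    # already close it, and the probe has no further use for it.
    close (soc);
    if (ret == 1)
      security_hole(port);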
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS04-012.NASL
    descriptionThe remote host has multiple bugs in its RPC/DCOM implementation (828741). An attacker could exploit one of these flaws to execute arbitrary code on the remote system.
    last seen2020-06-01
    modified2020-06-02
    plugin id12206
    published2004-04-13
    reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/12206
    titleMS04-012: Microsoft Hotfix (credentialed check) (828741)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: declares plugin metadata and exits. The file-version
    # check below runs on the scan pass with SMB credentials.
    if (description)
    {
     script_id(12206);
     script_version("1.45");
     script_cvs_date("Date: 2018/11/15 20:50:29");

     # One plugin covers all four CVEs fixed by the cumulative MS04-012 update.
     script_cve_id(
       "CVE-2003-0813",
       "CVE-2004-0116",
       "CVE-2003-0807",
       "CVE-2004-0124"
     );
     script_bugtraq_id(10121, 10123, 10127, 8811);
     script_xref(name:"CERT", value:"547820");
     script_xref(name:"CERT", value:"698564");
     script_xref(name:"CERT", value:"212892");
     script_xref(name:"MSFT", value:"MS04-012");
     script_xref(name:"MSKB", value:"828741");

     script_name(english:"MS04-012: Microsoft Hotfix (credentialed check) (828741)");
     script_summary(english:"Checks for ms04-012");

     script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote host.");
     script_set_attribute(attribute:"description", value:
    "The remote host has multiple bugs in its RPC/DCOM implementation
    (828741).

    An attacker could exploit one of these flaws to execute arbitrary code
    on the remote system.");
     script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-012");
     script_set_attribute(attribute:"solution", value:
    "Microsoft has released a set of patches for Windows NT, 2000, XP and
    2003.");
     # The base vector scores the cumulative bulletin as a whole (the four
     # CVEs above), so it will differ from the CVSS of any single CVE it covers.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");

     script_set_attribute(attribute:"vuln_publication_date", value:"2003/10/10");
     script_set_attribute(attribute:"patch_publication_date", value:"2004/04/13");
     script_set_attribute(attribute:"plugin_publication_date", value:"2004/04/13");

     # "local": the check inspects files on the host over SMB rather than
     # probing the RPC service itself.
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
     script_end_attributes();

     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
     script_family(english:"Windows : Microsoft Bulletins");

     # Runs only after the hotfix enumeration plugins have established that
     # bulletin checks are possible on this host.
     script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
     script_require_keys("SMB/MS_Bulletin_Checks/Possible");
     script_require_ports(139, 445, 'Host/patch_management_checks');
     exit(0);
    }
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("misc_func.inc");
    
    # Scan pass: confirm the host is in the affected OS/SP range, then compare
    # the installed Rpcrt4.dll against the fixed build for that OS/SP.
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

    bulletin = 'MS04-012';
    kb = '828741';

    # Hand the KB to third-party patch management first when it is in use.
    kbs = make_list(kb);
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

    # Service-pack gate: anything outside these ranges is not affected.
    if (hotfix_check_sp_range(nt:'6', win2k:'2,4', xp:'0,1', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

    rootfile = hotfix_get_systemroot();
    if (!rootfile) exit(1, "Failed to get the system root.");

    share = hotfix_path2share(path:rootfile);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

    # One version gate per OS/SP; evaluation stops at the first match.
    dll = "Rpcrt4.dll";
    sysdir = "\system32";
    missing =
      hotfix_is_vulnerable(os:"5.2", sp:0, file:dll, version:"5.2.3790.137", dir:sysdir, bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:1, file:dll, version:"5.1.2600.1361", dir:sysdir, bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.1", sp:0, file:dll, version:"5.1.2600.135", dir:sysdir, bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"5.0", file:dll, version:"5.0.2195.6904", dir:sysdir, bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"4.0", file:dll, version:"4.0.1381.7230", dir:sysdir, bulletin:bulletin, kb:kb) ||
      hotfix_is_vulnerable(os:"4.0", file:dll, version:"4.0.1381.33551", min_version:"4.0.1381.33000", dir:sysdir, bulletin:bulletin, kb:kb);

    if (missing)
    {
      set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
      hotfix_security_hole();
    }

    # Always close the file-version session, whichever way the check went.
    hotfix_check_fversion_end();

    if (missing) exit(0);
    audit(AUDIT_HOST_NOT, 'affected');
    

Oval

  • accepted2008-03-24T04:00:11.022-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameJonathan Baker
      organizationThe MITRE Corporation
    definition_extensions
    commentMicrosoft Windows NT is installed
    ovaloval:org.mitre.oval:def:36
    descriptionThe DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:1041
    statusaccepted
    submitted2004-04-19T12:00:00.000-04:00
    titleDCOM RPC Object Identity Windows NT Vulnerability
    version72
  • accepted2004-06-16T12:00:00.000-04:00
    classvulnerability
    contributors
    nameChristine Walzer
    organizationThe MITRE Corporation
    descriptionThe DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:1062
    statusaccepted
    submitted2004-04-20T12:00:00.000-04:00
    titleDCOM RPC Object Identity Windows 2000 Vulnerability
    version64
  • accepted2004-06-16T12:00:00.000-04:00
    classvulnerability
    contributors
    nameChristine Walzer
    organizationThe MITRE Corporation
    descriptionThe DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:1066
    statusaccepted
    submitted2004-04-13T12:00:00.000-04:00
    titleDCOM RPC Object Identity Windows 2003 Vulnerability
    version64
  • accepted2011-05-16T04:00:16.742-04:00
    classvulnerability
    contributors
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameChristine Walzer
      organizationThe MITRE Corporation
    • nameShane Shaffer
      organizationG2, Inc.
    • nameSudhir Gandhe
      organizationTelos
    • nameShane Shaffer
      organizationG2, Inc.
    descriptionThe DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability."
    familywindows
    idoval:org.mitre.oval:def:1072
    statusaccepted
    submitted2004-04-20T12:00:00.000-04:00
    titleDCOM RPC Object Identity Windows XP Vulnerability
    version70