Vulnerabilities > CVE-2004-0205 - Remote Buffer Overflow vulnerability in Microsoft IIS 4 Redirect

047910
CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
avaya
microsoft
nessus

Summary

Buffer overflow in Microsoft Internet Information Server (IIS) 4.0 allows local users to execute arbitrary code via the redirect function.

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS04-021.NASL
descriptionThe remote host has a version of IIS 4.0 that could allow an attacker to take the control of the remote web server and execute arbitrary commands on the remote host with the SYSTEM privileges.
last seen2020-06-01
modified2020-06-02
plugin id13639
published2004-07-13
reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/13639
titleMS04-021: IIS Redirection Vulnerability (credentialed check) (841373)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(13639);
 script_version("1.35");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 script_cve_id("CVE-2004-0205");
 script_bugtraq_id(10706);
 script_xref(name:"MSFT", value:"MS04-021");
 script_xref(name:"MSKB", value:"841373");

 script_name(english:"MS04-021: IIS Redirection Vulnerability (credentialed check) (841373)");
 script_summary(english:"Checks for ms04-021 over the registry");

 script_set_attribute(attribute:"synopsis", value:"Arbitrary code can be executed on the remote web server.");
 script_set_attribute(attribute:"description", value:
"The remote host has a version of IIS 4.0 that could allow an attacker
to take the control of the remote web server and execute arbitrary
commands on the remote host with the SYSTEM privileges.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-021");
 script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for IIS 4.0.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"vuln_publication_date", value:"2004/07/13");
 script_set_attribute(attribute:"patch_publication_date", value:"2004/07/13");
 script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/13");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS04-021';
kb = '841373';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(nt:'6') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (hotfix_is_vulnerable(os:"4.0", file:"w3svc.dll", version:"4.2.788.1", dir:"\system32\inetsrv", bulletin:bulletin, kb:kb))
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted2008-03-24T04:00:23.139-04:00
classvulnerability
contributors
  • nameDavid Proulx
    organizationThe MITRE Corporation
  • nameJonathan Baker
    organizationThe MITRE Corporation
  • nameJonathan Baker
    organizationThe MITRE Corporation
  • nameGlenn Strickland
    organizationSecure Elements, Inc.
  • nameJonathan Baker
    organizationThe MITRE Corporation
definition_extensions
commentMicrosoft Windows NT is installed
ovaloval:org.mitre.oval:def:36
descriptionBuffer overflow in Microsoft Internet Information Server (IIS) 4.0 allows local users to execute arbitrary code via the redirect function.
familywindows
idoval:org.mitre.oval:def:2204
statusaccepted
submitted2004-07-13T12:00:00.000-04:00
titleIIS4.0 Redirect Function Buffer Overflow
version40